A Security Exploit Is in the Air

Technological advancements have made cameras smaller and more inexpensive than ever before. This has enabled the development of all manner of Internet of Things devices that are equipped with cameras. Hundreds of millions of these gadgets are now deployed in homes, businesses, and public spaces to act as security cameras, home monitors, smart doorbells, and much more. Convenience, safety, and efficiency that was once unthinkable has been made a reality by these networks of internet-connected cameras.

But along with these benefits come some very real, and very serious, privacy-related concerns. The rich data provided by camera sensors makes them a high-value target for malicious hackers. And the risk of this sort of data being compromised can leave camera owners laying awake at night worrying about that possibility. As such, much effort has gone into securing these systems via encryption, multi-factor authentication, and other cutting-edge techniques.

A common feature of these security practices is that they tend to focus on the software stack of the camera, and the security of data in transit over public networks. That makes a lot of sense, as these are the most common areas to be exploited. However, they are not the only methods to gain access to private data. Side-channel attacks, in particular, can often come out of left field, allowing attackers to circumvent all of the protections that were carefully designed to secure a system.

Side-channel attacks are a class of security breaches that exploit information leaked from the physical implementation of a system, such as power consumption, electromagnetic emanations, timing variations, and acoustic emissions. A team led by researchers at the University of Michigan has just described a troubling side-channel attack, called EM Eye, that makes it possible to reconstruct video frames captured by a camera by listening to electromagnetic leakage signals emitted by its circuits. These signals can be received from several meters away — even through walls.

Recent studies have demonstrated that it is possible to determine if a camera is switched on or off by examining the electromagnetic emissions it produces. That inspired the researchers to determine just how much more information they could pull out of this data source. They discovered that the correlations between electromagnetic emissions and the image being captured by the camera are highly predictable.

Further investigation revealed that the reason for this was that large amounts of electromagnetic radiation are emitted as data is transferred from the image sensor chips to the downstream image processing components. As they explored this data, they realized that raw sensor data was being transferred in a frame-by-frame, row-by-row, and column-by-column order that could be easily interpreted. With this knowledge, the electromagnetic signals could be captured from a distance and reconstructed into video frames, all while bypassing any security measures that might be in place.

It was noted that this technique resulted in the loss of color information, and that significant noise was present in the image frames which degraded image quality. To address these issues, EM Eye includes an image translation model based on a generative adversarial network that learns the mappings between the true images and the distorted versions captured via the side-channel attack. This model can then remove most distortions, and often even recover color information, to produce remarkably good video frame reconstructions.

The attack was demonstrated to work on over a dozen commercial devices made by manufacturers such as Samsung, Google, and Wyze. This broad range of affected cameras means that this is an attack that we should take very seriously. It does require a receiver to be in relatively close proximity to the camera, which is enough protection in many cases. But where that cannot be guaranteed, the team recommends that manufacturers use better cable shielding, shorter wires, and improved data transmission protocols to reduce the risk of electromagnetic signal leakage.