Cyber criminals can work out if people are away from home by examining information transmitted over Wi-Fi by home security cameras, say scientists.
Internet-connected security cameras that track potential burglars, such as Google’s Nest Cam and Amazon’s Ring range, can be interfered with by attackers.
These devices, which are becoming an increasingly common feature of people’s homes, generate huge amounts of hackable personal data.
UK and Chinese researchers got access to a data set of smart home camera uploads from an undisclosed device maker.
They found online traffic generated by the cameras, which are often triggered by motion, could be monitored and used to predict when a house is occupied or not.
A lack of traffic throughout a working day could indicate that a homeowner is out, for example, leaving the home vulnerable to a burglary if linked with address data.
Scroll down for video
Researchers from the Chinese Academy of Sciences and Queen Mary University of London tested if an attacker could infer privacy-compromising information about a camera’s owner from simply from tracking the uploaded data passively without inspecting any of the video content itself
IP home security cameras are internet-connected and can be installed in homes. Many have the ability for owners to remotely monitor them online via a Wi-Fi link.
This connection — and when it is activated — can be hijacked by hackers, even if the content of the videos is encrypted.
These cameras are growing in popularity and the global market is expected to reach $1.3 billion by 2023.
‘Once considered a luxury item, these cameras are now commonplace in homes worldwide,’ said Dr Gareth Tyson, a senior lecturer of internet data science at Queen Mary University of London, who worked with researchers at the Chinese Academy of Sciences in Beijing.
‘As they become more ubiquitous, it is important to continue to study their activities and potential privacy risks.
‘Whilst numerous studies have looked at online video streaming, such as YouTube and Netflix, to the best of our knowledge, this is the first study which looks in detail at video streaming traffic generated by these cameras and quantifies the risks associated with them.
‘By understanding these risks, we can now look to propose ways to minimise the risks and protect user privacy.’
The researchers even found that future activity in the house could be predicted based on past traffic generated by the camera, which could leave users more at risk of burglary by discovering when the house it unoccupied
The majority of internet traffic is now video, dominated by the likes of Netflix, YouTube and live e-sports service Twitch, the researchers say.
However, the advent of low-cost internet-enabled cameras has resulted in ‘the arrival of a rather different type of video streaming service’.
While Internet of Things (IoT) home security cameras were once considered a luxury, they have since entered the mainstream and brought fresh privacy and security concerns with them.
Home security cameras follow an on-demand model, where video is only streamed when a user requests it, or when motion is observed.
Researchers used data from a ‘major’ home internet protocol (IP) security camera provider, which the team wouldn’t disclose to MailOnline.
‘We signed an NDA [non-disclosure agreement] when analysing their data,’ Dr Tyson said.
‘Basically, this company shared data allowing us to characterise the scale of the problem across hundreds of thousands of users.’
The data set covered 15.4 million streams from 211,000 active users and contained a mix of free and premium users.
Internet-connected security cameras to track potential burglars, such as Google’s Nest Cam and Amazon’s Ring range, can be interfered with by attackers
Assuming the role of the attacker, the scientists evaluated the potential privacy risks for users of the increasingly popular security devices.
Researchers tested if a real-life attacker could gather privacy-compromising information about a camera’s owner from simply tracking the uploaded data passively without inspecting any of the video content itself.
Attackers could detect when the camera was uploading motion and even distinguish between certain types of motion, such as sitting or running, they found.
This was done without inspecting the video content itself but, by looking at the rate at which cameras uploaded data via the internet.
Scientists even discovered that future activity in the house could be predicted based on past traffic generated by the camera, which could leave users more at risk of burglary by discovering when the house is unoccupied.
An attacker with access to this ‘passive network data’ may be able to infer the camera owner’s household activity by inspecting home security camera traffic.
For example, a camera consistently uploading motion-triggered video at 6pm might indicate that family members arrive home at that time.
The team found that premium users are more vulnerable to privacy risks due to their heavier usage and the exclusive availability of the motion detection mode, which was not available for normal users.
‘Home security cameras have become a commodity which will likely increase in usage,’ the researchers conclude in their report.
‘As they are often placed in intimate locations, it is important we continue to investigate their activities and potential risks.’
The findings are being presented at the virtual IEEE International Conference on Computer Communications this week.
According to Javvad Malik, security awareness advocate at KnowBe4, smart home camera firms should implement their own layered controls to ensure that IoT devices aren’t accessible from the public internet.
Consumers, meanwhile, can ‘harden’ them where possible by changing default passwords.
Consumers should also review whether all of their IoT devices are essential or simply ‘nice to haves’.
‘It could be the difference between suffering a security incident or not,’ Malik told MailOnline.
Boris Cipot, senior security engineer at Synopsys, said there is currently no standard around the minimum data security and access requirements that IoT devices need to satisfy before they hit the shops.
‘While the users do need to be encouraged in configuring security settings based on their risk appetite, users cannot be expected to be security experts,’ Cipot told MailOnline.
‘Responsibility ultimately falls to device manufacturers who must provide devices that don’t require users to actively configure their devices to be secure.’