Blinking Red Light of Death for Cameras
Cameras you can find on street corners, offices, and public spaces can all be used by attackers in one way or another in order to steal sensitive information. Researchers from the Ben-Gurion University of the Negev were able to create a method to use infrared (which can look like a blinking red light) from certain cameras to exfiltrate data coming from a targeted network by simply encoding the data, then sending it through infrared signals. They created a malware called aIR-Jumper that could be used on a machine within the targeted network to control the cameras.
The researchers noted that:
“Many surveillance and security cameras are equipped with IR LEDs which enable night vision. We show that malware residing within the internal networks of the organization can control these IR LEDs, turning them on and off or controlling their IR intensity.
“We implement a malware prototype and show that binary data can be encoded over the IR signals and leaked to an attacker from a distance of tens of meters away. Notably, many surveillance and security cameras monitor public areas, and therefore attackers can easily establish a line of sight with them.”
This research essentially uncovered that surveillance cameras can be used as a covert channel in order to steal passwords, keys, and other sensitive data. This can be done by first gaining access to the network by means of a malware installed, such as through a phishing scam. This malicious program can then scan the network’s IP in search for cameras. They are easily identified by their protocol or MAC addresses.
Once this is done, the malware program can then connect to the cameras. Even if they are password protected, that would be easy to circumvent at this point.
“The malware in the network collects sensitive data that it wants to exfiltrate. When the data is collected, the malware transmits it by encoding it over the IR signals emitted from the camera’s night vision IR LEDs. Exfiltration may take place at predefined times or as the result of a trigger from the attacker side. An attacker located outside the secured facility (e.g., on the street) can receive the IR signals by carrying a standard video camera that is aimed at the transmitting surveillance camera,” the paper says. “The received video is then processed in order to decode the transmitted data.
“An attacker located outside the secured facility (e.g., on the street) generates invisible IR signals by using IR LEDs. The IR signals are modulated with the C&C messages to be delivered to the malware. The video stream recorded by the surveillance camera is received by the malware which processes and decodes the transmitted data,” the researchers said.
While the malware created is simply a proof-of-concept, all the necessary elements to achieve this are there.