A team of researchers from the Ben-Gurion University of the Negev, Israel, have proved how security cameras equipped with Infrared (IR) light to enable night vision can secretly access, transfer and receive data from not only its own network but from other networks too.
Mordechai Guri, who led the research, noted that “Security cameras are unique in that they have ‘one leg’ inside the organization, connected to the internal networks for security purposes, and ‘the other leg’ outside the organization, aimed specifically at a nearby public space, providing very convenient optical access from various directions and angles.”
Researchers developed proof-of-concept malware that utilized internet-connected surveillance cameras to bypass airgaps and weave passwords, cryptographic keys and other types of sensitive data into infrared signals while the built-in infrared light transmits them. These signals are recorded by an attacker through a video camera.
The embedded data is then decoded and beamed to an infected camera from where they are intercepted and decoded by the malware. The two-way channel is established by the malware to allow attackers to communicate with compromised networks despite being air-gapped. This channel transmits data from a video camera to the attacker.
The purpose of instilling IR light is to make the camera capable of seeing in the dark without illuminating the surroundings. If these cameras are hacked, the attackers can easily flash the IR light on and off to transfer data to anyone that comes in the range of the camera. The disturbing part is that all of this would be conducted secretly.
Moreover, once hacked the lens of these cameras can receive additional commands when the hackers aim IR light signals at it. Believe it or not but hackers can aim any network even those that aren’t linked to the camera.
Now consider this scenario; if the attackers get malware to be installed on the publicly viewable surveillance camera with IR capabilities connected to the attackers’ network then they can use it as a modem and control the malware or steal/manipulate the data.
Researchers claimed that attackers can also communicate with these surveillance cameras from tens of thousands of meters distance. So data could be easily leaked from any network at 20 bit/sec bit rate per camera and deliver the data at a bit rate of over 100 bit/sec per camera. When more than one camera is involved then the bit rate may become higher than this. Data as sensitive as user Ids and passwords could be stolen through compromising these cameras.
To prove their findings, researchers presented a video in which they demonstrated how they hacked an IR light equipped camera and managed to steal passwords and some portions of The Adventures of Tom Sawyer. The video can be viewed here:
In another video, researchers demonstrated how attackers can force these cameras to communicate with the network.
This malware’s prototype may serve as an important element for hackers who want to target cameras installed at sensitive locations such as energy sector organizations, military areas, and similar critical infrastructure. Airgaps are critical for ensuring the security of data and networks and if it is secure, then there is no way that malware could create contact with servers controlled by the attackers to issue commands and/or transmit stolen data.