Johannes Obermaier
ABSTRACT
In the area of the Internet of Things, cloud-based camera surveillance systems are ubiquitously available for industrial and private environments. However, the sensitive nature of the surveillance use case imposes high requirements on privacy/confidentiality, authenticity, and availability of such systems. In this work, we investigate how currently available mass-market camera systems comply with these requirements. Considering two attacker models, we test the cameras for weaknesses and analyze for their implications. We reverse-engineered the security implementation and discovered several vulnerabilities in every tested system. These weaknesses impair the users' privacy and, as a consequence, may also damage the camera system manufacturer's reputation. We demonstrate how an attacker can exploit these vulnerabilities to blackmail users and companies by denial-of-service attacks, injecting forged video streams, and by eavesdropping private video data - even without physical access to the device. Our analysis shows that current systems lack in practice the necessary care when implementing security for IoT devices.
- A. Costin, J. Zaddach, A. Francillon, D. Balzarotti, and S. Antipolis. A large-scale analysis of the security of embedded firmwares. In USENIX Security Symposium, 2014. Google Scholar
Digital Library
- Deloitte & Technische Universität München. Ready for Takeoff? Smart Home aus Konsumentensicht. http://www.connected-living.org/content/4-information/5-downloads/4-studien/5-ready-for-takeoff/deloitte-smart-home-consumer-survey-20150701.pdf, July 2015.Google Scholar
- GfK. Smart home beats wearables for impact on lives, say consumers. http://www.gfk.com/fileadmin/user_upload/dyna_content_import/2015-11-24_press_releases/data/Documents/Press-Releases/2015/2015-11-11_smart-home_press-release_global.pdf, November 2015.Google Scholar
- M. Green. Attack of the week: FREAK (or 'factoring the NSA for fun and profit'). http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html, Mar. 2015.Google Scholar
- P. Kocher, R. Lee, G. McGraw, and A. Raghunathan. Security as a new dimension in embedded system design. In Proceedings of the 41st Annual Design Automation Conference, DAC '04, pages 753--760, New York, NY, USA, 2004. ACM. Moderator-Ravi, Srivaths. Google ScholarDigital Library
- N. Serpanos and A. Papalambrou. Security and privacy in distributed smart cameras. Proceedings of the IEEE, 96(10):1678--1687, 2008.Google Scholar
- H. Vagts and J. Beyerer. Security and privacy challenges in modern surveillance systems. In Proceedings of the Future Security Research Conference, pages 94--116, 2009.Google Scholar
- T. Winkler and B. Rinner. Security and privacy protection in visual sensor networks: A survey. ACM Computing Surveys (CSUR), 47(1):2, 2014. Google ScholarDigital Library
- T. Winkler and B. Rinner. Secure embedded visual sensing in end-user applications with trusteye. m4. In Intelligent Sensors, Sensor Networks and Information Processing (ISSNIP), 2015 IEEE Tenth International Conference on, pages 1--6. IEEE, 2015.Google Scholar
Index Terms
- Analyzing the Security and Privacy of Cloud-based Video Surveillance Systems
Recommendations
IoT Security & Privacy: Threats and Challenges
IoTPTS '15: Proceedings of the 1st ACM Workshop on IoT Privacy, Trust, and SecurityThe era of the Internet of Things (IoT) has already started and it will profoundly change our way of life. While IoT provides us many valuable benefits, IoT also exposes us to many different types of security threats in our daily life. Before the advent ...
Security of CCTV and Video Surveillance Systems: Threats, Vulnerabilities, Attacks, and Mitigations
TrustED '16: Proceedings of the 6th International Workshop on Trustworthy Embedded DevicesVideo surveillance, closed-circuit TV and IP-camera systems became virtually omnipresent and indispensable for many organizations, businesses, and users. Their main purpose is to provide physical security, increase safety, and prevent crime. They also ...
Providing destructive privacy and scalability in RFID systems using PUFs
Internet of Things (IoT) emerges as a global network in which any things (including humans and the real world things) having unique identifier can communicate each other. The RFID system has very important role in the IoT system for solving the ...
Comments