EM Eye: Electromagnetic Side-channel Eavesdropping on Embedded Cameras

EM Eye investigates a cybersecurity attack where the attackers eavesdrop on the confidential video data of cameras by parsing the unintentional electromagnetic leakage signals from camera circuits. This happens on the physical/analog layer of camera systems and thus allows attackers to steal victim’s camera data even when perfect software protections (e.g., unbreakable passwords) are all in place. Exploiting the eavesdropped videos, attackers can spy on privacy-sensitive information such as people’s activities in an enclosed room recorded by the victim’s home security camera. […]

Paper.

Rascabin,

So how can one protect themselves from this type of attack, or does responsibility lie on the vendors to keep up with security updates?

jabathekek,
@jabathekek@sopuli.xyz avatar

I would guess covering the camera and/or data cord with tinfoil. Even more unsure about wireless.

potatopotato,

It’s just a tempest attack. Firmware won’t fix anything but the attack is an extremely expensive nation state level operation that doesn’t scale.

tavu,

[…] the attack is an extremely expensive nation state level operation that doesn’t scale.

About $250 at most. Quoting the linked page:

Below is a list of equipment we used for the experiments.

  • (1) Software Defined Ratio (SDR): Ettus USRP B210 USRP, ~$2100.
  • (2) Low Noise Amplifier (LNA): Foresight Intelligence FSTRFAMP06 LNA, ~$200.
  • (3) Directional Antenna: A common outdoor Log-periodic directional antenna (LPDA), ~$15.
  • (4) A laptop, of course.

Note that the equipment can be replaced with cheaper counterparts. For example, USRP B210 can be replaced with RTL-SDR that costs ~$30.

To reproduce the attack: our GitHub repository provides the codes and instructions for reproducing and understanding the attack. We have prepared a ready-to-use software tool that can produce real-time reconstructions of the eavesdropped videos with EM signal input from the USRP device.

potatopotato,

$250 per camera that you have to be within meters of best case. That doesn’t include the packaging cost to make this look innocuous so probably significantly more money if you wanted this to be stealthy and reliable. Add in the money for the distribution and “installation” of such devices.

This doesn’t scale at all.

tavu,

Well within the budget of a private investigator or burglar or peeping-tom or abusive ex-partner.

No need to scale; plenty of privacy/security incursions don’t require mass-surveillance.

That said, I’d suggest that the attack does scale economically . Think war-driving but with one of these setups – cruising around in a van through a dense neighbourhood collecting short clips of cctv footage looking for something of interest.

potatopotato,

Yeah, I’d agree with that.

The point I was making was for people who thought this was cellphone cameras and that it would somehow work even if the camera wasn’t actively running.

As far as war driving with an sdr you’d probably occasionally find something interesting, but the vast majority would be cameras just pointed back out at the street. I think you’d mostly see stuff where if you wanted to spy it would make more sense to hide your own camera because it’s already public.

All that said, I would lose my shit if Hollywood did something believable for once and used this for a heist movie.

tavu,

I wonder when (if?) orbital radio receiver arrays (a la starlink) are sensitive and discriminating enough to be used for this type of attack.

potatopotato,

I work on this stuff, short answer, no, it’s not possible. This is just yet another overly complicated tempest attack. Especially with phones the camera link is so short it’s just not radiating enough. They claim 30cm so you basically need the receiver in the same backpack as the phones. As phones get higher resolution and faster cameras this will become even less of an issue. Also, most importantly the camera has to be powered and running for this to work so just don’t take pictures of classified stuff while carrying around a weirdly warm battery bank an unusually attractive eastern European girl gave you as an engagement gift and you’re good.

The actual target here is some sort of The Thing …m.wikipedia.org/…/The_Thing_(listening_device) style attack where someone with a huge budget can get a wildly expensive device really close to a system through a significant human intelligence effort.

The line of reasoning is valid though. These satellites will have some ability to track and intercept low power intentional emissions like WiFi and cellular packets. While these are encrypted there are still things you can do with the metadata.

LostXOR,

so just don't take pictures of classified stuff while carrying around a weirdly warm battery bank an unusually attractive eastern European girl gave you as an engagement gift and you're good.

Lmao, I really hate it when that happens.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • privacy@lemmy.ml
  • DreamBathrooms
  • magazineikmin
  • cubers
  • everett
  • rosin
  • Youngstown
  • GTA5RPClips
  • tester
  • slotface
  • khanakhh
  • Durango
  • kavyap
  • InstantRegret
  • ethstaker
  • JUstTest
  • ngwrru68w68
  • cisconetworking
  • thenastyranch
  • Leos
  • osvaldo12
  • anitta
  • mdbf
  • tacticalgear
  • modclub
  • megavids
  • provamag3
  • normalnudes
  • lostlight
  • All magazines
    •