{"id":27329,"date":"2024-04-16T12:51:17","date_gmt":"2024-04-16T16:51:17","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/em-eye-side-channel-espionage\/27329\/"},"modified":"2024-09-26T14:47:59","modified_gmt":"2024-09-26T09:17:59","slug":"em-eye-side-channel-espionage","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/em-eye-side-channel-espionage\/27329\/","title":{"rendered":"An unusual method of stealing data from surveillance cameras"},"content":{"rendered":"

Scientific research of hardware vulnerabilities often paints captivating espionage scenarios, and a recent study<\/a> by researchers from universities in the United States and China is no exception. They found a way to steal data from surveillance cameras by analyzing their stray electromagnetic emissions \u2014 aptly naming the attack EM Eye.<\/p>\n

Reconstructing information from stray emissions<\/h2>\n

\nLet\u2019s imagine a scenario: a secret room in a hotel with restricted access is hosting confidential negotiations, with the identities of the folks in attendance in this room also deemed sensitive information. There\u2019s a surveillance camera installed in the room running round the clock, but hacking the recording computer is impossible. However, there\u2019s a room next-door to the secret room accessible to other, regular guests of the hotel. During the meeting, a spy enters this adjacent room with a device which, for the sake of simplicity, we\u2019ll consider to be a slightly modified radio receiver. This receiver gathers data that can be subsequently processed to reconstruct the video from the surveillance camera in the secret room! <\/p>\n

How is this even possible? To understand this, let\u2019s talk about TEMPEST attacks. This codename<\/a>, coined by the U.S. National Security Agency, refers to methods of surveillance using unintentional radio emissions, plus countermeasures against those methods. This type of hardware vulnerability was first studied during\u2026 World War II. The U.S. Army used an automatic encryption device from the Bell Telephone Company<\/a>: plaintext input was mixed with a pre-prepared random sequence of characters to produce an encrypted message. The device used electromagnetic relays \u2014 essentially large switches.<\/p>\n

Think of a mechanical light switch: each time you use it, a spark jumps between its contacts. This electrical discharge generates radio waves. Someone at a distance could tune a radio receiver to a specific frequency and know when you turn the light on or off. This is called stray electromagnetic radiation \u2014 an inevitable byproduct of electrical devices.<\/p>\n

In the case of the Bell encryption device, the switching of electromagnetic relays generated such interference that its operation could be detected from a considerable distance. And the nature of the interference permitted reconstruction of the encrypted text. Modern computers aren\u2019t equipped with huge electromechanical switches, but they do still generate stray emissions. Each bit of data transmitted corresponds to a specific voltage applied to the respective electrical circuit, or its absence. Changing the voltage level generates interference that can be analyzed.<\/p>\n

Research on TEMPEST has been classified for a long time. The first publicly accessible work was published in 1985<\/a>. Dutch researcher Wim van Eck showed how stray emissions (also known as side-band electromagnetic emissions) from a computer monitor allow the reconstruction of the image displayed on it from a distance.<\/p>\n

Images from radio noise<\/h2>\n

\nThe authors of the recent study, however, work with much weaker and more complex electromagnetic interference. Compared to the encryption devices of the 1940s and computer monitors of the 1980s, data transmission speeds have increased significantly, and though there\u2019s now more stray radiation, it\u2019s weaker due to the miniaturization of components. However, the researchers benefit from the fact that video cameras have become ubiquitous, and their design \u2014 more or less standardized. A camera has a light-sensitive sensor \u2014 the raw data from which is usually transmitted to the graphics subsystem for further processing. It is this process of transmitting raw information that the authors of the research studied.<\/p>\n

In some other recent experiments<\/a>, researchers demonstrated that electromagnetic radiation generated by the data transmission from a video camera sensor can be used to determine the presence of a nearby camera \u2014 which is valuable information for protecting against unauthorized surveillance. But, as it turned out, much more information can be extracted from the interference.<\/p>\n

\"Interference<\/a>

Interference depending on the type of image transmitted by the surveillance camera. Source<\/a><\/p><\/div>\n

The researchers had to study thoroughly the methods of data transmission between the video camera sensor and the data processing unit. Manufacturers use different transmission protocols for this. The frequently used MIPI CSI-2 interface transmits data line by line, from left to right \u2014 similar to how data is transmitted from a computer to a monitor (which that same Wim van Eck intercepted almost 40 years ago). The illustration above shows the experiments of the authors of the study. A high-contrast target with dark and light stripes running horizontally or vertically is placed in front of the camera. Next, the stray radiation in a certain frequency range (for example, 204 or 255 megahertz) is analyzed. You can see that the intensity of the radio emission correlates with the dark and light areas of the target.<\/p>\n

\"Improving<\/a>

Improving image quality by combining data from multiple frames. Source<\/a><\/p><\/div>\n

This is essentially the whole attack: capture the stray radio emission from the video camera, analyze it, and reconstruct the unprotected image. However, in practice, it\u2019s not that simple. The researchers were dealing with a very weak and noisy radio signal. To improve the picture, they used a neural network: by analyzing the sequence of stolen frames, it significantly improves the quality of the intercepted video. The result is a transition from \u201calmost nothing is visible\u201d to an excellent image, no worse than the original, except for a few artifacts typical of neural networks (and information about the color of objects is lost in any case).<\/p>\n

EM Eye in practice<\/h2>\n

\nIn numerous experiments with various video cameras, the researchers were able to intercept the video signal at distances of up to five meters. In real conditions, such interception would be complicated by a higher level of noise from neighboring devices. Computer monitors, which operate on a similar principle, \u201cspoil\u201d the signal from the video camera the most. As a recommendation to camera manufacturers, the authors of the study suggest improving the shielding of devices \u2014 even providing the results of an experiment in which shielding the vulnerable module with foil seriously degraded the quality of the intercepted image. Of course, a more effective solution would be to encrypt the data transmitted from the video camera sensor for further processing.<\/p>\n

Pocket spy<\/h2>\n

\nBut some of the researchers\u2019 findings seem even more troubling. For example, the exact same interference is generated by the camera in your smartphone. OK, if someone starts following his target around with an antenna and a radio receiver, they\u2019ll be noticed. But what if attackers give the potential victim, say, a slightly modified power bank? By definition, such a device is likely to stay close to the smartphone. When the victim decides to shoot a video or even take a photo, the advanced \u201cbug\u201d could confidently intercept the resulting image. The illustration below shows how serious the damage from such interception can be when, for example, photographing documents using a smartphone. The quality is good enough to read the text.<\/p>\n

\"Examples<\/a>

Examples of image interception from different devices: smartphone, dashcam, stationary surveillance camera. Source<\/a><\/p><\/div>\n

However, we don\u2019t want to exaggerate the danger of such attacks. This research won\u2019t lead to attackers going around stealing photos tomorrow. But such research is important: ideally, we should apply the same security measures to hardware vulnerabilities as we do to software ones. Otherwise, a situation may arise where all the software protection measures for these smartphone cameras will be useless against a hardware \u201cbug\u201d which, though complex, could be assembled entirely from components available at the nearest electronics store.<\/p>\n","protected":false},"excerpt":{"rendered":"

We explain in simple terms research demonstrating a vulnerability in modern digital video cameras. <\/p>\n","protected":false},"author":665,"featured_media":27331,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2036,2609,2610],"tags":[1229,703,706,3322],"class_list":{"0":"post-27329","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-cameras","11":"tag-espionage","12":"tag-research","13":"tag-side-channels"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/em-eye-side-channel-espionage\/27329\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/em-eye-side-channel-espionage\/22623\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/em-eye-side-channel-espionage\/30006\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/em-eye-side-channel-espionage\/27484\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/em-eye-side-channel-espionage\/37283\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/em-eye-side-channel-espionage\/51011\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/em-eye-side-channel-espionage\/27642\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/em-eye-side-channel-espionage\/33490\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/em-eye-side-channel-espionage\/33117\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/side-channels\/","name":"side channels"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/27329","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=27329"}],"version-history":[{"count":7,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/27329\/revisions"}],"predecessor-version":[{"id":28065,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/27329\/revisions\/28065"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/27331"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=27329"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=27329"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=27329"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}