The cameras you see on every street lamp and in the corner of every office might also be used by attackers looking for another way to steal sensitive data. Researchers at Ben-Gurion University of the Negev in Israel have developed a method for using the infrared capabilities of some cameras to exfiltrate data from a target network by encoding the data and sending it out over the air using infrared signals. The researchers created a proof-of-concept piece of malware they call aIR-Jumper that can be implemented on a machine in a target network and then used to control the surveillance cameras attached to the network.

“Many surveillance and security cameras are equipped with IR LEDs which enable night vision. We show that malware residing within the internal networks of the organization can control these IR LEDs, turning them on and off or controlling their IR intensity,” the researchers said in their paper.

“We implement a malware prototype and show that binary data can be encoded over the IR signals and leaked to an attacker from a distance of tens of meters away. Notably, many surveillance and security cameras monitor public areas, and therefore attackers can easily establish a line of sight with them.”

The idea behind the research is to use the surveillance cameras as a covert channel through which an attacker can exfiltrate data such as encryption keys, passwords, PINs, and other sensitive information. The initial stage of the attack involves an adversary gaining access to a target network, for example by installing malware through a phishing attack or other common method. The researchers’ malware then can scan the compromised network’s IP range and search for security cameras, which are identifiable by their HTTP responses or MAC addresses. Once that’s done, the malware can connect to a camera. If the camera is password-protected or has some other access control, the attacker would need to either get the password somehow or perhaps use an exploit against the camera’s firmware. Given how many surveillance camera models have publicly known vulnerabilities, this is not really a difficult task.

Then the fun really begins.

“The malware in the network collects sensitive data that it wants to exfiltrate. When the data is collected, the malware transmits it by encoding it over the IR signals emitted from the camera’s night vision IR LEDs. Exfiltration may take place at predefined times or as the result of a trigger from the attacker side. An attacker located outside the secured facility (e.g., on the street) can receive the IR signals by carrying a standard video camera that is aimed at the transmitting surveillance camera,” the paper says. “The received video is then processed in order to decode the transmitted data.”

The researchers also laid out a scenario in which an attacker could infiltrate a target network using the same IR signal method.

“An attacker located outside the secured facility (e.g., on the street) generates invisible IR signals by using IR LEDs. The IR signals are modulated with the C&C messages to be delivered to the malware. The video stream recorded by the surveillance camera is received by the malware which processes and decodes the transmitted data,” they said.

Although the researchers’ malware is a proof-of-concept, all of the elements necessary for this kind of attack are present.