Every day, we’re surrounded by cameras and microphones. It’s not just those on our smartphones and laptops anymore. It’s smart TVs, CCTV cameras, conferencing systems, and virtual assistants like Amazon’s Alexa. Many of these devices are recording even when you think they’re off, so they collect audio and video footage 24/7.
Unfortunately, these are among the most vulnerable devices in the IT world. The Mirai botnets responsible for the largest DDoS attack in history have reportedly taken control of 300,000 devices worldwide. Most of them are cameras and video recording equipment.
So why is video equipment so vulnerable? In short, these devices were built for mass production and quick time-to-market, not security. After the Dyn DDoS attack, Chinese company Xiongmai vowed to recall up to 10,000 webcams. Devices like these use default usernames and passwords like “admin” and “password”. And in many cases, they’re designed so that users can’t change the password.
The scale of this vulnerability is giving way to a new threat type: ambient surveillance, where you are potentially watched all the time as you move around the world.
But this raises the question: who would want to do such a thing? What would they have to gain by listening to my meetings for hours? Why would a hacker want to watch my face staring at a computer screen?
Because it’s profitable. The rapid development of AI means that ambient surveillance is increasingly becoming a viable way to penetrate business environments and engage in corporate espionage and ambient data theft.
In the past, attackers would have to go through victims’ video or audio footage manually to look for something of value. But AI techniques will automate the process. Attackers will be able to train malicious software to know what to look for – to understand what it hears and sees. In other words, infected machines will be able to sift through all the boring stuff to find the diamond in the rough – recognizing faces, images, and words along the way.
Without disrupting normal functions, conferencing systems could quietly listen and extract the most valuable information, like discussions of illegal activity, quarterly earnings, negotiations, or prep for M&A.
This isn’t just a hypothetical. Recently, Darktrace observed a law firm’s video-conferencing unit behaving strangely. It was transmitting large volumes of data to rare external IPs. The camera was being accessed remotely, allowing the attacker to essentially live stream images and sound. The worst part? The conference room was used for the most important board and customer meetings. Sensitive information was discussed daily, and the attacker had access to all of it.
This case involved sending large streams of data to the attacker’s server. But soon, cyber-attacks will only send back the most relevant information. By leaking only tiny fragments, these attacks will be much harder to detect.
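The two cases above, a bulk stream to rare external IPs and the smaller leak that a volume threshold alone would miss, can both be surfaced by scoring destinations on how rare they are across the network. The following is an added example, not Darktrace's detection logic; the flow-record layout, addresses, thresholds and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed flow records: (internal source, destination, bytes sent outbound).
BASELINE = [
    ("10.0.0.11", "198.51.100.10", 40_000),
    ("10.0.0.12", "198.51.100.10", 52_000),
    ("10.0.0.13", "198.51.100.10", 38_000),
    ("10.0.0.50", "198.51.100.10", 20_000),     # conferencing unit, routine traffic
]
TODAY = [
    ("10.0.0.11", "198.51.100.10", 45_000),     # common destination, ignored
    ("10.0.0.50", "203.0.113.7", 900_000_000),  # bulk stream to an unseen destination
    ("10.0.0.51", "203.0.113.9", 4_000),        # small leak to an unseen destination
]

def is_external(addr):
    return ip_address(addr) not in INTERNAL

def destination_popularity(flows):
    """Map each external destination to the internal hosts that contacted it."""
    seen = defaultdict(set)
    for src, dst, _ in flows:
        if is_external(dst):
            seen[dst].add(src)
    return seen

def score_flows(baseline, today, rare_max_hosts=1, volume_bytes=100_000_000):
    """Flag outbound flows to destinations few internal hosts have ever used."""
    popularity = destination_popularity(baseline)
    totals = defaultdict(int)
    for src, dst, nbytes in today:
        if is_external(dst):
            totals[(src, dst)] += nbytes
    alerts = []
    for (src, dst), total in sorted(totals.items()):
        if len(popularity.get(dst, ())) > rare_max_hosts:
            continue  # destination is common across the estate
        # Rarity alone raises a low-severity alert; rarity plus volume raises a high one.
        severity = "high" if total >= volume_bytes else "low"
        alerts.append((src, dst, total, severity))
    return alerts

if __name__ == "__main__":
    for alert in score_flows(BASELINE, TODAY):
        print(alert)
```

Filtering the same records on byte count alone would report only the 900 MB stream; the 4 KB transfer appears only because the destination is rare.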
In the movies, we see gangsters and spies lock their phones away before discussing sensitive topics. But in an era of widespread IoT, we need to do something cleverer than hiding from our devices. Ambient surveillance is just one of many new techniques that modern attackers will add to their arsenal.
To learn more about the advanced threats we’ve uncovered, you can book a meeting with me and the rest of the Executive Team at the upcoming RSA conference in San Francisco.
Dave is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over 19 years of experience at the forefront of government intelligence operations, Dave has worked across UK intelligence agencies GCHQ and MI5, where he was responsible for delivering mission-critical infrastructure services, including replacing and securing entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He acts as an advisor to cyber security start-ups and growth-stage companies from the UK Government’s Cyber Security Accelerator and CyLon. His insights on AI and the future of cyber security are also regularly featured in the UK media. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.