Wireless security cameras may deter intruders. Accompanying the hardware, consumers may pay recurring monthly fees for recording videos to the cloud, or use the free tier offering motion alerts and sometimes live streams via the camera app. Many users may purchase the hardware without buying the subscription to save money, which inherently reduces their efficacy. We discover that the wireless traffic generated by a camera responding to stimulating motion may disclose whether or not video is being streamed. A malicious user such as a burglar may use such knowledge to target homes with a “weak camera” that does not upload video or turn on live view mode. In such cases, criminal activities would not be recorded though they are performed within the monitoring area of the camera. Accordingly, we describe a novel technique called WeakCamID that creates motion stimuli and sniffs resultant wireless traffic to infer the camera state. We perform a survey involving a total of 220 users, finding that all users think cameras have a consistent security guarantee regardless of the subscription status. Our discovery breaks such “common sense”. We implement WeakCamID in a mobile app and experiment with 11 popular wireless cameras to show that WeakCamID can identify weak cameras with a mean accuracy of around 95% and within less than 19 seconds.
Read the latest version of our full paper.
ID | Camera Name | Cloud Recording (Unpaid) |
---|---|---|
1 | Arlo Pro 3 | No |
2 | Arlo Pro 4 | No |
3 | Arlo Ultra 2 | No |
4 | Blink XT2 | No |
5 | Blink Outdoor | No |
6 | Ring Stick Up Cam | No |
7 | Ring Spotlight | No |
8 | Reolink Argus 2 | No |
9 | SimpliSafe Cam | No |
10 | Wyze Battery Cam Pro | No |
11 | Wyze Cam Outdoor v2 | No |
To see why a camera's traffic differs between working modes, we provide a small, quick playground where you can try wireless sniffing yourself. This quick guide explains how to collect wireless traffic data from security cameras in 4 different modes.
It uses the airodump tool from the aircrack-ng suite. You need a WiFi adapter that supports monitor mode.
1. Put the WiFi adapter into monitor mode:

   ```
   airmon-ng start wlan0
   ```

2. Find the channel of the target camera in the list by matching the OUI:

   ```
   airodump-ng wlan0mon
   ```

   Note the channel of the target camera's BSSID.

3. Capture on that channel:

   ```
   airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w camera wlan0mon
   ```

   Replace 6 with the camera's channel and 00:11:22:33:44:55 with the camera's BSSID.

4. Generate motion to stimulate the camera.
5. Repeat step 4 in each mode.
6. Press Ctrl+C to stop the capture.
You can now analyze these capture files to extract the traffic pattern for each camera mode, and you should be ready to get started with traffic capture.
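For owners who want to see what their own camera exposes in each mode, the sketch below turns a capture file into a per-second byte count for one transmitter. It is an added example, not code from the paper or the WeakCamID app; it assumes the classic pcap file that `airodump-ng -w` writes (link type 105, or 127 with radiotap headers), and `bytes_per_second`, `sample_capture` and the MAC addresses are constructed for illustration.

```python
import struct
from collections import Counter

LINKTYPE_80211, LINKTYPE_RADIOTAP = 105, 127  # bare 802.11 / radiotap-prefixed

def bytes_per_second(pcap: bytes, tx_mac: str) -> dict:
    """Map seconds since first frame -> 802.11 bytes transmitted by tx_mac."""
    want = bytes.fromhex(tx_mac.replace(":", ""))
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype not in (LINKTYPE_80211, LINKTYPE_RADIOTAP):
        raise ValueError(f"unsupported link type {linktype}")
    counts, off, t0 = Counter(), 24, None
    while off + 16 <= len(pcap):
        ts, _usec, caplen, origlen = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        t0 = ts if t0 is None else t0
        rt_len = 0
        if linktype == LINKTYPE_RADIOTAP and len(frame) >= 4:
            rt_len = struct.unpack("<H", frame[2:4])[0]  # radiotap is little-endian
        frame = frame[rt_len:]
        # addr2 (transmitter) sits at bytes 10..15; ACK/CTS frames have no addr2
        if len(frame) >= 16 and frame[10:16] == want:
            counts[ts - t0] += origlen - rt_len
    return dict(counts)

def sample_capture() -> bytes:
    """Constructed capture (link type 105): one idle frame, then a 20-frame burst."""
    cam, ap = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")
    def rec(ts, tx, rx, size):
        # QoS data, ToDS + protected: frame control, duration, addr1, addr2, addr3
        body = b"\x88\x41\x00\x00" + rx + tx + rx + bytes(size - 22)
        return struct.pack("<IIII", ts, 0, size, size) + body
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_80211)
    out += rec(100, cam, ap, 60)
    out += b"".join(rec(102, cam, ap, 1500) for _ in range(20))
    return out + rec(102, ap, cam, 200)  # downlink frame, not counted

if __name__ == "__main__":
    print(bytes_per_second(sample_capture(), "02:11:22:33:44:55"))
```

The payload of each frame is encrypted, but frame sizes and the transmitter address are not, so the per-second totals are visible to anyone in radio range.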
You can email us: Yan He (heyan@ou.edu) or Fang Song (songf@ou.edu).
We use Matlab to produce our final results. If you want the Matlab code that reproduces the results shown in our paper, read the Code part, which should be at the bottom of each section page.
1. Copy the Matlab code shown on the page
2. Create a *.m file
3. Run the *.m file in Matlab
If the result was produced with Microsoft Excel, simply download the *.xls file shown on the individual page.