Researchers have found a vulnerability in devices with cameras — like smartphones, surveillance cameras, and dashcams — that threat actors can exploit to spy on your camera’s footage in real time.
In a paper published this month, researchers from the University of Michigan, Northeastern University, and Zhejiang University demonstrated how electromagnetic (EM) emissions from the cameras embedded in these devices can be hijacked to spy on people beyond barriers like walls and doors.
“We characterize EM Eye—a vulnerability in the digital image data transmission interface that allows adversaries to reconstruct high-quality image streams from the cameras’ unintentionally electromagnetic emissions, even from over 2 meters away in most cases,” the researchers said.
“By exploiting this vulnerability, adversaries may be able to visually spy on private activities in an enclosed room from the other side of the wall,” they added.
Many Devices Are Susceptible to EM Eye Vulnerability
According to the researchers, the primary source of the leak is the digital image data transmission interface between the image sensor chips and the image processing components.
“By understanding the serialized data transmission scheme and reverse-engineering the transmission parameters, adversaries can directly generate eavesdropped image streams in real-time using portable equipment including an antenna, a software-defined radio receiver, and a laptop,” the researchers explained in their paper.
The researchers tested four smartphones, six smart home cameras, and two dash cams and found them vulnerable to the “EM Eye” flaw. The devices they tested include:
- Google Pixel 1 (2013)
- Google Pixel 3 (2018)
- Samsung S6 (2015)
- ZTE Z557 (2019)
- Wyze Cam Pan 2 (2019)
- Xiaomi Dafang (2019)
- Baidu Xiaodu X9 (2023)
- TeGongMao (2023)
- Goov V9 (2022)
- QiaoDu (2021)
- 360 M320 Dashcam (2020)
- Blackview Dashcam (2022)
The quality of the reconstructed images varied based on several factors, like the camera’s design, the distance between the eavesdropping equipment and the camera, and the type of cable connecting the camera (with longer cables leading to better quality images due to stronger EM emissions).
The researchers used standard eavesdropping equipment for the experiment. They noted that advanced devices could further improve the range adversaries can eavesdrop on and the quality of the content they get. For instance, professional antennas have a 30 dBi gain, while top-quality LNAs have up to 50 dB gain. Analog filters can also enhance signal-to-noise ratio.
Adversaries with more resources can also create specific analog filters for each target camera or buy high-end tunable filters. Previous research on computer displays shows that using a 45 dBi LPDA antenna, analog band-pass filters, and improved software can extend eavesdropping distance from 10 meters to 80 meters, the researchers said.
How to Protect Your Camera From Hackers
This isn’t the first time researchers have rung the alarm bells over vulnerabilities in everyday items that could allow threat actors to spy on unwitting targets.
In January, researchers from the Massachusetts Institute of Technology (MIT) revealed that ambient light sensors, commonly found in smartphones and tablets, can be used to capture images of how users interact with their devices. And a Carnegie Mellon University study from 2022 revealed that signals from Wi-Fi routers can be used to produce 3D images of people.
Given the widespread nature of the EM Eye vulnerability and the potential for significant privacy breaches, the researchers noted the urgent need for manufacturers to re-evaluate the design of embedded camera systems.
They suggested some practical countermeasures for manufacturers, like employing shorter cables, using better-shielded cables, or improving the data transmission protocols to cut down on EM emissions. These measures, while effective, may not be universally applicable or could impose additional costs and design challenges.
If you’re concerned about the EM Eye vulnerability potentially compromising your privacy, we recommend you:
- Consider using a more secure smartphone or an older device that doesn’t have cameras.
- If you’re using smart devices in a confidential environment, hire a cybersecurity professional to assess if your devices’ cameras are vulnerable to such attacks.
- Regularly patch and update your devices.
- Place your device in a Faraday cage, if possible.
For more news, follow us on X (Twitter), Threads, and Mastodon!
