The international study was carried out by researchers from Queen Mary University of London (QMUL) and the Chinese Academy of Science, using data provided by a large Chinese manufacturer of Internet Protocol (IP) security cameras.
Cameras like these allow users to monitor their homes remotely via a video feed on the internet, but the researchers say the traffic generated by the devices can reveal privacy-compromising information.
Study author Gareth Tyson from QMUL told CNN that data uploads of the unencrypted data increase when a camera is recording something moving, so an attacker could tell if the camera was uploading footage of someone in motion, and even different types of motion like running or sitting.
The risk is that “someone who is specifically targeting an individual household rocks up outside with a device to try and start passively monitoring traffic,” he said.
Tyson told CNN that an attacker would require a decent level of technical knowledge to monitor the data themselves, but there is a chance that someone could develop a program that does so and sell it online.
Noting that he hasn’t seen any direct evidence of this kind of attack taking place, he said one potential use would be if someone wanted to burgle your house.
“They monitor the camera traffic over an extended period of time, and by looking at the patterns that are generated by those cameras over maybe a week, they then start predicting the following week when you’re most likely to be in the house,” he said.
In order to reduce the privacy risk, companies could randomly inject data into their systems to make it harder for attackers to spot a pattern, he said.
Tyson said the team are trying to extend their research to work out how to maintain camera performance while reducing privacy risks.
At present, cameras are “fairly stupid items” in order to keep manufacturing costs down, said Tyson, uploading data whenever motion is detected.
“What we want to do is have a more intelligent system that allows the camera to understand what that motion is, assess the level of risk, and only upload it and alert the user in a case where the camera feels that it’s worthy doing,” he said.
For example, someone who owns a cat probably doesn’t want to be alerted every time the camera detects the animal walking around, but they would certainly want to know if a human intruder were spotted.
Tyson said this is the first study to investigate the risks posed by video streaming traffic generated by the cameras.
The global market for the devices is expected to be worth $1.3 billion by 2023, according to the press release. Popular brands include Xiaomi and Nest, which is owned by Google.
While the study authors did not analyze data from those brands, they did find that their cameras present the same privacy risk. CNN has reached out to Nest and Xiaomi for comment on the research.
The study was published at the IEEE International Conference on Computer Communications, which brings together researchers in networking and related fields.