Research: Leiden University smart cameras had vulnerabilities
Research by Leiden University shows that the security of 371 smart cameras that were installed during the corona crisis had vulnerabilities. If the university wants to use the cameras again, it must also carry out a risk analysis.
The editors of the university magazine Mare were able to view the research report, which is currently with the university council. It contains the results of the penetration test that was carried out at the beginning of this year by an external agency. The test shows that users could see information about the smart camera without logging in. The passwords were also reportedly protected with an insecure and outdated encryption. According to Mare Xovis, the company behind the smart cameras, implemented an update in February of this year that has fixed the vulnerabilities.
According to the editors of the university magazine, however, the penetration test only looked at the possible security risks that can occur when logging into the system. There would have been no investigation into the unintended use of the sensors and vulnerabilities by logged-in users. The university will not investigate this further, according to the magazine. We consider vulnerabilities that are on the inside, but which cannot be exploited from a distance, a negligible risk.
Ricardo Catalan, the data protection officer of Leiden University, states in the research report that the university has a data protection impact assessment, DPIA for short, has to do if it wants to re-enable the cameras. A DPIA is an analysis that an organization must perform if there is data processing with a high privacy risk. According to the man and the university, such an analysis was not necessary before. “This estimate was not correct,” Catalan said.
According to the man, the university should have communicated better about the smart cameras. He notes, for example, that the university had to make it clear from the start that it was about smart cameras and not about ‘sensors’ or ‘scanners’ as initially suggested. In this way, according to the man, the seriousness of the privacy issue was underestimated.
The university has not yet decided whether the smart cameras will be re-enabled. To do so, it first awaits the results of the DPIA. As soon as this has been completed, the decision will be made in consultation with the University Council.
During the corona crisis, Leiden University will start using 371 smart cameras in 2020. These are Xovix PC2S cameras that can be used for counting people, but also for tracking and analyzing behaviour. The university stated that the cameras were only used as sensors to record the number of students present. For example, no image would be used. According to university magazine Mare, the privacy level of the hardware was always at a level that allowed more. People were reportedly not recognizable at that level either. At the end of last year, the university switched off the smart cameras as a result of the unrest that had arisen about privacy.
Xovis PC2S