Thermal imaging cameras may be transmitting images of your face overseas

Posted on: 2021-05-13 17:40 KST. Modified on: 2021-05-13 17:40 KST
They include features that allow them to collect and transmit information about faces and voices
A woman gets her temperature checked by a thermal imaging camera. (Getty Images Bank)

Thermal imaging cameras positioned at the entrances of buildings, offices and stores to measure body heat for COVID-19 prevention include features that allow them to collect and externally transmit face and voice information from the people scanned.

Through remote control programs, the devices can also be operated like closed circuit television (CCTV) systems.

In addition to the serious potential for violation of the Personal Information Protection Act’s prohibition on gathering, providing and using face and voice information without the subject’s consent, observers have expressed concerns about possible breaches of security for companies and government institutions.

Could my facial data be transmitted to China?

On Tuesday, the Hankyoreh acquired a copy of a report on study data about the potential transmission of information by thermal imaging sensors. It was provided by Environmental Monitoring National Headquarters, a civic group that has been monitoring the issue of thermal imaging camera abuse.

The mainboard of the thermal imaging camera in question that was used for a demonstration for the Hankyoreh on May 6.

According to the report, a feature on widely sold body temperature scanning products was found to allow for the gathering of face and voice information from scanned individuals and transmission of the data in encrypted form to outside parties.

Specifically, the transmission destinations set in the scanner were Internet Protocol (IP) addresses of systems (computers) located in China and the US. Up to 400 megabytes (MB) of information could be transmitted on average per day. Equivalent in size to one of the compact discs (CDs) used in the past to store information, this amount was taken to represent still images and short videos stored in compressed form for potentially hundreds of people.

The information acquired by the Hankyoreh was an internal document from an IT business’s technology institute in Bucheon, Gyeonggi Province.

The company’s president, who asked that neither their name nor the company’s be disclosed, told the Hankyoreh, “We performed the analysis through our tech institute because we were wondering, ‘Why does a thermal imaging camera body temperature scanner have a face and voice information collection and transmission feature, when all it needs to be able to do is scan facial temperature and decide whether someone is approved?’”

“We intend to provide our analysis data and give a demonstration if requested by the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA),” they added.

The board includes a communication chip.

The company’s tech institute performed a demonstration for the Hankyoreh on May 6 at its Bucheon site to show the process and results of its previous analysis.

The product in question, imported from China, is a popular device for body temperature scanning by thermal imaging cameras. At online shopping malls, it sells for a price midway between 1 and 2 million won (US$883 to 1,768). It runs the Android 7.1.2 operating system, with the YBFace program for facial temperature measurement.

Its board includes a communication chip, and the device's attempts to connect externally could be observed on a monitoring screen running the Wireshark traffic analysis program. With traffic tracing using the firewall system, the exchange of data could be observed through connections with servers (computers) with IP addresses in China and the US.

Are scanners advanced CCTV systems? Conversations within a 30-meter radius also captured

The scanners could be used the same way as CCTV systems. When a team leader at the institute launched a smartphone app for remote operation, video and sound from the camera could be seen and heard.

The Wireshark traffic analysis program shows the product in question tried to make an external connection.

“For our analysis, we acquired an item that is currently being used at a building in Seoul and operated it for about a month and a half,” said a director at the company’s tech institute.

“With the additional use of a noise canceling program, we could clearly hear conversations within a radius of 30 meters,” they said.

“In terms of protecting security, personal information and privacy, this appears to be a device that should never be used.”

The company’s president also said, “Around 400MB of data per day are being transmitted to servers that appear to be in China, and it’s encrypted in a way that makes it impossible to decipher with domestic technology.”

“By analyzing the scanners’ IP addresses, we can confirm where the device in question has been set up and is being used,” they added.

“It looks like it could be abused to detect the position of body scanners installed in important facilities such as major companies or government institutions, and then hacked to introduce a remote control program that would allow it to be used like CCTV to detect who has entered and exited.”

It previously emerged in a PIPC study last November that some of the thermal imaging camera body temperature scanner models collect and store video images of the faces captured in the camera. But this marks the first time it has been confirmed that the devices include features for transmitting the data overseas.

“It’s possible that similar features are included on other companies’ body temperature scanners,” the company president said, adding that it “looks like an inspection by the PIPC or KISA will be needed.”

Traffic tracing using the firewall system made it possible to observe data being exchanged with servers (computers) with IP addresses in China and the US.
Extent of use remains shrouded in mystery

It would be difficult to ascertain just how widespread the camera devices in question are in South Korea. Without any systematic oversight on the matter, even statistics are unavailable.

But it appears very likely that many private companies, and even government institutions, acquired the same or similar devices in the interest of disease control as the COVID-19 pandemic began intensifying in March 2020.

The items are sold domestically through around 50 local SMEs. Key components are manufactured in China.

“Even when one of them is listed as ‘made in Korea,’ key components like the mainboard and facial temperature measurement program are usually made in China,” the president of one company producing thermometers for medical devices told the Hankyoreh in a telephone interview.

“Often, they will simply purchase a Chinese-made product, translate the instructions into Korean, change the external design and support, stick a new logo on it and market it as domestically produced,” they explained.

By Kim Jae-seob, senior staff writer

Please direct comments or questions to [english@hani.co.kr]
