In a paper titled "aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)", the researchers detail a data exfiltration scenario, whereby malware accesses the surveillance camera in the local network and generates covert IR signals by controlling the cameras' IR LEDs. In that case, binary data can be modulated, encoded, and transmitted as IR pulses which can be detected from a distance by an attacker. In an infiltration scenario, a remote attacker on a parking lot in line of sight or even out of line of sight of the cameras, sends covert IR signals using IR LEDs. Once received by the surveillance camera, malware within the network can intercept the signal and decode command and control (C&C) messages hidden in the video stream. That way the hacker could communicate with malware previously installed via supply chain attacks, malicious insiders, or social engineering, even on sites that are air-gap isolated.
To prove their concept, the authors implemented a malware prototype and evaluated it with different types of cameras, including doorbell cameras, communicating tens to hundreds of meters away from the network under attack. They were able to leak internal data at a bit rate of 20bit/s per camera and were able to deliver commands to the network at bit rate of more than 100bit/s from one camera.
Ben-Gurion University of the Negev - http://in.bgu.ac.il/en