Schneier on Security
A blog covering security and security technology.
May 6, 2011
Stolen Camera Finder
Here's a clever Web app that locates your stolen camera by searching the EXIF data on public photo databases for your camera's serial number.
Posted on May 6, 2011 at 7:01 AM
• 32 Comments
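What searching a photo's EXIF data for a serial number involves at the file level, as an added example that is not part of the original post and is not Stolen Camera Finder's code: it reads the standard Exif BodySerialNumber tag (0xA431) from a JPEG and removes the Exif segment. It assumes the serial is in that standard tag (many cameras write it only to vendor maker notes, which this does not parse); the function names and sample bytes are constructed for illustration.

```python
import struct

def segments(jpeg):
    """Yield (start, end, marker, payload) for each segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield pos, pos + 2 + length, jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def ifd_entries(tiff, off, e):
    """Map tag -> (count, offset of the entry's 4-byte value field) for one IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {tag: (cnt, p + 8) for p in range(off + 2, off + 2 + 12 * n, 12)
            for tag, _typ, cnt in [struct.unpack_from(e + "HHI", tiff, p)]}

def body_serial(jpeg):
    """Return the BodySerialNumber (tag 0xA431) string, or None if absent/malformed."""
    try:
        for _, _, marker, payload in segments(jpeg):
            if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
                continue
            tiff = payload[6:]
            e = "<" if tiff[:2] == b"II" else ">"        # TIFF byte order
            (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
            _, ptr = ifd_entries(tiff, ifd0, e)[0x8769]   # pointer to the Exif sub-IFD
            (sub,) = struct.unpack_from(e + "I", tiff, ptr)
            cnt, p = ifd_entries(tiff, sub, e)[0xA431]
            if cnt > 4:                                   # long values sit at an offset
                (p,) = struct.unpack_from(e + "I", tiff, p)
            return tiff[p:p + cnt].rstrip(b"\x00").decode("ascii", "replace")
    except (struct.error, KeyError, ValueError):
        pass                                              # untrusted input: report no serial
    return None

def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment(s); other bytes are unchanged."""
    segs = list(segments(jpeg))
    keep = [jpeg[s:end] for s, end, m, body in segs
            if not (m == 0xE1 and body.startswith(b"Exif\x00\x00"))]
    return b"\xff\xd8" + b"".join(keep) + jpeg[(segs[-1][1] if segs else 2):]

# Constructed sample (not a decodable image): SOI, Exif APP1, empty SOS, EOI.
_tiff = (b"II*\x00" + struct.pack("<IHHHIII", 8, 1, 0x8769, 4, 1, 26, 0)
         + struct.pack("<HHHIII", 1, 0xA431, 2, 11, 44, 0) + b"0123456789\x00")
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", 8 + len(_tiff)) + b"Exif\x00\x00"
          + _tiff + b"\xff\xda\x00\x02\x00\xff\xd9")
```

Running `body_serial` over your own published photos shows whether they carry the serial; `strip_exif` produces a copy that does not.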
While I can see how this can be defeated, I actually quite like this idea.
It won't protect your device from master criminals or even those who are technically literate enough to scrub the data before they upload it - but it will spot people who have naively bought a cheap camera from a guy in the street...
Quite cool. Next step is what? Call the guy and ask for your camera back? That might work if the guy was scrupulously honest. But, if not, ....
I'm assuming that most people are like me -- lazy. I don't go out of my way to record all of the critical data of items I purchase, so I won't have recorded the serial number of the camera or the EXIF data prior to the theft. I can easily get the EXIF data from my prior photos, but that's not much proof of ownership. One could easily change the EXIF information in a photo and claim it was original. Assuming I kept the receipt (big assumption, btw) I don't think the serial number would be on there. Warranty registration card? Don't even think about it.
So, even assuming I find the new possessor of the camera, who claims that they paid good money for the camera so they own it now, how do I prove it's really mine?
Then there's the problem of camera models: FAIL -- The 'Canon Canon PowerShot S1 IS' does not write serial information in the exif. Of course it's so old no one would intentionally steal it.
EXIFtool is a great way to scrub tracking information like your camera's serial number from photos, in case you would like to publish things not trackable back to you.
@jeff -- Obviously it's ONE piece of evidence to present to the police, and actually recovering your stolen property would require police cooperation along with possibly more evidence... just as in any case of a reported theft with other forms of evidence.
@jeff "Next step is what? Call the guy and ask for your camera back?"
No! Just go to the most common GPS location in their photos, bring a few printouts of the thief's face, and when they turn up with your camera, call the cops!
It's not quite red-handed, but you'll get the camera back, though it may take a couple of weeks for the cops to check where they say they got the camera, your receipt, your evidence (your photos taken, with serial) and your crime report....
It's an 'easy' collar for them (probably open/shut case if they find anything else stolen at the person's home), so they should be very keen - and local government would have told the police to focus on this kind of crime.
This one has stalking potential. One could easily download "anonymous" naughty pictures from naughty websites and find the corresponding holiday pictures of that person sitting on a terrace in Spain.
@jeff "Quite cool. Next step is what?"
Call the SEALS.
@Rubin110 - Thanks!
Do mobile phones also add serial number metadata? If so this would be very interesting.
Scary thing is.. and I just thought of this. It can be used in reverse.
So the person who stole your camera can find other photos of you on the web.
This could be hilariously subversive when combined with tineye and EXIF (thanks Rubin110). Scrubbing tracking data with EXIF is the boring option - you could plant someone else's EXIF in your photos and completely mislead any 'stalking' attempts. Or steal a camera and insert the EXIF into someone else's photos... or XSS/SQLi a site through the metadata, if it's unfiltered. And probably plenty of cunning things I haven't thought of.
EXIF is untrusted data. You're relying on naivety somewhere in the chain for it to work - anyone who trusts it anywhere along the line is making a (potentially very foolish) assumption. That's the same for catching thieves or for security purposes.
I like the distributed manner in which they're grabbing EXIF data. Check out the how can I help section. They have a Chrome extension.
Just in case it's not clear to you or anyone else here, the 'stalking' potential -- by which you really mean de-anonymization -- has existed for many years. It's existed ever since camera makers started stuffing EXIF data into photos and people started posting them to the web. Stolen Camera Finder does do anything new in these situations.
Digital photos are to an extent traceable even if all metadata is stripped. Research that was referenced on Bruce's blog years ago, showed that each camera has a "fingerprint" that is imprinted on every photo, and is quite difficult to remove. [This fingerprint is the unique pattern of variation in sensitivity of imaging elements.]
While such analysis doesn't reveal the camera's serial number, it does allow determination as to whether different images came from the same camera. So if there is even one available image that is known to be from "person X", any anonymously posted photo with the same fingerprint will have come from the same camera, and would suggest an association with the same person.
In the digital era, privacy is becoming more precious than platinum.
For those seeking a little anonymity, removing the serial number is but the first step on a longish path.
If you have a hunt around you should be able to find an app that makes small distortions to the picture that although mainly unnoticeable to the human eye helps remove "signature artifacts".
IIRC Ross J Anderson and others at Camb Labs came up with a program over a decade ago that did it well enough to remove "watermarking" from even the best of the DRM systems of the time.
You would need to test but probably take the raw image apply a little AWGN then apply the distortion filter then downsize and back up again would remove the majority of the "signature artifacts".
If someone stole a camera, they probably don't even know EXIF stores the S/N. Anyone who would buy stolen property probably doesn't either. It would be a PITA to have to scrub every image you ever produce, anyway.
Oh, and the fact that someone paid "good money" for stolen property is irrelevant. "Possession of stolen goods" ought to motivate anyone to return it, considering the proof is littered all over the web.
most people don't realize that posting pics online is a security risk - potential criminals see your house, layout of the rooms, security cams, potential loot like flatscreens, cars, expensive jewelry etc - and with new cameras they even have the GPS data to find you and your friends
would be nice to have EXIF data encrypted by the camera, or even all pics.
but then of course you got the usual tradeoffs - usability vs security: who wants to enter passwords for a snapshot? one could have a 'picture taking' mode that takes pics but does NOT allow access later w/o a password
all that does not keep your kids from disclosing every detail of your life on facebook anyways ...
@JeffR et al.,
>"considering the proof is littered all over the web."
That's the point. You call the police or whatever, you'll need to prove that you owned that camera first and that it was stolen. How do you do that? Knowing a serial number doesn't prove ownership.
I guess a previously filed police report of a theft which named a serial number would help. But, that's not completely free from manipulation either.
To bring this around to the subject of this blog, it's an authentication problem. Unless you do something to the camera (like etch your name into the case), it'll be an interesting situation.
@jeff - Any photos you took with it would be tagged with the same S/N. That's how the web-app in question gets your S/N.
Can you track down a receipt? A check or credit card statement?
If it's any kind of serious camera, it *should* be insured anyway, which would provide the S/N.
Honestly, the cops probably wouldn't bother *anyway*; but can you convince the current 'owner' otherwise?
This is timely discussion for me. Recently, some activists I know were discussing the security problems of EXIF data and noting a dearth of good easy to use free programs for stripping EXIF data. Another activist and I quickly bodged something together and it was well received.
With respect to serial numbers, I was just examining some photos sitting around on my hard drive (taken with many different cameras) and the serial number field was blank on all of them. It doesn't appear that it's a field that's normally used by normal consumer cameras.
How do you prove that the camera is yours? I guess your photos (with EXIF tag) need to be posted and timestamped on a site similar to the one you harvested the tag from. That or turn over your hard drive with photos for forensic analysis of the file system. Pick your poison.
Most cases, though... The juice probably isn't worth the squeeze.
Steve Rambam (PI) has discussed his use of this technique to locate persons of interest.
Did one of you try this site with success? None of my pictures / cameras are supported...
If camera is lost, too bad, finders keepers losers weepers. If camera was stolen, ok so how will you get it back? If it costs less than $250 I wouldn't bother tracking anyone out in cyberspace. Of course had Mr. Zapruder's camera been lost or stolen we wouldn't have footage of JFK's last seconds alive.
Part of the point I was trying to make is that this won't ever stop a security aware criminal but how many of them rob a £100 camera.
Where it can come in use is the small scale action - such as a school kid having their camera stolen by another school kid.
It is far from perfect and I wouldn't pay for it. But if it was there, I would use it.
It's not very effective anyway. I have hundreds of images online that I've taken with my two cameras and neither serial number got a hit.
I don't know how useful this will be for tracking down a stolen camera from the point of view of the average camera owner, but if I were with the police, I'd be thinking about setting up some kind of script with the serial numbers of any cameras that have been stolen in area burglaries.
On the other hand, a while back I found a cell phone...well, the remains of a cell phone...and was able to get the micro SD card (all full of pictures of dad playing with the kids, a birthday party and a new puppy - the kind of stuff you'd hate to lose) back to the owner. It took some digging but I like these kinds of puzzles. If you don't want to play "Sherlock Holmes and the Case of the Building in the Background" LARP, now you can just take a picture of a note saying something like, "I found your camera - E-mail me at firstname.lastname@example.org."
It's been a year or two, but last time I checked, none of my consumer p&s cameras saved SN to the EXIF data. The DSLR did, but none of the smaller cameras. Could have changed by now, but I bet most p&s cameras still don't write much to EXIF.
Facebook and Flickr used to scrub EXIF data as well. So it didn't matter what was in there. That too could have changed, I haven't checked recently.
I guess it can also be used to track cameras (& their owners) which have not been stolen...
I've just been on the receiving end of this. I bought a camera from an ebay shop last year. Now that this site has been posted on so many camera forums and flickr sites, I receive an email via facebook (the person had tracked me down, joined facebook with the purpose of emailing me), saying the camera I'm using is his.
I'm no criminal, you're all talking as if the person using the camera is going to be the thief, whereas that's pretty unlikely. TBH, I'm freaking that some strange man has stalked me on the net and told me my camera is stolen. I'm not sure what he expects me to do, but surely this isn't the correct or legal approach?
And you guys are encouraging this chap to use my geotags and come knocking on my door!!! Surely what you should be saying is take your evidence to the police along with your original crime no. when you had the sense to report the item lost or stolen?
I am happy to do the right and honourable thing WHEN it is pursued through the correct authorities. But no way am I taking the word of some internet weirdo who has stalked me through my few publicly available photos on flickr.
The camera was bought second hand via an ebay shop, how do I know this guy didn't sell it to that shop? I'd be pretty sure the onus is on him to involve police and prove he is the rightful owner, if he wants it back.
First you need to make the decision as to whether you want to conceal a possible crime, or whether you want to "do the right thing" and allow this alleged theft to be investigated. I hope you choose the latter.
In my opinion you should go to the police. Not to make a complaint, but to use them as an intermediary. They can then evaluate whether there was a theft or if someone is trying to scam you, and can deal with any "internet weirdos" that you are trying to avoid. This also has the advantage of getting it sorted out before he comes knocking on your door wanting it returned immediately.
I can't see how it would be illegal for him to ask for his property back (if it actually is his). As for being "correct", that is subject to interpretation, but if it was stolen (and hasn't been claimed on insurance) then he certainly has the right to have it back.
If, however, the camera is stolen and he has provided any details about the theft (such as a police report number or police contact) then I would disagree with your comment "I'm no criminal" as my understanding is that knowingly possessing stolen property is a crime.
I think you should go to the police, make a report about a potential theft or scam, give a statement detailing the camera model & serial number and then email the guy back with the police report number. That way you won't have to deal with him directly, plus he has no reason to pursue you directly.
If you intend to go through the police to have this resolved, then you will need to take that step, as this person may choose another method to recover the camera.
Note that the above is my opinion only and should not be considered legal advice.
What's way more interesting here, is I upload YOUR photos to the stolen camera finder, and now I can find all of your images across the internet. The connection between photos becomes a lot more interesting when some are headless risqué shots. Those "anonymous" photos might not be so anonymous. It's only a matter of time before this ruins someone's political career.