Question
There is a system consisting of Storage Server (S) and Camera (C), which is accessed by Alice. When Alice accesses Storage Server, she executes the following unilateral authentication.
(1) Alice -> S: "I'm Alice" || r1
(2) Alice <- S: E(k, r1 || ks)
Alice and the Storage Server share a secret key k. Alice initiates the connection and wants to verify the Storage Server's authenticity. The 128-bit nonce r1 is randomly generated by Alice. Alice rejects if the received ciphertext does not correctly decrypt to r1; otherwise, the 128-bit ks chosen by the Storage Server is used as the session key. The encryption is done using AES in CBC mode, but owing to poor system design, the IV is 0.
On the other hand, when Alice interacts with the Camera, the following unilateral authentication protocol is used to send a remote control command.
(1) Alice -> C: "I'm Alice" || command
(2) Alice <- C: r2
(3) Alice -> C: E(k, r2)
Here, k is a symmetric key shared between Alice and the Camera. The 128-bit r2 is randomly chosen by the Camera, and the Camera executes the command if the received ciphertext correctly decrypts to r2. Encryption is again based on AES in CBC mode, again with IV = 0.
Now let us consider an attacker Eve, who does not know k. If Eve knows that Alice uses the same key for both (i.e., k = k), how can Eve maliciously control the camera?
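The design weakness the question is built around, as an added example that is not part of the original page: with a zero IV, CBC is deterministic and its first ciphertext block depends only on the first plaintext block, so under one shared key the Storage Server's message (2) and the Camera's expected message (3) coincide for equal nonces, while per-protocol keys remove the overlap. The Feistel stand-in for AES, the `subkey` derivation, its labels and all function names are assumptions made so the sketch runs with the standard library only.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes, the AES block size


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel over HMAC-SHA256).

    Assumption: used only so the example needs no third-party AES library;
    the property shown below holds for AES or any other block cipher.
    """
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def cbc_encrypt_zero_iv(key: bytes, plaintext: bytes) -> bytes:
    """CBC encryption with the all-zero IV from the question (no padding)."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    prev, out = bytes(BLOCK), b""
    for i in range(0, len(plaintext), BLOCK):
        x = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, x)
        out += prev
    return out


def subkey(master: bytes, label: bytes) -> bytes:
    """Hypothetical mitigation: derive one independent key per protocol."""
    return hmac.new(master, label, hashlib.sha256).digest()[:16]


def overlap(k_server: bytes, k_camera: bytes, nonce: bytes) -> bool:
    """True if S's message (2) for `nonce` begins with C's expected message (3)."""
    reply = cbc_encrypt_zero_iv(k_server, nonce + os.urandom(BLOCK))  # E(k, r1 || ks)
    expected = cbc_encrypt_zero_iv(k_camera, nonce)                   # E(k, r2)
    return reply[:BLOCK] == expected


if __name__ == "__main__":
    k, n = os.urandom(16), os.urandom(BLOCK)  # constructed sample values
    print("one shared key:   ", overlap(k, k, n))
    print("per-protocol keys:", overlap(subkey(k, b"storage"), subkey(k, b"camera"), n))
```

Key separation is only one of the fixes this illustrates; a fresh random IV per message or binding the protocol name and direction into the encrypted data addresses the same overlap.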