Day 61 - So, you think webcams can't be turned on without the indicator light?

19 Apr 2017 100daysofwriting · online · privacy · security · webcams

2 days ago, I wrote this list about improving your security online and practices that you should follow. The last point on that list was Tape your webcam. The question that most people seem to have is:

1. Are there any existing exploits which can turn on your webcam without turning on the light that is there next to it? How widespread are these lights?

2. Why should I tape the webcam if I have nothing to hide? (This was the argument used by Shailene Woodley’s character in the movie Snowden (2016)).

I think the FBI director Comey answered both these the best:

I saw something in the news, so I copied it. I put a piece of tape — I have obviously a laptop, personal laptop — I put a piece of tape over the camera. Because I saw somebody smarter than I am had a piece of tape over their camera.

– From npr.org

And what did he say about the second question?

You go into any government office, we all have our little camera things that sit on top of the screen. They all have a little lid that closes down on them, You do that so that people who don’t have authority don’t look at you. I think that’s a good thing.

– From hindustantimes.com

In light of all of that, I think my point about protecting your privacy because the existence of exploits might be questioned but by the time that these exploites are released to the public, it will most certainly be too late.

Moreover, if you know about the Lower Merion School District case in which the School district gave laptops to all their students and installed an anti-theft tracking software and used that to capture photos of their students at periodic intervals. Most students noticed that the green light next to their camera used to flash now and then, and they found it creepy but the people at the school reassured them that it was a technical glitch (which is the easiest out) and let it go. They paid heavily for their indiscretions and SICK actions, it must be noted though that the photos are out there and they might have been deleted or handed over, nonetheless some people have seen it.

Further research for about 30-40 minutes on sites like the StackExchange site for Information Security, Quora and news websites led me to several articles that detailed exploits and attackers getting access to webcams and using those to click pictures. There is a dearth of articles in 2014 and 2015, which is intriguing, but 2013 was the time that this issue was at it’s highest popularity and there are many articles from the second part of that year. So, read on!

• September 2011, August 2016, Discussion on this InfoSecurity Stack Exchange question about whether webcams can be turned on without the indicator light

• December 2013, CS professor and student from Johns Hopkins University publish a paper about turning on webcams on Macbooks without turning on the light

• December 2013, Errata Security found an exploit to turn on webcams without the indicator light using DLL files

• July 2015, A camera connected to the internet was hacked, through the router and eerie music / messages were played. In what was perhaps a prank by some hacker, this is one of the most disturbing pieces on this topic

• August 2015, Couple watching Netflix was inadvertently caught on camera by someone who hacked their computer’s webcam

• February 2016, Edward Snowden says that NSA and GCHQ have been surveilling laptops of innocent people since 2008

• April 2016, FBI Director James Comey says in an address about privacy and encryption that he tapes his webcam, and everyone in government offices does, and according to him, that’s a good thing

• June 2016, Mark Zuckerberg tapes his camera and mic

• August 2016, An answer on SuperUser Stack Exchange about how to turn on the webcam without turning on the light on Windows and Linux

• April 2017, A Quora question with some surprisingly good answers about whether taping your webcam is something everyone should do

By this time, after reading all of that, I think you should be sufficiently convinced about 1. the possibility of the existence of exploits 2. that someone or the other is watching and it’s not right to let them watch without your permission.

On a sidenote, I didn’t find those articles in the exact chronological order that I have presented them in (obviously). After creating a list entry for each of them, I had to sort them. I probably did using Quick Sort, because I inherently created year pivots and grouped all of 2016’s articles together, same for 2015, 2013 and then once I had a clear distinction between these two sets, I moved the whole 2013 before 2015 and so on. Probably not traditional quick sort but I think that’s the algorithm that comes closest to describing what I did.

POST #61 is OVER