Blog: How-Tos

Webcam Security: I can SEE you!

Tom Roberts 04 Mar 2014

Let me start by saying this is not an opinion one way or the other on the recent disclosure about GCHQ/NSA capturing webcam footage of millions of people as reported by the guardian: http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo.

We at PTP have long known that protocols such as these have vulnerabilities in both the commercial and private home sectors. We see them regularly and will commonly find open webcams that people have forgotten to firewall off or segregate properly on their network.

A quick google search will highlight sites and applications that will go looking for them for the “cyber voyeur”. They range from IP cameras people have willingly installed in their homes for remote access, to city street cameras for people to view traffic. Sometimes they are just random open access cameras that someone has failed to properly protect from the internet (http://arstechnica.com/gadgets/2011/01/one-mans-journey-through-the-world-of-unsecured-ip-surveillance-cams/).

We also have forms of them in our offices and meeting rooms or board rooms in the form of AV equipment. Snooping on offices may seem the most boring of pastimes but it can aid social engineers and give them vital info on things like arrival and departure times for staff, cleaners, dress code and a variety of other useful titbits that can aide someone who might try to gain physical access, not to mention the possibility of overhearing (in the case of AV equipment) sensitive meetings or corporate negotiations.

This isn’t new news either. YouTube is full of handy “how to” videos for people wishing to “try this at home”. I can’t and won’t condone this activity but you can see how people might abuse this flaw to spy on lovers, spouses, exes or just random strangers.

It seems almost amusing to me that GCHQ seemed surprised that people might use the internet to show bits of their anatomy to others, while the rest of us know that is what far too many people use it solely for. Using MS08-067 on a vulnerable machine and a single line of code within Metasploit gives instant access to a victims webcam, but any suitable local exploit or ability to run code on a victims machine at a suitable level will suffice. The potential (bad guy) user base ranges from corporate espionage to creepy stalker.

Now there are simple solutions to intercepts such as this. The first being have a well patched machine at home and the rest range from a corporate set of well configured firewalls and internal servers which are tested for vulnerabilities and exploits regularly, to a small piece of tape that you apply over your webcam when it’s not in use. This won’t stop people listening in when you are using it, if you are unsecured, but it will stop them snooping on you when you aren’t looking.

Maybe it’s time that manufacturers applied a “privacy screen” on all PC/tablet/phone cameras that would require a manual intervention to “open” the viewfinder. Very akin to a camera lens cover. At least then you know they will only watch you while you are using it. At which point it’s really all about making sure that when you do use it, it’s a secure and safe communication channel. I for one just use the tape. ;-)

It just leaves me to say that I now know who has the biggest porn collection in the world now, GCHQ. ;-)