Reading this on a laptop or on a screen with a camera? Glance up at the camera. Smile and wave.
Why? Just in case someone is watching you. Is that possible?
Yes. Yes it is.
Are you the person who puts the yellow sticky over your laptop webcam? Or the one who laughs at the people who do it?
What if someone turned on your laptop camera without your knowledge? What would they see? How could that harm you?
Once the domain of movies and television shows, the theory is now reality, complete with solutions pitched on Shark Tank.
It's even extended to the realm of office pranks. Take, for example, this video from last fall [link to YouTube video].
Whether you find it funny, disturbing, or a waste of time, it points out the reality that sometimes technology can be used against us.
The concern even surfaced in the courts; but those cases are generally the result of inappropriate use of organizationally approved and installed tracking/monitoring solutions.
The vanishing privacy/use indicator
In most of these cases, the privacy light that turns on when the camera is on was functioning normally. It's intended to allow us to know if and when the camera is on.
That changed about a month ago with the revelation that it's possible to turn OFF the privacy light while turning ON the webcam remotely. What really grabbed attention was that the attack was against Apple laptops (the caveat: it's on older hardware) [link].
While the privacy light may no longer serve as the definitive signal of webcam use, the sky isn't falling.
Framing the conversation
Cameras are becoming the standard for laptops and mobile devices. More and more, we rely on the ability to share voice and video over networks. It's becoming a standard means to communicate (which I love as a traveling father).
That means it's also time to think about the implications and practical protections while engaging those around us in constructive conversation.
There is a difference between someone installing monitoring software as part of the build and an attacker finding a way to remotely activate the webcam (and the microphone and speakers).
It's important to consider what we know, sort through implications, and then consider what steps, if any, make sense to take.
What we know
Since the privacy/on lights are controlled much the same way the camera is, it was inevitable that eventually someone could turn the webcam on without signaling it.
Right now, it means the act is possible. Sometimes.
Possible doesn't always mean it's easy. Success depends on a variety of factors, including hardware, software, and network connections.
State actors, well-financed criminals, and determined attackers have access to the techniques, tools, and ability to gain access to embedded cameras.
The broader consideration is how this impacts future efforts to take over embedded cameras. How long until someone figures out how to get your tablet or smart phone camera to turn on to monitor you [link]?
The implications are just forming. It's a time when a little awareness, some discussion, and common sense go a long way.
Implications & Actions
The implications and actions depend a bit on who you are and what you're doing.
Most of us will be successful by simply putting a piece of tape over the webcam. I recommend something plastic/vinyl (like electrical tape) without residue. That way, when you need the camera, it's available. Similarly, a lot of people use a small sticky note to cover the camera.
Manufacturers need to consider the architecture of camera solutions with attention to how privacy/use lights and camera usage are coupled/protected. The upside to the revelation is attention; this gives manufacturers and developers insight into a new range of attacks and unintended uses, and the potential to develop stronger solutions.
Security professionals -- cyber and physical -- need to find a way to work together. While concerns over remote camera use have existed for some time, the new developments may renew consideration for how cameras are used in sensitive environments.
The Bottom Line
While the news made headlines and caught some attention, the easier way to compromise someone is to trick them into clicking on a link or downloading (and running) a program that gives an attacker the same access.
The important action at this point is simple awareness (read more about the proper definition). Take a few moments to consider the locations and ways laptops with built-in cameras are used -- and then encourage the individuals around you to do the same.
Simply ask, "what can the camera see, and how could that impact me?"
Whether you elect to go with the electrical tape or sticky-note solution, perhaps it makes sense to laugh less at those who do.
This is a developing area worth monitoring. More and more, we rely on the ability to share audio and video with people. It’s not going away (and doesn’t need to).
Our reliance on these systems and capabilities means they can sometimes be used in unintended and unexpected ways. The key is reasonable, balanced conversations where we get to discuss them.