Security Review: Integrated Webcams

By zaxim at 9:53 pm on February 10, 2008

The other night one of my friends asked me about the webcam in her laptop. She was concerned about people gaining access to it and spying on her. Her fears got me thinking about this problem.

Integrated webcams are becoming the norm in most laptops. The privacy implications of unauthorized access are staggering. A lot of us take changing in the secrecy of our own room for granted, but what if that wasn’t the case? In this security review I look at the possible weaknesses and defenses this class of products has.

Product Summary

A webcam is usually a small video camera used for the purpose of transmitting images or videos over a local network or the internet. It’s typically used for videoconferencing in a corporate or personal setting. It can also be used for recording utter crap to put on YouTube, and anyone who does that deserves to die an ignominious e-death. But that’s beside the point.

Webcams used to come as standalone peripherals that were plugged into a USB port and placed somewhere on top of the computer monitor. But as of late, more and more laptops are coming with webcams built in, and it’s an oft-sought-after feature. In fact, I think all Mac laptops (and some desktop computers) in the past few years have come with webcams.

Assets

-Users’ physical privacy, specifically visual privacy. The right to choose when to show themselves to the rest of the world is an important asset.

-Corporate or national secrets. This can include physical location, printed information, or even identity of personnel in the vicinity of the laptop.

Adversaries

-Peeping Toms: Looking for voyeuristic pleasure. Pedophiles and their ilk can fall under this category.

-Blackmailers: They might be seeking incriminating data in order to extort money or favors from the users. One man in Cyprus tried to blackmail a teenager into posing nude for him. (http://itmanagement.earthweb.com/secu/article.php/3499571)

-Corporate or national spies: Might be trying to identify secret locations and facilities, or the identities of secret employees or customers.

Weaknesses

-Faulty web-conferencing programs: Many programs take advantage of webcams now, such as instant messengers like Skype and Yahoo! If these programs are written with security flaws, they can be exploited.

-Backdoor programs: An adversary can slip a Trojan onto a laptop, granting unauthorized access to various aspects such as passwords and files, and since the webcam is integrated hardware, the webcam…

Potential Defenses

-Disable webcam driver when not in use.

-Run multiple levels of firewalls and spyware detection, such that if one is disabled, ports are still blocked.

-Keep up to date on the latest Trojans and systematically check start-up programs and running processes.

-Avoid installing software with known security holes.

-And the most elegant solution, devised by my friend: tape a piece of paper over the webcam.
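
One way to carry out the "check running processes" defense for the camera specifically, as an added example that is not part of the original review: it assumes a Linux laptop where the webcam appears as /dev/videoN and /proc is available, and the allow-list of process names is a hypothetical choice.

```python
import os
import re

# Assumption: the integrated webcam is exposed as a V4L2 node, /dev/video0, /dev/video1, ...
VIDEO_NODE = re.compile(r"^/dev/video\d+$")


def process_name(proc_root, pid):
    """Short command name of a process, or '?' if it cannot be read."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def camera_users(proc_root="/proc"):
    """Map pid -> (name, sorted device paths) for processes holding a camera node open."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or we lack permission
            continue
        devices = set()
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if VIDEO_NODE.match(target):
                devices.add(target)
        if devices:
            found[int(entry)] = (process_name(proc_root, entry), sorted(devices))
    return found


def unexpected_camera_users(allowed, proc_root="/proc"):
    """Camera users whose process name is not on the allow-list."""
    users = camera_users(proc_root)
    return {pid: info for pid, info in users.items() if info[0] not in allowed}


if __name__ == "__main__":
    ALLOWED = {"skype"}                  # hypothetical allow-list for this machine
    for pid, (name, devs) in sorted(unexpected_camera_users(ALLOWED).items()):
        print(f"unexpected camera access: pid={pid} name={name} devices={', '.join(devs)}")
```

Run it as root so that other users' processes are visible. The result is only as trustworthy as the operating system reporting it, which is why the piece of paper still wins.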

Conclusion and Evaluation

The biggest problem is an adversary installing a backdoor program on a user’s machine. Such a program can do more than just compromise the webcam; it has access to various other aspects of the computer. These backdoor programs are relatively easy to customize and deploy; in fact, some disreputable companies and groups offer to sell or distribute these Trojan makers, resulting in various programs such as W32/Rbot-GR, MyDoom, and Optix. The best way to avoid them is not to install any suspicious software or accept files from untrusted users.

Because the webcam is now integrated hardware, there isn’t really a simple software solution to disable it completely, since a backdoor program can reverse most software changes.

In the past, with conventional webcams, you could always unplug the device when not in use. But now it’s always there…staring at you…unblinking…How do you know it’s not on now?

Sources

http://www.sophos.com/virusinfo/analyses/w32rbotgr.html

http://www.theregister.co.uk/2004/08/23/peeping_tom_worm/

http://www.technewsworld.com/story/36096.html?welcome=1202699594

http://www.wackyb.co.nz/vb/showthread.php?t=112

Filed under: Privacy, Security Reviews

2 Comments

  • 1

    Comment by Brian

    February 10, 2008 @ 10:02 pm

    Another defense employed by many of the integrated webcams out there – all of them in Mac laptops, for example, is to have an LED next to the webcam that is wired so that if the webcam is powered, the LED is on. While this doesn’t prevent malicious software from accessing the camera, it at least lets you know that it’s happening, if you’re paying attention.

    I particularly liked Apple’s original external iSight camera. If you turn the front ring counterclockwise, the camera is switched off and the lens is covered by an opaque iris, making it impossible to see anything with the camera. The iris is also bright white, so it’s easy to see that the camera is closed just by glancing at it. Unfortunately, the built-in webcams lack this feature.

  • 2

    Comment by Fabian

    February 10, 2008 @ 10:42 pm

    I personally would not trust any webcam that uses a wireless interface. This is primarily because I would use the webcam in conjunction with my laptop, which I always carry around. Not a lot of places can provide a wireless security connection in public.

    In addition, if a malicious program is exploited to misuse the webcam, then the problem might come from the manufacturer's driver. It is pretty tricky to handle such a driver, and the possible fixes might come after our privacy has been compromised.
