Risk
6/27/2013
10:02 AM
50%
50%

Sextortion Warning: Masking Tape Time For Webcams

"Camjacking" attacks activate your webcam and record your every move. Female images are in demand.

Furthermore, RATs aren't the only potential attack vector, with researchers having recently identified ways of remotely hijacking camera feeds by using a malicious iFrame attack to create a transparent Flash layer. This month, Russian security researcher Egor Homakov released a proof-of-concept attack -- dubbed "Click and say cheese" -- that exploited the Adobe Flash plug-in for the Chrome browser, running on OS X, that he says has been known since 2011. (His script-based attack was blockable using extensions such as NotScript and ScriptSafe.)

"This works precisely like regular clickjacking -- you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you," Homakov said in a blog post. Furthermore, with a bit of automation and distribution of malware that exploited this vulnerability, attackers could harvest thousands of webcam feeds or stills at once. "Your photo can be saved on our servers but we don't do this in the [proof of concept]," he said.

Since then, Google fixed the underlying bug in Chrome, which Russian security researcher Oleg Filippov (aka typicalrabbit) said affected not just Mac OS X but also Windows 7 and 8. Now, clicking the play button in Homakov's proof of concept attack -- slightly not safe for work -- instead of executing outright, first trips an alert in Chrome, asking if access should be granted to the webcam.

When weighing webcam security risks, note that a number of information security professionals cover up. For example, a photograph of Martin Muench, managing director of Gamma International and head of its FinFisher product portfolio, shows a piece of tape -- or perhaps cut-down Post-It note -- over his MacBook Pro laptop's webcam lens. That's notable because his company sells FinSpy software -- and related command-and-control networks -- to governments that want to spy on political activists. Based on teardowns of the software, it can surreptitiously intercept voice, video and other data from a variety of devices, including Android smartphones, iOS (iPhone, iPad) and BlackBerry devices.

On the other side of the sinister surveillance spectrum, cryptographer Whitfield Diffie also tapes over the camera on his MacBook. But my webcam cover-up chic award goes to Mikko Hypponen, chief research officer at F-Secure, who blocks his webcam with a band-aid. Give his solution extra points, because it won't leave gunk on the webcam lens for when you do need to hold a videoconference.

Software exists to alert users when their webcams have been activated, but Hypponen prefers a low-tech approach. "I trust the tape more than I trust any program," he told ZDNet at an Australian security conference. "I figure if there's a piece of tape over it, it isn't taking pictures of things."

As with so many technological innovations, webcams -- while enabling revolutionary services such as Skype -- carry information security and cybercrime risks. Best invest in some tape.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7437
Published: 2015-03-29
Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

CVE-2013-7438
Published: 2015-03-29
Multiple buffer overflows in pbm212030 allow remote attackers to cause a denial of service (crash) or possible execute arbitrary code via a crafted PBM image, related to (1) stream line data, which triggers a heap-based buffer overflow, or (2) vectors related to an "internal intermediate heap-based ...

CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.