Risk
6/27/2013
10:02 AM
50%
50%

Sextortion Warning: Masking Tape Time For Webcams

"Camjacking" attacks activate your webcam and record your every move. Female images are in demand.

Furthermore, RATs aren't the only potential attack vector, with researchers having recently identified ways of remotely hijacking camera feeds by using a malicious iFrame attack to create a transparent Flash layer. This month, Russian security researcher Egor Homakov released a proof-of-concept attack -- dubbed "Click and say cheese" -- that exploited the Adobe Flash plug-in for the Chrome browser, running on OS X, that he says has been known since 2011. (His script-based attack was blockable using extensions such as NotScript and ScriptSafe.)

"This works precisely like regular clickjacking -- you click on a transparent flash object, it allows access to Camera/Audio channel. Voila, attacker sees and hears you," Homakov said in a blog post. Furthermore, with a bit of automation and distribution of malware that exploited this vulnerability, attackers could harvest thousands of webcam feeds or stills at once. "Your photo can be saved on our servers but we don't do this in the [proof of concept]," he said.

Since then, Google fixed the underlying bug in Chrome, which Russian security researcher Oleg Filippov (aka typicalrabbit) said affected not just Mac OS X but also Windows 7 and 8. Now, clicking the play button in Homakov's proof of concept attack -- slightly not safe for work -- instead of executing outright, first trips an alert in Chrome, asking if access should be granted to the webcam.

When weighing webcam security risks, note that a number of information security professionals cover up. For example, a photograph of Martin Muench, managing director of Gamma International and head of its FinFisher product portfolio, shows a piece of tape -- or perhaps cut-down Post-It note -- over his MacBook Pro laptop's webcam lens. That's notable because his company sells FinSpy software -- and related command-and-control networks -- to governments that want to spy on political activists. Based on teardowns of the software, it can surreptitiously intercept voice, video and other data from a variety of devices, including Android smartphones, iOS (iPhone, iPad) and BlackBerry devices.

On the other side of the sinister surveillance spectrum, cryptographer Whitfield Diffie also tapes over the camera on his MacBook. But my webcam cover-up chic award goes to Mikko Hypponen, chief research officer at F-Secure, who blocks his webcam with a band-aid. Give his solution extra points, because it won't leave gunk on the webcam lens for when you do need to hold a videoconference.

Software exists to alert users when their webcams have been activated, but Hypponen prefers a low-tech approach. "I trust the tape more than I trust any program," he told ZDNet at an Australian security conference. "I figure if there's a piece of tape over it, it isn't taking pictures of things."

As with so many technological innovations, webcams -- while enabling revolutionary services such as Skype -- carry information security and cybercrime risks. Best invest in some tape.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-2157
Published: 2015-03-27
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.