A FEW YEARS AGO a security expert, enraged at discovering that his PC had been hacked, managed to trace the intruder’s computer and take remote control of it. He was astonished to find himself staring at the face of the culprit, courtesy of the machine’s webcam.
The case of the hacked hacker was an early example of how webcams can expose a home or office to the world. They have since proliferated at least as quickly as Britain’s public surveillance cameras, yet while two major reports in three years have warned that those present a serious threat to privacy and freedom - A Report on the Surveillance Society and Surveillance: Citizens and the State - the insidious perils of private webcams have received little attention.
Security firm Sophos tells the story of a Cyprus man who infected a 17-year-old girl’s PC with Trojan spyware that gave him access to her webcam. He was caught only after she contacted police when he tried to use his pictures to blackmail her into posing naked.
Another man in Spain spied on his victim for more than three years after discovering in a random sweep that her webcam-equipped PC was infected by a similar Trojan. She discovered what was happening only when he accidentally sent her some pictures he had taken of her.
Graham Cluley, senior technology consultant at Sophos, points out, "Most spyware is designed to steal your identity, your passwords, your banking information - but it is just as easy to program a Trojan horse to take over your webcam."
In fact software providing remote access to webcams is freely available on the web, ostensibly for legitimate uses such as checking up on the home, the office, or the kids. One vendor boasts of a “stealth mode” rendering the software invisible to the person being spied on and promotes it as a way of checking up on cheating partners – with salacious pictures making clear the possibilities for voyeurs.
Such software, unlike a Trojan infection, needs to be installed manually on the target computer, but this does mean it cannot be misused. A US student was arrested for spying on a young woman using remote-access software he installed when she asked him to fix her computer. He was caught only because she noticed a drop in her machine’s performance.
Commonly used software also can provide remote access to any webcam installed in or connected to your computer.
You probably don't know this, but Adobe's Flash Player browser plug-in, which many people install to view Flash video clips and adverts on the web, has a Settings Manager that has two settings that control whether websites you access, and potentially other Internet users, can turn on your webcam and microphone remotely - with or without asking your permission.
In addition, the Internet VoIP and chat application Skype also has some settings that can control whether and how a webcam in or connected to your computer is enabled when using it.
These are but two examples of popular, widely distributed applications that can turn on webcams. There are many other software applications that can control and use webcams.
The threat is taking a different form with the latest WiFi cameras, such as the £149 Y-Cam Knight, which are directly accessible over the web and do not need to be attached to a PC, except perhaps for configuration. Their big advantage is that they do not require a network or USB cable and so are more easily installed in awkward locations. Even a mains link can be dispensed with, if you are prepared to make frequent battery changes.
The Y-Cam Knight has much to commend it. The size of just a couple of cigarette packets, it can easily be switched between locations to double as a baby monitor and security camera, complete with sound. Infrared sensors even allow it to ‘see’ at night, and it has the usual surveillance features such as email intruder alerts triggered by movement sensors.
A networked video baby monitor seems like a good idea but in practice it can be very intrusive because it exposes what might well be the mother’s bedroom to any web browser in the house, or within range of its WiFi signal, and potentially even to anyone on the Internet. It is like having a window in the room, with no way of knowing if someone can see in or not.
Access to the Y-Cam Knight is password protected but there is no obvious way to change the default administrator ID, which could even be known to a hacker, making the password more vulnerable to brute force attack. Even password guessing might not be necessary because, if experience with broadband modems and WiFi routers is anything to go by, many people will not bother to change the default password. To be fair, the Y-cam setup routine does explicitly warn users about this, however.
But perhaps the greatest danger from products like the Y-Cam Knight stems from their very convenience and ease of use. They are dead easy to install and hide for industrial espionage, covert or overt monitoring of staff, or voyeurism, and with WiFi there are no telltale wires pointing to the perpetrator.
Suspiciously enough, few cyber-voyeur prosecutions go to court, and those that do have tended to involve people who did something foolish to draw attention to themselves.
Criminal convictions for what the Home Office categorises as “miscellaneous sex offences”, including voyeurism, average around 10,000 per year in Britain, which certainly must represent only a small proportion of actual offences. There is no indication of how many involve Peeping Toms, but even if those represent only a small proportion of cases, it's possible that there are thousands of voyeurs in Britain. Surely some of these are computer literate enough to hack into a webcam or set up a covert one.
All of which argues that there might be cyber-voyeurism going on undetected, and that we should be careful about how and where we use webcams. A good rule might be, “Never do in front of a webcam what you would not do out in public.”
A better rule might be to cover any webcam you happpen to have on your computer or around your house with a small piece of tape when you're not actually using it. µ
It's time for our regular two-step through the Google news
Bug bounty offer: accepted