Does it Matter If You Cover Your Webcam?
At security conferences, laptops with tape covering the webcam have long been a common sight. But recently, covering webcams has become somewhat of a "mainstream phenomenon", after Mark Zuckerberg was sighted with a covered webcam [1], and even the FBI director suggested that people cover their cameras [2].
Laptops are often used in private spaces, and an attacker with access to the camera can be expected to be able to spy on the user of the laptop. Attacks like this have happened, and in some of them even the indicator light was disabled. However, the camera is not the only sensor in modern laptops and mobile devices that can be used to "listen in." Most notably, mobile devices usually have several microphones, which are far more difficult to disable. The article about Mark Zuckerberg above shows that he also uses tape to cover up the microphone of the laptop. First of all, covering the microphone with electrical tape will not reduce the microphone's ability to detect sound by much. Secondly, most laptops use multiple microphones. Disabling all microphones is difficult, and will most likely void your warranty if you outright remove them.
The webcam in most laptops is designed for video conferencing. As a result, it points at the user's face, not at the keyboard, which would likely be more interesting. I have not seen a built-in pan/tilt camera yet. The resolution is also somewhat limited (usually 1080p), which prevents the camera from reading notes taped to a wall behind the user. Access to the microphone (and of course to the keyboard via a good old-fashioned keystroke logger) can be a lot more useful.
Many mobile devices use gyroscopes to detect motion. In some cases, these sensors were found to be sensitive enough to record conversations by detecting the vibration caused by sound. Microphones in nearby mobile devices have also been found to be sensitive enough to record keystrokes on nearby PC keyboards.
As far as cameras go, cameras in video conferencing systems, which often include pan/tilt and zoom, have been used to look in on conference rooms. These cameras are often not covered up.
So what should you do?
- Keep your camera covered. There are little "sliding covers" that you can buy, but a piece of electrical tape will work (if you use tape, add some paper to the back of it right over the camera to avoid glue residue).
- In particular for sliding covers, make sure the frame doesn't cover the LED indicator. You should be able to see if the camera is on while the cover is open.
- For systems like video conferencing cameras, point them in a safe direction (at a wall) while not in use.
- Sadly, I haven't seen laptops with physical switches for microphones. If you cover microphones, make sure you test that the cover works (maybe some foam will work) and get the schematic for your laptop to know where all the microphones are located.
- Don't forget your mobile devices!
- And if you want real privacy: leave the electronics in a different room and power them down.
Any other tips I missed?
[1] http://www.theverge.com/2016/6/21/11995032/mark-zuckerberg-webcam-tape-photo
[2] http://thehill.com/policy/national-security/295933-fbi-director-cover-up-your-webcam
Comments
Anonymous
Sep 19th 2016
8 years ago
For example:
https://puri.sm/librem-15/
They are not supposed to be designed for Windows, but as their compatibility is likely to be very good I would expect you can use it if you must.
Anonymous
Sep 19th 2016
8 years ago
Anonymous
Sep 19th 2016
8 years ago
Microphones are probably trickier.
But, if someone managed to run a RAT on your PC, aren't files, keyboard, network stream far more sensitive than your picture?
The only scenario that I would envision where the camera would be the privileged option for an attacker is if it is an attack from a web browser (or another software running in a sandbox), particularly with something like Flash.
Of course, if what you have that's most interesting for an attacker is your face, you may want to take precautions (like closing the laptop lid if you plan to do some potentially compromising things around it). But for most of your readers, and most people attending security conferences, hard drive content will be much more important than their face.
The focus on the camera is interesting and telling because it shows that despite Scott McNealy's prediction, privacy might be dead but people don't get over it. But in terms of rational risk management, it is missing the point: we are afraid of what is visible (the electronic eye of the camera) while what is not (files, credentials ...) remains largely mismanaged.
--
Christophe Renard
Anonymous
Sep 19th 2016
8 years ago
Anonymous
Sep 20th 2016
8 years ago
In most cases your computer represents your identity. It makes no sense to me that people, whose authenticity is extremely important (such as the FBI director), apparently don't trust their computer. What do they use such a device for?
Anonymous
Sep 20th 2016
8 years ago
Anonymous
Sep 20th 2016
8 years ago
Great idea to follow it onto the SmartPhone as well.
Anonymous
Sep 21st 2016
8 years ago
"Great idea to follow it onto the SmartPhone as well."
My idea of using a jack without a wire will work here, too, ... unless you have an iPhone 7.
Anonymous
Sep 21st 2016
8 years ago