Threat Level: green Handler on Duty: Tom Webb

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-09-19 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Does it Matter If You Cover Your Webcam?

Published: 2016-09-19
Last Updated: 2016-09-19 15:13:44 UTC
by Johannes Ullrich (Version: 1)
9 comment(s)

During security conferences, laptops with tape covering the webcam has certainly been a common sight. But recently, covering webcams has become somewhat of a "main-stream phenomenon", after Mark Zuckerberg was sighted with a covered webcam [1], and even the FBI director suggests people covering their cameras [2]. 

Laptops are often used in private spaces, and an attacker, with access to the camera, is expected to be able to spy on the user of the laptop. Attacks like this have happened, and even indicator lights can be disabled in some of these attacks. However, the camera is not the only sensor included in modern laptops and mobile devices that can be used to "listen in." Most notably, mobile devices usually have several microphones, that are far more difficult to disable. The article about Mark Zuckerberg above shows how he also uses tape to cover up the microphone of the laptop. First of all, covering the microphone with electrical tape will not reduce the microphone's ability to detect sound by much. Secondly, most laptops use multiple microphones. Disabling all microphones is difficult, and will most likely void your warranty if you outright remove them.

The webcam in most laptops is designed for video conferencing. As a result, it points at the user's face, not at the keyboard, which would likely be more interesting. I have not seen a built in "tilt pan" camera yet. The resolution is also somewhat limited (1080p usually) and prevents the camera from seeing notes taped to a wall behind it. Access to the microphone (and of course to the keyboard via a good old fashion keystroke logger) can be a lot more useful.

Many mobile devices do use gyroscopes to detect motion. In some cases, these sensors were found to be sensitive enough to record conversations by detecting the vibration caused by sound. Microphones in close by mobile devices have also been found to be sensitive enough to record keystrokes on close by PC keyboards. 

As far as cameras go, cameras in video conferencing systems, which often include pan/tilt and zoom have been used to look in on conference rooms. These cameras are often not covered up.

So what should you do?

- Keep your camera covered. There are some little "sliding covers" that you can buy, but a piece of electrical tape will work (add some paper to the back of it right over the camera to avoid glue residue in case you use it).
- In particular for sliding covers, make sure the frame doesn't cover the LED indicator. You should be able to see if the camera is on while the cover is open
- For systems like video conferencing cameras, point them in a safe direction (wall) while not in use
- Sadly, I haven't seen laptops with physical switches for microphones. If you cover microphones, make sure you test that the cover works (maybe some foam will work) and get the schematic for your laptop to know where all the microphones are located.
- Don't forget your mobile devices! 
- and if you want real privacy: Leave the electronics in a different room and power it down.

Any other tips I missed?

[1] http://www.theverge.com/2016/6/21/11995032/mark-zuckerberg-webcam-tape-photo
[2] http://thehill.com/policy/national-security/295933-fbi-director-cover-up-your-webcam

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

Keywords:
9 comment(s)
Diary Archives