You just purchased some new monitors with built-in webcams and speakers or you added external webcams. Now your employees can easily make video conference calls and speak to each other face to face, even when they’re off-site. You may think you’ve provided a great improvement in productivity, but you may unintentionally have put your company’s intellectual property at risk.
Here’s how it works. A hacker sends a Trojan horse to your company via phishing, spear phishing, or whaling – attacking the corporate officers of the company. Once the Trojan horse is installed on the host computer, the attacker can take over the camera and microphone without a user’s knowledge. This is called camfecting.
“In the field of computer security, camfecting is the fraudulent process of attempting to hack into a person’s webcam and activate it without the webcam owner’s permission. The remotely activated webcam can be used to watch anything within the webcam’s field of vision, sometimes the webcam owner itself. Camfecting is most often carried out by infecting the victim’s computer with a virus that can provide the hacker access to the victim’s webcam. This attack is specifically targeted at the victim’s webcam, and hence the name camfecting, a portmanteau of the words cam and infecting.” (1)
To warn users when the camera is in use, LEDs have been added to cameras. However, new Trojans have been created to keep those warning lights turned off.
The attack can be executed using both the USB-type webcams and IP webcams. Recently, a story was reported in the news about a father who found the IP baby monitor activated in his child’s room. The camera moved from side-to-side watching the child sleep. The father also heard a voice coming from the speakers of the camera trying to speak to the child. Fortunately, the child did not hear it. More than likely, the camera and router were set up using the default security settings.
Here’s a hypothetical business scenario. Your company is about to launch the next great industry-disrupting product. An attacker has gained access to an important employee’s computer with a webcam and microphone. The attacker can hear and see, or just hear, everything going on in the room where the computer is located. What are the implications of someone gaining access to your corporate data on the eve of a new product launch, or worse, while the product is in development?
According to Wikipedia, “Recently, webcam privacy software has been introduced by companies such as Stop Being Watched or Webcamlock. The software exposes access to a webcam and prompts the user to allow or deny access by showing what program is trying to access the webcam. [This allows] the user to accept a trusted program [he or she] recognizes or [he/she terminates] the attempt immediately. Other companies on the market manufacture and sell sliding lens covers that allow users to retrofit the computer and close access to the camera lens.” (2)
So what can you do? Your first line of defense: never use the default security settings on anything that requires or uses Internet access. Another inexpensive way of protecting yourself is to disable the camera and microphone. If they are built-in, open Device Manager and disable the microphone under Audio inputs and outputs by right-clicking it and choosing Disable. You can disable the camera the same way: locate it under Imaging devices in Device Manager, right-click it, and choose Disable. If you have a USB webcam, leave it unplugged until needed, then unplug it again immediately after use.
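For more than a handful of machines, the same Device Manager steps can be scripted. The PowerShell below is an added example, not part of the original post; the function names are hypothetical, and it assumes a Windows build with the PnpDevice cmdlets and an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of right-click > Disable in Device Manager
# for webcams and microphones. Function names are hypothetical.

function Get-CaptureDevice {
    # Webcams appear under the 'Camera' class on current Windows builds and
    # under 'Image' (Imaging devices) on older ones. 'Image' can also hold
    # scanners, so review the -WhatIf output before disabling anything.
    $cameras = Get-PnpDevice -Class 'Camera','Image' -PresentOnly -ErrorAction SilentlyContinue

    # Assumption: capture (microphone) endpoints carry {0.0.1.00000000} in
    # their instance ID, while render (speaker) endpoints use {0.0.0.00000000}.
    # Matching on the ID avoids relying on localized friendly names.
    $mics = Get-PnpDevice -Class 'AudioEndpoint' -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like '*{0.0.1.00000000}*' }

    @($cameras) + @($mics) | Where-Object { $_ }
}

function Set-CaptureDeviceState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Pass -Enable before a scheduled call to turn the devices back on.
        [switch]$Enable
    )

    $action = if ($Enable) { 'Enable' } else { 'Disable' }
    foreach ($dev in Get-CaptureDevice) {
        if ($PSCmdlet.ShouldProcess($dev.FriendlyName, $action)) {
            if ($Enable) {
                Enable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
            } else {
                Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
            }
        }
    }

    # Report the resulting state so it can be logged or audited.
    Get-CaptureDevice | Select-Object Class, FriendlyName, Status
}

# Dry run: lists what would be disabled without changing anything.
Set-CaptureDeviceState -WhatIf
```

Run `Set-CaptureDeviceState` without `-WhatIf` to apply the change, and `Set-CaptureDeviceState -Enable` to restore the devices before a scheduled video call.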
Webcams are a great way to provide interaction with other team members that cannot happen with an impersonal phone call. Thanks to Skype, it has become convenient for everyone to speak face to face – it’s not just a tool for big companies anymore.
While convenience means easy to use, it can also mean easy to exploit. So when dealing with webcams and microphones, be cautious.
Sources for this post:
(1) CNET: Virus Alert: Spies Prize Webcams’ Eyes
(2) Wikipedia: Webcam
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.