Tuesday, May 27, 2014

Your Computer and Phone Cameras Are On -- Beware!

Co-authored by Dr. Stephen Bryen, CTO Ziklag Systems

Spying through smartphone cameras, computer webcams, laptops and tablets is widespread and governments have been checking people out for years.
Between 2008 and 2012, GCHQ, Britain's NSA, ran a program called Optic Nerve that scanned live webcam chats on Yahoo (and probably other chat services). Many of the images obtained were very personal ones and could be used to either embarrass or blackmail users. Reports in the UK say that NSA engineers helped GCHQ develop the Optic Nerve program. Many have either claimed or speculated that one way the NSA and other U.S. spy agencies got around the prohibition of spying on Americans was to let a third party do it for them. According to the New York Times, the Australian Signals Directorate tapped a U.S. law firm representing Indonesian interests and offered their intercepts to the NSA. This sort of special intelligence cooperation is a regular occurrence under the "Five Eyes" program. The cooperating countries are the U.S., U.K., Australia, New Zealand and Canada.

News reports, based on the leaks of NSA information by Edward Snowden, say that GCHQ stored millions of images gleaned from its webcam surveillance. These images can be retrieved in various ways, including the use of advanced face recognition systems, so seemingly unrelated video chats from different computers, with different names or web addresses, can be linked together. Obviously, when used correctly and legally, this is an important counter-terrorism tool. But when it is used as a political tool to harass or blackmail people, the consequences are different and corrosive. A problem the U.S. government still has, new legislation notwithstanding, is how to assure the proper handling of extremely personal information that is completely unrelated to any counter-terrorism or criminal activity.

But the NSA and GCHQ aren't the only entities spying on webcams. Marcus Thomas, a former assistant director of the FBI's Operational Technology Division in Quantico, Virginia, tells the Washington Post that the FBI could spy on anyone's webcam without turning on the camera's indicator light. While not all webcams have indicator lights, and many laptops do not have them at all, the indicator light is a nice security feature that tells you when the camera is active. Webcam spying is part of a suite of so-called Remote Access Tools or RATS. Thomas told the Post that the FBI has had these tools for years but uses "Rattingly" (the webcam spying tool) sparingly.

Szymon Sidor is a Polish-born software engineering genius currently working for Dropbox as an intern. Before that, he served two internships with Google working on Google Chrome and Google Analytics. He is working on his PhD at MIT and writes a blog called Snacks for Your Mind. Sidor's latest "snack" is a demonstration of how the cameras on your Android smartphone can be turned on without your knowing it, and sequential photos sent to a third party over the Internet. Along with the photos, data on your location is displayed in the intercept so you can be easily tracked. All this happens without any awareness by the phone user -- whether the screen is turned off or on does not matter. Szymon has gotten around the Android requirement to display a photo preview on the screen by reducing the preview to only one pixel, which you won't notice even when your screen is on. On top of this, his solution gets around Android's notification that an app is running, so you cannot even check to see if this brilliant piece of software "mal-engineering" is running.

Camera spying is so widespread that it's happening in schools. Just this year, Lower Merion Township in suburban Philadelphia settled a lawsuit brought by two students, paying them $610,000 in compensation. The crime? The school provided 2,300 MacBooks to its students and installed spy software on them that snapped pictures of the students. Photos of the students included snaps of them at home, in bed, sometimes partially clothed. In one case the school claimed a student was popping pills: in fact he was eating candy.

"Sextortion," the secret control of webcams or smartphone cameras to run extortion rackets against people, is also a growing problem. A major case gained notoriety in California, where the now-20-year-old Jared Abrahams "illegally hacked into the laptops of several young women in the U.S. and abroad, then took control of their webcams in order to film and photograph them while they undressed."
According to the FBI, the scam included webcam pictures of Miss Teen USA Cassidy Wolf, who was a classmate of Abrahams. Abrahams "threatened to post the images to the victim's social media accounts unless the women provided additional nude photos/videos or obeyed his commands during a five-minute Skype session."

Abrahams was convicted, receiving an 18-month jail sentence. In another case, a Glendale, California, man was sentenced to five years in federal prison Monday after pleading guilty in a sextortion case that targeted hundreds of women. Interpol announced the arrest of 58 persons in the Philippines for sextortion, including one case where a 17-year-old victim committed suicide in July last year following blackmailing by the group.

In fact, "the scale of these sextortion networks is massive, and run with just one goal in mind: to make money regardless of the terrible emotional damage they inflict on their victims," says Sanjay Virmani, director of the Interpol Digital Crime Center.

Webcams and phone cams are also an important source for corporate spying. This works in two ways: companies and organizations spying on their own employees, and competitors and thieves spying on corporations. By being able to activate either a webcam or microphone on a PC, laptop or smartphone, intruders can listen in on sensitive meetings and conversations and even know where the meetings are held, who attended, and everything about what was discussed.

There are plenty of vendors selling spy software, some designed for "professional" business use and marketed as a way to track employees, such as a product for employee monitoring made by InterGuard. Such spying falls into a gray legal area, but once it goes onto a mobile device, it clearly intrudes on privacy outside of the work space. Even so, this is an unsettled area in U.S. law. It is of course illegal to record a conversation without obtaining permission of the person or persons being recorded, but keep in mind even web conferencing software allows for proceedings to be recorded and no permission is asked. These days, there are hundreds of spying products to choose from, and the best of them facilitate surreptitious webcam and mobile cam spying.

Corporate spying also facilitates insider trading, where the "insider" gains privileged access to your webcam, mobile camera or microphone. The extent of stock exchange manipulation and trading of sensitive investment and competitive information from computer and smartphone spying is unknown.

Part of the problem stems from the fact that it is legal to sell spy software. It's just illegal to use it without permission outside the workplace, unless it is used by parents to spy on their minor children. Even this "permission" is fraught with difficulty, since other kids who are not related to the parents may well be monitored.

This epidemic of webcam and smartphone camera monitoring and spying affects everyone. Yet our laws have a long way to go to catch up to the reality of this powerful attack on personal privacy.

So what can you do? One "solution" is to cover up the webcam on your PC or laptop. This is a bit of a Band-Aid approach, as it stops the camera but does nothing to shut down the microphone. This would also have to be done with a fair amount of regularity. But it's not easy to manage, given the number of devices people own. Tablets and smartphones often have two cameras, one in front and one on the back, and covering both is awkward and probably unrealistic.

A second option is to gain positive control over cameras and microphones so malware and intruders can't switch them on. There are only a handful of companies that offer this solution. Our company is one of them and this tool trumps Szymon Sidor's brilliant Android hack and other RAT tools that try to control your device.

We live in a post-privacy era where snoops, provocateurs and criminals are free to exert their will. No one, not even school children, teenagers, adults, corporate tycoons or government officials can escape them or live in this world undetected.
