Posted by Josh Townsend on July 3, 2017.

America Exposed: Who’s Watching You Through Your Computer’s Camera? is a recent paper on webcam security by James Scott for the Institute for Critical Infrastructure Technology. It sets out to expose and analyse the vulnerabilities of webcams and similar connected devices, and the risks posed to consumer and business users, as well as the alarmingly low barrier for hackers and malicious agents to take advantage of these devices.

It’s important to bear in mind that the paper is clearly angled towards those either in or in close contact with the field of information security, and makes its arguments accordingly. “China requires that all companies that operate within its borders be subject to a high-ranking on-site government liaison…[who] could direct the manufacturer to knowingly include malware or exploitable vulnerabilities within the firmware or preinstalled software of the device”. This does raise an important issue; however, it is not necessarily evidence for Chinese government-mandated security vulnerabilities. Believable as it may be, from a skeptical perspective, the potential for something to be true does not indicate that it is true. From a security perspective however, it is vital that every possible vulnerability be treated as an actual vulnerability. Kevin Townsend reported on serious vulnerabilities found in Chinese-manufactured IP cameras; whether or not this is indicative of any intent behind the security holes, it does confirm that this is a security issue to be taken seriously.

While webcam vulnerabilities are the main subject, many of the associated vulnerabilities also apply to other IoT (Internet of Things) devices, especially those which include camera functionality, like Microsoft’s Kinect, smart TVs, mobile devices and so on; and the paper does well to raise awareness of this alongside the exploitability of PC webcam devices. The very real potential for harm and the alarming accessibility of the required tools are explored, but the danger is more than theoretical. Many thousands of IP cameras have already been compromised for use in botnets thanks to zero-day vulnerabilities, as examined by Eduard Kovacs and Ionut Arghire.

Quite apart from the risk from malicious individuals aiming to steal data, many people have long been significantly concerned about their own privacy being invaded by the so-called “snooping agencies” of their own governments. Whether justified or not, the paper barely alludes to the issue, saying only that GCHQ “evaluated the [Microsoft Kinect] for its ‘potential and capabilities’”. The citation for this fact is a Guardian article reporting on GCHQ’s large-scale interception of private webcam images from non-surveillance targets, with NSA assistance.

The paper does, however, highlight an important issue: even if government agencies have the resources to breach webcam privacy, webcam devices are so vulnerable that virtually any private individual with a computer and basic search engine skills can make a virtually undetectable, targeted attack on a user. It’s an important aspect of the general vulnerability of which many individual and business users are unlikely to be as aware. There’s also a troublesome implied argument here: government agencies may have covertly taken information from citizens, but many people without any sophisticated tools or resources can do this too, which somehow negates any wrongdoing on the government’s part. Directly quoting the ICIT paper: “The WikiLeaks ‘Vault 7’ release of supposedly CIA tools stirred outrage and incited mass paranoia about the U.S. government’s ability to covertly collect information from smart devices. In reality, the capabilities of the featured malware are not uncommon or necessarily sophisticated.”

There is another side to this issue that the paper leaves similarly untouched: how much of an issue does this level of vulnerability pose to the government itself? If webcams and similar IoT devices are so vulnerable, with virtually no way to mitigate their vulnerability, and the tools to exploit the vulnerability are so widespread, what are the risks of those in positions of power being compromised? The potential harm from this issue is briefly alluded to at the start of the paper, but given the apparent pitch towards corporate executives, people whose data is valuable enough to be at risk and those with a high level of security awareness, a deeper exploration of these risks would not be out of place.

While the paper offers what it can, it also clearly explains why there is not a great deal that can be done to protect yourself or your organisation from webcam attacks. The usual precautions against phishing, social engineering and trojan attacks will go a long way, but there are as yet no elegant solutions – putting stickers or tape over the webcam is the endorsed method of protection from ex-FBI director James Comey.

Although in some areas the information in this paper feels incomplete, and some minor arguments are made a little shakily, it does clearly lay out what vulnerabilities an organisation or individual faces from webcam devices, as well as what little can be done to protect against them and, most especially, why this issue needs to be taken more seriously than it already is. With one or two relevant sides of the issue a little under-explored, this is nonetheless for the most part a well-researched, cogent and succinct examination of webcam security, the risks these devices pose to personal data and the ease with which they can be compromised.