Ten years ago I worked on a video conferencing system designed to sit in the center of a conference table. It had several cameras pointing toward the people sitting around the table. Software could take data from the cameras and microphones and focus the recording of a meeting on the person talking at that moment. When used for audio-conferencing, the product requirements called for a physical shield cover the cameras when not in operation. The engineers suggested it would be much easier to have an LED indicator. A physical shield was required, however, because users might be unnerved by a camera trained on them and may not trust the indicator.

Ten years later cameras are ubiquitous because of smartphones. A paper in the latest issue of IEEE Communications on how malicious apps could exploit phones' cameras.

The Android permission system gives users the opportunity to see what a device can access prior to installation, but many users do not understand what the permission requests stand for. They tend to pay attention access to contact lists, calling history, location, and file access. Users often see camera access as benign. There are nearly hundred apps designed for taking surreptitious pictures with the users knowledge, but there is a danger of useful apps secretly taking pictures without the user's knowledge. This is particularly dangerous because people carry phones everywhere.

Apps for taking secret pictures are not necessarily designed for spying or dishonest purposes. A spy camera app could take a picture every time someone uses the device, so the user can know if someone is using it without permission. It could be activated remotely to identify a stolen phone.

A malicious application using the camera to spy needs to avoid the various avenues of detection.

It must avoid using the CPU when a user app is using the CPU heavily, so the user does not notice the decreased performance and investigate. Similarly it can avoid using battery-intensive operations when the phone is not plugged into a charger, so the user does not notice decreased battery life.

It must turn off the phone's sound and vibration when it activates the camera and then quickly restore them to their previous levels.

It must hide the camera preview, which is difficult in Android. The app can hide the preview by putting the camera preview on a layer behind the app on top or by making the camera preview size 1x1 pixel.

It must store files in confusing file names in obscure directories.

It must avoid using excessive mobile data. One way is to wait until the user connects to a Wi-Fi hotspot to upload the files.

Researchers were able to use the camera for eye tracking to see characters typed by the user. This was surprising to me, but it turns out eye tracking software is not new.

When eye traacking is deployed while the phone is locked, the locking screen unintentionally provides a shield for the spyware, obviating the need to hide the camera screen running just beneath the lock screen.

Researchers tested this with four-digit passcodes on phones running Android 4.1, 4.2, and 4.3. The software was able to track eye movements and identify the passcode or narrow it down to a few possibilities.

I don't see a malicious app using the camera to work out the combination to unlock someone's phone. There are probably more straightforward ways to steal this information. It is a powerful illustration, however, of the unexpected information a malicious app can glean from the camera.

After reading this research, I did a quick search for stories of attackers exploiting camera phones and could not find any. I would be surprised, however, if it were not happening. I suspect governments have at least looked into the issue. Three years ago when the US Congress was working on legislation to prevent a lapse in the “Patriot Act”, two senators on the Intelligence Committee said when people find out how the government has interpreted the Patriot Act and how it is using the powers, people will be “stunned”, “angry”, and “alarmed”.[Link to source NYT article] Their position on the committee gives them access to the details, but they are not allowed to share it. The language could be politicking or grandstanding, but reading this article makes me wonder if the government is deploying, at least in special cases, software that exploits cameras and microphones to catch criminals.

This would be hard at this time to deploy on a large scale without being detected. But if the software is well designed, it could easily be used on a limited basis. This opens the potential for people working with the software to deploy it for personal gain or for simple peeping. Is it paranoid to want a physical shield over my camera like the one in the conference system ten years ago?