Covering your webcams

Podcast episode, August 22, 2019

Liz and Geoffrey take a look at how attackers compromise webcams and discuss why it's worth physically covering them. Malware and alleged threats of malware are only some of the avenues attackers take to access other people's webcams; vulnerabilities in legitimate software, like the recent Zoom security flaw, can also be exploited. Additionally, sharing ownership of your devices with another party like your school district or workplace may leave you and your webcams exposed. In the news, the FTC fines Facebook, weaknesses in Apple's iMessage and Visual Voicemail, and U2F support added to Firefox for Android.

Covering your webcams episode art

Timeline

  • 1:02 - Loose Leaf Security updates: we've started a blog and a newsletter!
  • 2:49 - Security news: FTC fines Facebook
  • 5:40 - Security news: Vulnerabilities in Apple's iMessage and Visual Voicemail
  • 6:22 - Security news: New iPhones for security researchers & updates to Apple's bug bounty program
  • 7:33 - Security news: Firefox for Android now supports U2F
  • 8:26 - How to cover your webcam
  • 9:55 - Why to cover your webcam
  • 10:49 - Webcam phishing attacks that prey on fear: sextortion scams
  • 15:38 - Vulnerabilities in legitimate software could expose your webcam, like with Zoom
  • 21:08 - School district spying through webcams with theft tracking software
  • 22:44 - Consequences of sharing ownership of your devices, like with a school district or your employer

Show notes & further reading

Our new newsletter!

We're starting a weekly newsletter that is going to include short summaries of interesting security news. We'll also include links to any new Loose Leaf Security content.

You can sign up for our newsletter here.

We've started a blog!

In addition to podcast episodes, we'll also be covering some security- and privacy-related topics in blog-style articles, where we can go into more detail than we could in an episode. Our first article is already up: Instagram 'Unusual Login Attempt' verification loop failures. We'll include our articles in our new newsletter, and you can also subscribe to our RSS feed for both episodes and articles in your favorite RSS reader.

Types of web camera covers

There are two basic approaches you can take: a removable sticker / tape or a purpose-built sliding cover that lets you easily open and close the cover. If you make video calls every day, you might want a sliding cover. If you use your camera only occasionally, tape might be easier.

We both currently cover our webcams with washi tape, a decorative tape based on a Japanese style of paper and generally covered with designs or patterns. It's sold in craft and stationery stores (and online, of course) and usually comes in spools about the size of regular transparent adhesive tape - usually just the right width to cover your webcam. Other low-residue, colored tapes like masking tape or gaffer tape should also work. Note that whatever tape you use will probably become less adhesive each time you remove it, so it's useful to have extra tape on hand for making a fresh webcam cover.

Sliding covers are generally mass-produced plastic items, sometimes with the ability for the slide to snap closed - if it doesn't snap closed, make sure it doesn't slide open in your bag! You can find them for a few dollars on online stores; they're also popular branded promotional items (such as this Mr. Robot one).

Whatever style you use, make sure to test that the cover actually blocks the image. The paper in washi tape tends to obscure images, but lighter patterns or inks will still let some light through. And plastics may not sufficiently obscure an image: the EFF, a digital rights non-profit, found that the NSA's promotional webcam covers were translucent enough to see shapes through (and note the replies where people do enough signal processing to reconstruct a recognizable face!). The EFF, for their part, just offers promotional stickers of the right shape.

By the way, we're not the only people who cover our webcams - former FBI director James Comey and Facebook founder Mark Zuckerberg both do, too.

"Sextortion" scams

The term "sextortion" refers to two somewhat different types of attacks: one where the attacker pressures or blackmails their victim into purposely recording compromising videos of themselves on their webcam, and one where the attacker claims to have video already by having installed malware, and more often uses that blackmail leverage to extort money instead of further videos. We focus largely on the second type here, where videos are recorded not just without the consent but also without the awareness of the victim. A webcam cover is a straightforward way to make sure you're not being recorded when you're not intending to use your camera.

There's been a recent uptick of sextortion scams of the second type recently in the form of broadly-targeted spam email. In these attacks, no such video actually exists; the attacker is sending a form email to millions of addresses and hoping that the threat scares even one person into responding. Sometimes, as with the email Liz got, they make the threat more credible with a real, breached password. However, it's still an automated, mail-merged spam campaign, relying on the fact that breaches disclose lots of passwords. Here's the one Liz received (with the breached password redacted):

I know, ••••••••, is your password. You do not know me and you're probably wondering why you're getting this mail, correct?

Let me tell you, I setup a malware on the adult video clips (sex sites) website and do you know what, you visited this web site to have fun (you know what I mean). While you were watching videos, your web browser initiated working as a RDP (Remote Desktop) that has a key logger which provided me access to your display screen and also web cam. Just after that, my software collected your complete contacts from your Messenger, social networks, as well as email.

What exactly did I do?

I created a double-screen video. First part displays the video you were viewing (you've got a fine taste haha), and 2nd part shows the recording of your webcam.

What should you do?

Well, in my opinion, $1900 is a fair price tag for our little secret. You'll make the payment by Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).

BTC Address: 1JHwenDp9A98XdjfYkHKyiE3R99Q72K9X4 (It is cAsE sensitive, so copy and paste it)

Note:

You now have one day to make the payment. (I have a specific pixel in this email message, and right now I know that you have read this email). If I don't receive the BitCoins, I will send out your video to all of your contacts including members of your family, colleagues, etc. Having said that, if I receive the payment, I will erase the video immidiately. If you need evidence, reply with "Yes!" and I will send your video recording to your 5 contacts. This is a non-negotiable offer, and thus please do not waste my personal time and yours by responding to this email message.

Of late, the emails have become lazier and have nothing to make them convincing, they just sound scary. Geoffrey has recently gotten a few of these addressed to mailing lists, but written as if they were to a single person, e.g. "I have recorded you, <mailing list name>." The EFF has several more examples of these emails, including one ("Example 7") where the spammer claims to have a "website on the darkweb" where someone hired them to throw acid in your face, and demands a payment to not do so.

However, that's not to say that these attacks are always fake. In 2011, the FBI caught a man in California actually breaking into people's laptops and watching them (Note: This article is a lengthy account of an attacker who records his victims through their web cameras, solicits sexual content from his victims, and spies on minors for extended periods of time. We're linking to this particular article despite its disturbing content because these attacks are relatively rare and even more rarely reported on, and there are no additional security-related takeaways to be gained by reading it.), using malware to break into people's computers - sometimes by first convincing a victim's trusted friend to open an infected attachment, and then sending messages pretending to be that friend. The story is quite disturbing (and the behavior, involving impersonating friends and listening on microphones, is far beyond what a webcam cover would protect against). The Brookings Institution, a US think tank, has a more detailed look at sextortion criminal cases with a particular focus on minor victims. The avenues of attack seem to vary widely, from victims known to the attacker (where the attacker might have had in-person access to their computer), to attackers finding victims on online dating / cam sites, to phishing emails pretending to need the victims' passwords. Brookings ends with several legal policy recommendations, followed by two technical ones: that laptop manufacturers build covers or other physical switches into their webcams, and that social media companies enforce the use of strong passwords and account recovery information that isn't guessable by an attacker.

Zoom vulnerability

Security researcher Jonathan Leitschuh has a post on Medium describing a serious security flaw in videoconferencing app Zoom. The writeup is pretty straightforward, but there's also good reporting from BuzzFeed News and discussion of the company's response from Verge. TechCrunch also reports that Apple used its silent malware removal tool to uninstall Zoom's web server.

Computer security firm Assetnote later wrote another post about security issues in the Zoom web server. They had started looking at Zoom as part of work for a client, and when their engineering lead and CTO were on an international flight with no wifi, they decided to dig into the Zoom desktop app. They found that the hidden web server's function for reinstalling Zoom had a feature to accept one of several domain names to download the app from, presumably because Zoom offers the same software under white-label brands, and this function did not properly check the domain name of the provided URL. They were able to trick the web server into installing their own app by passing it a URL containing the text "zoom.us" but not actually from Zoom - so people who had ever uninstalled Zoom were in fact at more risk than people who still had it installed!

School district spying on students

Wikipedia has an uncommonly detailed article about Robbins v. Lower Merion School District, the court case resulting from two high schools in Lower Merion Township, Pennsylvania installing monitoring software that took photos of students.

There are also various other stories of school systems monitoring students' private behavior: for instance, there are now a few companies that monitor students' behavior on school computers with the stated purpose of monitoring students' well-being, unlike the anti-theft rationale of Lower Merion's system. This past school year, the Evergreen, WA school district installed software to analyze all the files and uploads of students, flagging everything from an essay on Homer's Odyssey containing the word "bastard" to private photos of several nude minor students - some of which were picked up when students plugged their personal phones into district-owned computers, which automatically synced their photos. Some students have even learned to contact administrators by creating a new Google doc and typing curse words to set off the filters. In an Education Week article on the new surveillance reality, the CEO of the company behind this monitoring software was quoted saying, "Privacy went out the window in the last five years. We're a part of that. For the good of society, for protecting kids."

In the news: FTC fines Facebook

The FTC has a press release detailing the $5 billion fine and the restrictions it's imposing on Facebook, though note the dissents (linked in the sidebar) from commissioners saying the action isn't effective enough. Lea Kissner, formerly Google's privacy lead, has a brief Twitter thread covering the other highlights.

Earlier this year, Twitter user "e-sushi" called out Facebook for asking for email passwords as part of signup, which led to mainstream media coverage of how this was "beyond sketchy" and eventually to Facebook removing the feature.

In the news: iOS vulnerabilities

Natalie Silvanovich, a researcher at Google's Project Zero, has a good blog post on the "fully remote attack surface" of the iPhone. It's pretty technically dense, but it gives a good sense of just how much code on iOS is involved in processing messages from the outside, from MMS to iMessage to voicemail. She and coworker Samuel Groß recently disclosed five iMessage security bugs, all of which could be triggered without any action by the recipient, and they have a demo of exploiting one of them.

Earlier this year she found a quite surprising attack against Visual Voicemail: not only can a malicious Visual Voicemail server exploit a bug in the phone app, and not only is the phone app unsandboxed (such that such a server could then attempt to attack all of iOS quite easily), an outside attacker can convince an iPhone to contact a new Visual Voicemail server!

Because of the difficulty of researching these sorts of attacks, Apple has recently announced a program to distribute special iPhones to new security researchers, which gives them root access to the phone so they can easily investigate how applications behave without requiring them to first figure out how to convince an application to talk to their server. For a few years, researchers been acquiring so-called "dev-fused" iPhones with security disabled - while these are only intended for Apple's internal use, a few have escaped Apple or its supplier Foxconn and made their way to the grey market, and even white-hat researchers have found them valuable. Apple is now formally acknowledging that officially letting third-party researchers have this access would be good for the platform's security.

In the news: Firefox for Android now supports U2F

If you're a Firefox for Android user, you should now be able to use your security key over USB (with the right adapter), Bluetooth, or NFC on your phone, or possibly enroll your phone's own biometric sensor as a second-factor device. Check out Mozilla's official blog post for the details. (And if you're not sure why you'd want to use a security key or what the advantage of WebAuthn is, see our two-factor authentication reference page.)

Transcript

Liz Denys (LD): Hey, Geoffrey, I finally picked up more washi tape. It has 8-bit hearts all over it.

Geoffrey Thomas (GT): Ooh, that sounds neat, Liz. Can I have some to put over my webcam? My last piece hasn't been sticking quite as well after I temporarily removed it when we video chatted to plan this episode.

LD: Sure! And for all of our listeners who might be wondering why we put washi tape over our webcams, this is the episode of Loose Leaf Security for you!

GT: We'll cover how to cover your webcam -

LD: [groan]

GT: - and discuss how both malware and better-intended software could turn your webcam on unexpectedly.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

LD: Before we talk security news, we have a couple Loose Leaf Security updates! First, we're starting a weekly newsletter that is going to include short summaries of interesting security news. Information about any new episodes or any other new Loose Leaf Security content will also be included.

GT: We'll still going to include this security news segment in the podcast, but we'll be able to better highlight more stories by adding the newsletter format, too. Sometimes, we run across deeply thought-provoking stories where the only practical takeaways are practically a footnote in their narratives, and we've found ourselves skipping them and finding another way to work that content into later episodes because discussing those types of stories doesn't work so well over a podcast, where our listeners aren't guaranteed to have the article in front of them.

LD: The new newsletter summaries are also a better fit for linking to video content and for expanding on older, but still relevant stories. You can sign up for this newsletter at https://looseleafsecurity.com/newsletter.

GT: Which actually brings us to our second Loose Leaf Security announcement: in addition to podcast episodes, we'll also be covering some security- and privacy-related topics in blog-style articles, where we can go into more detail than we could in an episode.

LD: Our first article is already live! It's about some authentication issues I ran into with Instagram earlier this month- I got stuck in an 'Unusual Login Attempt' verification loop that didn't actually work.. We talk about what to do if you, too, get temporarily locked out of your Instagram account because of that loop, and we also talk more generally about what that incident means for all social media users.

GT: Another nice thing about blog-style articles is that we can target multiple audiences, and so we've also included some suggestions for web developers working on this type of verification.

LD: We'll include articles we write in our new weekly newsletter, or if you read blogs in an RSS reader, you can subscribe to Loose Leaf Security's feed. And as a reminder, you can sign up for our new weekly newsletter at looseleafsecurity.com/newsletter.

GT: First off in news from the outside world, a quick update on a Facebook story we've covered a few times. Earlier this year, in our episode "Using a password manager effectively," we discussed how if you gave a phone number to Facebook to send two-factor authentication text messages to, they were linking it with profiles, and a few months before that, in "Physical attacks to your computers and disk encryption," we talked about how they had started using that phone number for marketing purposes - and if you replied to the text messages they sent you, they'd even post that to your Facebook page.

LD: The FTC recently announced a five billion dollar fine against Facebook for privacy violations, and they also require various privacy changes. One of them is that they can't use phone numbers they received for two-factor authentication or another security purpose for advertising.

GT: It doesn't seem like it prevents them from adding it to your profile or letting people search for it, but it does prevent marketers from targeting you based on that phone number, which was one of the controversies in the past.

LD: The order also prevents Facebook from asking for your email password when you sign up for an account.

GT: Facebook got a lot of heat for that earlier this year - when you signed up for an account, they would prompt you for your email password so they could go check for the verification email on their own. I guess it made it a little bit faster?

LD: But it comes at the cost of Facebook potentially having access to all of your emails and your contacts - they say they're not storing it, but given their history with privacy, that's not something I'm excited to trust them on.

GT: They did stop doing that on their own after the outcry, so it's not clear the FTC's order will accomplish much.

LD: Also, Facebook still tries to access your email to quote "reset your password immediately" if you use one of the providers they can connect to over the OAuth protocol, namely Gmail, Hotmail and Yahoo, and while this doesn't give Facebook your email password, it still gives Facebook much more access than they need. Since Facebook only needs to access some information from a single, specific email and you can do that verification manually in under a minute, granting them access to all your email is an unnecessary risk.

GT: I wouldn't be surprised if Facebook is asking for this kind of access because many users are comfortable giving third-party access to other services in other contexts, like giving budgeting software access to their bank transactions.

LD: Well, while the protocol setup is similar, there is a big difference with giving Facebook access to all your emails and giving your budgeting software access to your bank transactions: at its core, you do want your budgeting software to see all of those transactions, but you don't really want Facebook to see all of your emails - just maybe that one to verify it's you.

GT: Right, it's really important to think about the scope of what specific thing you're trying to accomplish and compare that with the scope of access you're giving when linking accounts like this. If the scope of access is larger than necessary, that's a red flag.

LD: Also, if a service is offering to replace something that isn't actually inconvenient in the first place with a purportedly more convenient alternative, you should be skeptical of why they're offering to do this. In this case, you're probably already logged into your email somewhere, so it's not likely that it's actually even faster for you to connect it to Facebook than to just recover your account by clicking the link in that email yourself.

GT: Google's security research division, Project Zero, recently disclosed several security bugs in Apple's iMessage. These can do everything from crashing your iPhone's home screen to actually sending files back to whoever's texting you and could be triggered just by people sending you messages.

LD: They've been fixed in the latest iOS updates, so if you haven't updated your phone, it's a really, really good idea to do that as soon as possible.

GT: One of the researchers, Natalie Silvanovich, had previously discovered a pretty nasty attack against the Visual Voicemail feature, which did get disclosed via Project Zero's policies before Apple managed to put out an update for it. She's been taking a broad look at the fully remote attack surface of the iPhone and iPad, and has a good post about it in Project Zero's blog, which we'll link to in the show notes.

LD: One neat thing that Apple announced recently is that they're distributing special iPhones to security researchers that give them easy access to all the components of iOS, so that researchers don't have to first find a good way to reverse-engineer their way onto the system's internals just to see what's there at the next level. Historically, Apple has been very good at security design, but because they're closed-source unlike Android, it's a lot harder to say, "let me see what sorts of messages the texting app is going to crash on."

GT: Ironically, it might be Apple's good security design that has led to this problem - it's hard to find a jailbreak or similar exploit for new versions of iOS, so you can't immediately say, "let me apply my regular reverse-engineering tools to the new versions of these built-in apps." I think that's been a good decision on the whole, and iOS has had a pretty good security track record over the years, but these recent vulnerabilities genuinely aren't great.

LD: Apple also announced some great changes to their bug bounty, the amount they pay researchers who find vulnerabilities in their software and disclose it to Apple. Bounties are intended to both incentivize research and compete with the black market for software vulnerabilities. The new bounty goes up to a million dollars for finding an automated attack that gains persistent control of an iPhone even after it's rebooted, and the bounty program now covers macOS as well, which was notably missing before.

GT: A quick update for Android users: the Firefox mobile app now supports the U2F standard for second-factor authentication. We've mentioned several times how U2F is the strongest form of two-factor authentication generally available for websites - our episode "Two-factor authentication and account recovery" covers why in more detail.

LD: Not only is it the strongest form of two-factor, in a sense it's the easiest - you just tap a button instead of copying a code from somewhere. Firefox for Android supports not just physical U2F devices you can connect over USB, Bluetooth, or NFC, it also supports the fingerprint scanners on several newer Android devices. They've got a blog post with the details, which we'll link in the show notes.

GT: We'll get to today's main segment after a quick break.

Interlude music plays.

LD: Today, we're talking about why you should cover your web cameras when you aren't actively using them. Before we get into why, including you specific incidents where webcams unexpectedly exposed their owners, we're going to talk about how to cover your webcam. There's a bunch of fancy plastic web camera cover slides, but you can also just put colored, removable tape over it, like painters' tape or masking tape. I'm personally a fan of washi tape, a decorative, paper-based tape you can find at craft and stationery stores.

GT: Note that if you choose to use washi tape, an attacker who gets access to your webcam will probably be able to see if it's light or dark near you - washi tape isn't fully opaque, but it generally obscures what's happening.

LD: Yeah, I have a bunch of different washi tapes that I use to seal letters I send to friends and family, and some designs obscure my webcam better than others. Sometimes, I'll put two layers on it to make it more opaque. Whenever I want to use a different washi tape over my webcam, I make sure to test how much it covers my camera before relying on it.

GT: And if you're getting one of those plastic webcam cover slides, make sure it stays in place over your webcam after you put it in your bag and move it around - it doesn't do much good if it's regularly sliding out of place.

LD: Yeah, I've considered switching to something like that because washi tape eventually wears out, but between the possibility of it sliding and how it just doesn't look as obviously different when it is and isn't covered, I've stuck with washi tape. Old habits die hard, I guess.

GT: If you want to use a cover slide, just make sure it's designed so it stays in the covered position when you're not using your device.

LD: If possible, also get in the habit of checking that your webcam is actually covered when you expect it to be.

GT: So why should you bother covering your webcams, be it with tape or a plastic slide cover? If you're diligent about closing programs that access your camera when you're done, shouldn't your software and your operating system's architecture keep it off when it's supposed to be off?

LD: In an ideal world, yes, but if you catch malware or if a piece of software you use gets a bug, access to your webcam could be exposed to attackers. We talk about how you can do what you can to avoid malware and download software you need from trusted sources in our episode "Malware, antivirus, and safe downloads."

GT: But if you do, unfortunately, get malware or have buggy software that exposes your webcam, having it covered keeps your physical surroundings private. It's a solid, independent line of defense to keep wherever you keep your devices private.

LD: Also, unlike with software, it's really, really clear when your webcam is physically covered - you can just check that the colored tape hasn't moved or that your slide cover is covering the lens.

GT: Yeah, a physical cover is really easy to verify, which makes me feel a lot more comfortable that no one's covertly taping me.

LD: Which actually brings us to the first way attackers try to extort people who don't tape their webcams - a confidence scam where the attacker sends a blackmail email asking for money in exchange for deleting videos they claim to have from your webcam. Often, they claim to have videos of you watching sexually explicit content, and that's why these are often called "sextortion" scams.

GT: Wait, isn't this basically the plot of an episode of Black Mirror?

LD: That Black Mirror episode is honestly a lot more disturbing and extreme and specific than these scams, which isn't surprising as it is a generally dystopian show, though it does pretty accurately describe a way to actually carry out this type of attack. The main character in that episode, Kenny, downloads an anti-malware tool that's actually malware, that malware records him through his webcam, and the attacker who wrote that malware blackmails Kenny into doing some very extreme things. Fortunately, most sextortion scams aren't as specific or extreme as that Black Mirror episode - which makes sense because that fictional attacker had to spend a lot of targeted time going through the footage that they recorded of Kenny to find something to blackmail him over and then take even more specific time exploiting only him.

GT: Right, typically, it's not someone who actually has a video of you doing anything at all. It's usually just spammers emailing a ton of people in a non-targeted way, because they don't need everyone to fall for the scam and send them money, just enough people to make it worth their while.

LD: It takes a lot less time and energy to programmatically send a lot of people hollow threats meant to stir up fear.

GT: Wait, Liz, you actually got one of these emails last year, right?

LD: I did, Geoffrey! I was actually pretty amused because I definitely had washi tape covering my webcams then, and besides, I don't even watch sexually explicit videos - they're just not my thing. The particular sextortion scam email I got was actually bit more clever than the average one. Typically, the attacker writes just enough details about how this type of attack could work to worry the recipient, but notably leaves specifics out - they don't mention exactly where the victim downloaded the malware or which adult sites they were visiting while the attacker was recording them because the email sender doesn't actually have any videos of the victim. In the email I got last year, however, the attacker actually did include a little bit of personal information - it said "I know this is your password" about one of my former passwords. It turns out that I no longer used my password anywhere at the time because I knew it had been in a breach. And because I knew it was in a breach, I knew that's where they got this instead of a keylogger they claimed to have placed on my machine.

GT: Oh, that is clever - not everyone updates their passwords after a breach or necessarily even knows they're in a breach, so for some of the recipients, the inclusion of that password would give the sender of the scam a lot of additional credibility.

LD: Yeah, and that's one of the many reasons it's worth keeping on top of which of passwords of yours have been in breaches. One resource for keeping on top of breaches is the website haveibeenpwned.com, which tracks breaches of passwords and other personal information that's been compromised. As we mentioned in our very first episode, "Securing your online account passwords," you can even sign up for future breach alerts from Have I Been Pwned, so you get an email every time your emails address is seen in another known breach.

GT: Your password manager may also have a section where it compares the passwords you've stored against known breaches - as we discussed in our episode "Using a password manager effectively," 1Password will show which of your passwords are in known breaches in the Watchtower section, and LastPass does this as part of their security challenge.

LD: Another tactic used in these sextortion emails is creating a sense of urgency so that the recipient doesn't feel like they have the time to think clearly as to whether or not it's actually likely that their computer has malware and that that malware has enabled the attacker to record them. The particular email I got said that I only had one day to pay them before they started sending copies of the purported video of me to contacts they claimed to have grafted via a keylogger.

GT: It is possible for an attacker to grab your contacts by credentials stolen from a keylogger, and it is also actually possible that an attacker knows whether or not you've opened their email without action on your part - an attacker can tell that you've seen the email by including a tracking pixel image. Tracking pixels are images that are small, often just a single pixel large, located at specific web address that's unique to the email sent to you. Since most email clients automatically load all images in an email when you view that email, most email clients will request the tracking pixel image from the website that hosts it, and that host can record that it's been requested. Since the tracking pixel is located at a unique web address for just the email sent to you that someone probably wouldn't otherwise stumble upon, they would know that you opened the email when their web host says someone requested it.

LD: The scammer who emailed me did mention a tracking pixel, but ironically, they didn't actually include any images in my email. By the way, tracking pixels aren't only used by attackers - they're widely used in marketing emails because companies like to know which subject lines and contents are most effective with their target audience, and an email app called Superhuman used to put them in every single email its users sent.

GT: Anyway, I'm guessing you didn't actually send the sextortion emailer any money like they wanted?

LD: I didn't, and I hope that no one else sent them the bitcoins they requested, either. If you're curious what this email said exactly, we'll include it in our show notes.

GT: Alleged or actual malware isn't the only way your webcam might get compromised - exploitable bugs in legitimate software could also give an attacker the ability to watch you through your webcam.

LD: That's exactly what happened earlier this summer with a vulnerability in Zoom, a popular video web conferencing provider, that security researcher Jonathan Leitschuh disclosed in July.

GT: There were two issues that, when combined, caused a real problem here. The first is that, on macOS at least, when you follow a link to a Zoom call, the way that Zoom's website activates the app is that it the app has a little web server running on your machine, and Zoom's website makes a request to it.

LD: You might remember that this is the same architectural decision in one of the questionable password managers we talked about in our last episode, "Password managers: how they should work and when they didn't" - and any website you visited could access that password server.

GT: In theory, this wouldn't be so bad if it only connected you to legitimate Zoom meetings, which it does - but there's a feature that meshes badly with this. Zoom lets the meeting creator say that they want people who join to immediately have their camera turned on.

LD: I suppose this is useful for people using Zoom at work - if you're joining a daily meeting, it's a little simpler to just drop in. But this feature works for any Zoom call, whether or not you've ever interacted with the meeting organizer before.

GT: So the net effect of this is that you can just visit a website and it can activate Zoom and see you through your camera, as long as you have Zoom installed. You'll see it activate - assuming you're at your computer - but you won't have a chance to say no first.

LD: When the researcher suggested that Zoom show a prompt before turning on the camera, they said, and I quote - "Zoom believes in giving our customers the power to choose how they want to Zoom. This includes whether they want a seamless experience in joining a meeting with microphone and video automatically enabled, or if they want to manually enable these input devices after joining a meeting."

GT: Wow, I guess part of the reason it took so long to patch is they put the researcher in touch with the PR team instead of the security team. So a common practice for security reports is 90 days before public disclosure, to give companies a fair chance to fix things and protect their users, but also keep some pressure on them so they don't leave the issue unfixed for some less-ethical attacker to discover. Zoom took a while to get in touch, saying that their security engineer was out of office?

LD: They only have one security engineer? Or even if so, they don't have anyone else familiar enough with their security practices who can answer questions?

GT: Yeah, the timeline isn't great. And they ended up applying only the initial workaround that the researchers suggested, and by the time of the 90-day mark, it turned out the workaround was incomplete.

LD: So, I guess a lot of people uninstalled it in a hurry?

GT: Yes, but it turns out uninstalling it doesn't actually work. The little web server stays running, and one of the features of that server is that it can reinstall Zoom on command.

LD: Wow. So an attacker can have their website access this server, which will cause Zoom to get reinstalled and then immediately pop you into a meeting with your camera turned on.

GT: Exactly. And none of this was, precisely, a bug. They built these features on purpose - the Zoom developers wanted links to immediately open the Zoom app, they wanted the app to immediately turn on your camera, and they wanted it to be easy to reinstall Zoom if you uninstalled it. In retrospect, those were all dangerous decisions, but they were all intended features of the Zoom app.

LD: Yeah. It's one thing to say, you should keep your computer safe from malware, or you should run anti-virus, or whatever - and to be clear there are worthwhile steps to keep yourself safe, we do have a whole episode called "Malware, antivirus, and safe downloads" after all. But this is the software you intended to download. These are all features of the genuine Zoom app.

GT: So this issue actually completely changed how I thought about the purpose of webcam covers. I've had one for a while because why not, but I was mostly thinking, isn't this a last line of defense against malicious software and aren't there so many other things that malicious software could do if it somehow got access to my computer?

LD: True - if you're only worried about malware, like the one the scammer claimed was on my computer, that malware could be doing much worse things than just opening your camera, like, stealing all your private photos from any chat services that you're logged into. Or stealing money from your bank account directly - there's no reason they need you to send them bitcoins.

GT: But this isn't malware at all, and that makes it a much more realistic attack. Zoom isn't malicious or backdoored, it's real software that people genuinely want to have installed so they can videoconference with their coworkers or friends. It just had these bugs.

LD: Zoom isn't going to have functionality to steal money from your bank account. It's pretty unlikely that someone can send you a malicious Zoom link that goes and uses something built into Zoom to transfer money into their account without your knowing. Worst case, they can sign you up for a more expensive Zoom plan. But the whole point of Zoom is to connect your camera to other people.

GT: So this simple physical defense of sticking some tape on your webcam does actually help in a very practical way. Zoom said it's a shinier feature for our users if we just turn on the camera automatically, but this way you're guaranteed that you have to do something physical to open the camera.

LD: Oh, that reminds me of the hardware microphone switch on recent Macs - there's a physical disconnection when your lid is closed. So if someone finds a way to trigger your Mac to remotely wake up and join a call, it still can't record any audio.

GT: Yeah, that's a great design - and that brings up a great point, you would still have been connected to audio even if whoever was calling you via Zoom couldn't see you. So the camera cover still isn't a complete defense. It's still worth researching what sorts of features an app has and whether you really want them or not.

LD: But it's a very practical belt-and-suspenders approach, or what security folks call defense in depth. If one of the defenses fail, you're not going to get caught with your pants down.

GT: Maybe literally, in this case. So for macOS Zoom users, is there anything you still need to do?

LD: Well, they've patched the issue, and more importantly, Apple pushed a behind-the-scenes software update to disable the Zoom sleeper agent that would automatically reinstall it.

GT: So as long as you're staying up-to-date with software updates, there's nothing else you specifically need to do right now - besides covering your camera.

LD: Let's take a look at one more case about webcams and privacy. In fall 2009, the school district of Lower Merion, Pennsylvania, a suburb of Philadelphia, issued MacBooks to all its high school students. Those laptops had theft tracking software installed, and one of the things this theft tracking software did was take photos every few minutes so the school district could try to tell where a misplaced laptop was.

GT: Did the students know that the laptop was taking pictures?

LD: No - and worse than that, the theft tracking software prevented normal use of the webcam, so students thought that the webcam had been disabled entirely.

GT: What about the green light? Shouldn't it be impossible to turn on a Mac camera without the light turning on?

LD: Yeah, that is one of the practical safety features on the Mac, and a few students did notice the green light flicker on and off, but they didn't get an answer from school officials about what was happening.

GT: So what happened with the photos?

LD: One student was called into an assistant principal's office after photos were taken of him at home showing what she claimed was proof of drug use. The parents sued the school district, and the student says he was just eating candy.

GT: So the district admitted that it was taking photos of this student at home, like, in his room?

LD: Yeah, and it came out that they had photos of the student partially dressed, photos of family members, and so forth - basically not surprising if students are just leaving their laptops in their room open and going about their day. The district eventually got rid of the software and settled the lawsuit for over $600,000.

GT: That is super creepy - I mean I will just leave my laptop around the house while I'm doing other things, and I really don't expect it to be watching me.

LD: The theft tracking software also captured files and chats that were on the laptop, so students who were using them as their personal laptops had all of their personal conversations with friends monitored by the school district, too.

GT: Honestly, that doesn't surprise me as much - when I use the laptop my employer has issued me, I do expect that they are, or at least could be, monitoring my chats and files. But it's a bit different in that, one, I'm in an industry where this sort of monitoring is common, and, two, I'm an employee - I have a contract with them and the relationship is very different from a student, especially a minor student, getting a laptop from their school district.

LD: Certainly, one of the creepiest parts here is that the students haven't consented to this monitoring, but putting all the creepiness aside, from a security perspective, this case is also particularly alarming to me because the school administrators were actually using the theft tracking software exactly as it was intended to be used. While I don't feel like students should need to physically cover the webcams on their school-issued computers so school officials they should be able to trust don't spy on them, this case is a good reminder that any device where you aren't the sole owner is intrinsically compromised.

GT: Yeah, I mean, my employer tells me that they're monitoring what I do and that they need it for regulatory reasons. And they basically make it clear to me that they're the admin of the laptop and I'm not.

LD: The school district actually said that they avoided telling students that they were being monitored, on the grounds that it would have made theft tracking harder. I don't really buy that argument, though - I think they were just scared of pushback.

GT: Yeah, so some employers require their employees to install software that gives them even more control over their employees' personal devices in exchange for the ability to access work accounts without carrying a second, work-only device. But they make it clear to employees what sort of access they have, and it's very rare for them to want photos - they usually just want the ability to remotely wipe their employees' devices.

LD: I think the idea here is that employees are likely to have work materials like notes on their devices outside of just the software they use specifically for their jobs, but a remote wipe will also lose the employee a lot of non-work related materials, too, unless they're all contained in easy to access backups.

GT: But it's also really hard to guarantee that you have a backup of everything that's yours on a device you share with your employer, without backing up everything - including your employer's property.

LD: Right, and also, if you grant your employer that level of access to your devices, they'd have the ability to install a lot of other types of software, too, including spyware, and you might not even notice they installed it. Your employer probably wouldn't intentionally do that - they're much more likely to install monitoring software so they know the sensitive information for your work isn't leaving your hands - but it only takes one employee with bad intentions who works with the employee device control software to install something that spies on you.

GT: So, personally, if an employer wanted to have access to wipe my phone or monitor my activity, I'd try as hard as I could to get them to give me a work-only device that they could have full ownership over. That way I retain full control over my personal device. On Android and iOS, at least there's generally support for what they call Mobile Device Management, or MDM for short, which gives a well-defined way for employers to set specific policies like passcode strength or the ability to do a remote wipe, without giving them full control of the device. But on desktops, any program you install from your employer is going to be able to fully access your machine.

LD: Yeah, this comes out of the distinction between mobile and traditional desktop OS security models, which we touched on last year in our episode "Securing your phone." Mobile apps generally only have the access granted by the operating system, and there's a permissions prompt for anything unusual like MDM. But if you install a desktop app, it can generally access anything on the system that any other desktop app could access.

GT: I've actually been refusing to install my workplace's chat app because they currently want the ability to wipe the phone, but apparently enough people have been complaining about it that our security team is trying to get their MDM software to only have the ability to wipe that one app. And I definitely wouldn't install something similar on my desktop. If I really had to provide a personal device for work, I'd try to find an old phone or laptop, and I wouldn't log into any of my personal accounts on it.

LD: Yeah, I don't want to fearmonger here, but it actually doesn't take that much time or effort to compromise someone else's computer. When you install software from your employer, they usually tell you what kind of access they're getting with it, but someone else who gets access to install software on your device would be able to install something else without telling you - and you wouldn't know about it. They could install spyware - anything from malware without any legitimate uses to something more subtle and legitimate seeming like theft tracking software. And they could do it all in the time it takes to use the bathroom or refill a water glass.

GT: That's why it's so important to lock your computers and maintain physical access over them and be careful when downloading software.

LD: Maintaining full ownership over your devices is actually genuinely challenging. We talk about the issue of physical access more in our episode "Physical attacks to your computers and disk encryption."

GT: Hopefully, no one compromises your computers, but if you have something over your web camera, someone who does at least won't be able to covertly take photos of you.

LD: You know, one of the things we try to do at Loose Leaf Security is push back on the idea that computer security is a lost cause - that someone's going to be able to hack you no matter what you do. And I know we're talking about some worst-case scenarios here because they really illustrate what the issues are at the heart of this problem, but I really want to say, there are some immensely practical steps you can take.

GT: Right. From sort of a theoretical standpoint, someone who gets access to your desktop can take over everything, but really the things we've been talking about in this episode are specifically attacks that don't involve attackers trying to be like totally evil and plotting against you specifically. Both Zoom and the school district's anti-theft software aren't trying to make your life miserable, they're just prone to misuse. And in the case of the email scam, there was no attack at all. A camera cover helps you say, "you know what, I can promise you that you didn't successfully record me."

LD: Realistically, it's not practical to keep your computer 100% theoretically secure. I do trust my friends, which is why I let them borrow my computer from time to time to look something up really quickly. But I definitely don't always lock my screen every time I get up at a coffee shop to get some more milk for my tea or whatever, and theoretically, someone could plug in a USB Rubber Ducky in those ten seconds. But it generally doesn't actually happen. I don't think you need to be like the guy who threw away all his computers because his Slack password might have gotten breached.

GT: Oh, yeah, I definitely used to think like that, but it's clear to me now that that's an overreaction. There's actually a whole bunch of takeaways from this Slack incident that we'll talk about in an upcoming article.

LD: And another practical case is using work devices - sure, in theory, the safest thing is to leave your work devices at work, but if you're traveling on a work trip, you probably do want to take a work laptop with you, and you'll probably want to use it in your hotel room. So a practical step there is to get a camera cover for your work computer, not because you specifically expect the company to do anything untoward, but it's good for peace of mind.

GT: Security isn't so much about absolutes - it's about finding reasonable tradeoffs to keep doing what you want to do and not worry about things going wrong. A camera cover is not only easy to use, but it protects against some very realistic things that could go wrong.

LD: That's all we have for today, and don't forget to subscribe to our new newsletter - the signup page is at https://looseleafsecurity.com/newsletter.

GT: Until next time, try not to let your life turn into an episode of Black Mirror.

LD: Or even an episode of Candid Camera.

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.