Yes, You Should Tape Over Your Webcam (and Snowden stuff)

QOTD: “Cryptome does not offer security on the premise — learned here, there and everywhere HTTPS Everywhere promises — that Internet, telecom, whole wide world users need to learn, be forced to learn, to provide their own security and to never ever trust those who promise it for them.” — John Young

If you can see the camera, it can see you. At least, that’s the lesson of some research out of Johns Hopkins. Apple computers have a little green LED that goes on when the webcam is powered up — supposedly. And Apple went to some trouble to ensure this actually happens.

Unfortunately, like everyone infected with the digital mind-virus, the Apple engineers did the “simple” thing and controlled the LED via a microprocessor.

Back in the day, they would have used a single damn transistor, or not even that, and directly coupled it to the camera’s power bus. But nooooo. Gotta use a microcontroller for everything these days. Who knows how to work with hardware anyway? Writing code is just so much more logical, none of that analoguey black-magic debugging… it’s like the minute you get into hardware you start wondering if the stuff they taught you in school was really the best way to think about it, but as long as you stick to programming you don’t have to worry. It’s so convenient and comfy.

Anyway, by taking advantage of this designers’ La-Z-Boy, it’s possible to rewrite the firmware and selectively disable the LED. Sadly, I doubt too many people were really surprised.

Lesson: it’s too bad camera lenses don’t inherently light up to tell you where they are. Oh wait — *some* of them do retro-reflect enough light to make do in a pinch. You take a bright flashlight and look down the side while sweeping it around the room, looking for camera lens reflections.

Sadly, this does not always work. Advanced spy cameras use specially coated lenses to prevent this. And sometimes you’re just paranoid.

(I once spent the better part of an evening flashlight-sweeping every square inch of a hallway, trying to verify a rumor there were a large number of cameras hidden there. I turned up nothing, and not even any logical places where they might be found — and believe me, I inspected closely. If the rumor was true, the cameras were nano-scale. Which is actually possible, given what the TLAs have thrown at the problem of technical surveillance.)

Snowden makes it clear he’s not interested in trading information for asylum. Smart.

But he’s equally interested in living in Germany as Brazil — ‘zersetzung’ or no. Given that the Appelbaum/Zersetzung story was covered by the official German news station Deutsche Welle (the German equivalent of Voice of America/Radio Free Liberty) perhaps things are shifting a little.

“Most laptops with built-in cameras have an important privacy feature — a light that is supposed to turn on any time the camera is in use. But Wolf says she never saw the light on her laptop go on. As a result, she had no idea she was under surveillance.

That wasn’t supposed to be possible. While controlling a camera remotely has long been a source of concern to privacy advocates, conventional wisdom said there was at least no way to deactivate the warning light. New evidence indicates otherwise.

Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico, said in a recent story in The Washington Post that the FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years.

Now research from Johns Hopkins University provides the first public confirmation that it’s possible to do just that, and demonstrates how. While the research focused on MacBook and iMac models released before 2008, the authors say similar techniques could work on more recent computers from a wide variety of vendors. In other words, if a laptop has a built-in camera, it’s possible someone — whether the federal government or a malicious 19 year old — could access it to spy on the user at any time.

One laptop, many chips

The built-in cameras on Apple computers were designed to prevent this, says Stephen Checkoway, a computer science professor at Johns Hopkins and a co-author of the study. “Apple went to some amount of effort to make sure that the LED would turn on whenever the camera was taking images,” Checkoway says. The 2008-era Apple products they studied had a “hardware interlock” between the camera and the light to ensure that the camera couldn’t turn on without alerting its owner.

But Checkoway and his co-author, Johns Hopkins graduate student Matthew Brocker, were able to get around this security feature. That’s because a modern laptop is actually several different computers in one package. “There’s more than one chip on your computer,” says Charlie Miller, a security expert at Twitter. “There’s a chip in the battery, a chip in the keyboard, a chip in the camera.”

MacBooks are designed to prevent software running on the MacBook’s central processing unit (CPU) from activating its iSight camera without turning on the light. But researchers figured out how to reprogram the chip inside the camera, known as a micro-controller, to defeat this security feature. In a paper called “iSeeYou: Disabling the MacBook Webcam Indicator LED,” Brocker and Checkoway describe how to reprogram the iSight camera’s micro-controller to allow the camera and light to be activated independently. That allows the camera to be turned on while the light stays off. Their research is under consideration for an upcoming academic security conference.”
