The China-based cyber-spy network known as “GhostNet” is a sophisticated group of hackers capable of logging its victims’ keystrokes, stealing their documents, capturing images from their screens—and staring creepily at them through their webcams.
In a report released last month, Canadian researchers concluded that GhostNet has cracked at least 1,295 computers in 103 different countries, specifically targeting the Dalai Lama and other Tibetan activists and officials. Stealing documents and logging keystrokes—that I understand. You can get all sorts of useful information reading someone’s e-mail or looking at their bank records. But peeking at them through their Web cameras? That seems creepy even by the standards of shady cyber-spying rings. It’s one thing to read the Dalai Lama’s IM conversations. It’s another to actually watch him LOL.
GhostNet might be the most prominent example yet of webcam infiltration, but it’s certainly not the first. The practice dates back to 1998, when a group of hackers calling itself the Cult of the Dead Cow designed a piece of software that, when downloaded onto a computer, let someone control the machine remotely. Anything you could do sitting at your desk, they could do thousands of miles away, from creating documents to playing MP3s to popping open the disk drive. They dubbed the program Back Orifice—a twist on Microsoft’s BackOffice. The authors “were not malicious guys,” says Frank Heidt, CEO of Leviathan Security. “They thought it was funny as hell.”
Webcam scams do occur, though they’re far less common than other types of online extortion. In 2004, four hackers in Spain were arrested after threatening to post candid webcam videos online unless their victims paid up. In 2008, a Canadian man told young girls that he had nude pictures of them and would post them on the Internet unless they posed for him again.
Governments and businesses have adapted. For example, the Department of Defense has regulations about where you can carry a laptop. And unlike the most advanced computer worms, this isn’t a threat that’s constantly evolving to outpace security measures.
Since Back Orifice hit the market, the basic methods of cyber-peeping haven’t changed much: Just get your target to download an e-mail attachment or click a link that triggers an automatic download, activate the camera, then sit back and watch. “Writing the malware is a total triviality” even for middling programmers, Heidt says. Back Orifice is still available for download, and beginners can find instructions on how to write their own programs with a simple Google search. Or you can just take a college course on how to do it.
What’s changed is the prevalence of cameras. You can’t buy an Apple laptop these days without a built-in camera. Even Sony’s smallest notebook has a webcam. Sometimes they’re practically invisible: The MacBook Air’s built-in camera is “so smartly integrated, you hardly notice it’s there,” brags Apple. That said, almost all laptops have a light that turns on whenever the camera is on—a feature that hackers can’t disable since it’s controlled electronically, not programmatically.
Still, webcam espionage isn’t very common. Most scammers are interested in money, and video of someone’s slack-jawed mug isn’t going to yield much cash. “Most stuff you’d capture on a camera, they’ve already posted on Facebook,” says Kevin Haley of Symantec Security Response. *Even if you did have hundreds of hours of video and audio capturing someone’s conversations, it’s a lot harder to index and search than written information. (Some programs solve this problem by activating the camera only if they sense movement.) If it’s profit the hacker wants, the contents of the computer are much more valuable than whatever’s happening in front of it.
If someone hacks into a webcam, therefore, it’s usually a targeted attack. Pure creepiness is one motivation. A 15-year-old girl in Texas reported in 2004 that a hacker who took over her computer would eject the disk drive and say things like, “I like your shirt.”
Then there’s spying on people you’d like to keep an eye on, such as, say, your spouse. One could see this being useful for private investigators, though PIs I spoke with say they don’t know of anyone hacking into webcams as part of their work. “The technology is there for it to happen,” says Charles McLaughlin, a PI in Andover, Mass. “But in the private sector, although there are some characters willing to break the law, most reputable PIs don’t.” You might get away with it if you install the spyware own your own computer—say, the one in the bedroom—but even that gets into shady legal territory.
More threatening than video is audio. By accessing a computer’s microphone, you turn the computer into a bug. It’s also more clandestine than video, since the microphone is always on and there’s usually no light to tip you off when it’s recording. “The mic thing worries me a lot more,” says Chris Wysopal of the security firm Veracode. “Unless you can lip-read, [video alone] isn’t that useful.”
So how do you prevent someone from spying on you? The usual Internet hygiene applies. Don’t click the weird attachment your computer-illiterate relatives send you, update your antivirus software regularly, and so forth. If you want to be really cautious, the best solution is the simplest: Put a piece of tape over the camera. It may be the laptop equivalent of the tinfoil hat, but it’s the only way to absolutely guarantee privacy. The microphone is trickier, since you can’t tape it up. You can disable it, though, by plugging a converter or some other cord into the computer’s microphone jack, which turns off the internal mic.
But ultimately, there’s only so much you can do. Vulnerability is a fact of cyber life: Anytime you open a portal to the outside world, it makes intrusion possible. The problem is when we don’t even know the portal exists, or are only dimly aware of it. There’s a general rule that you shouldn’t write anything in an e-mail that you wouldn’t want shared with the world. Perhaps the same should apply to dancing in your underwear while your laptop is watching.
Correction, April 6, 2009: This article originally misspelled the name of Symantec Security Response. ( Return to the corrected sentence.)
