America Exposed - Institute for Critical Infrastructure Technology

America Exposed - Institute for Critical Infrastructure Technology
America Exposed
Who’s Watching You Through Your Computer’s
Camera?
May 2017
By: James Scott, Senior Fellow, The Institute for Critical Infrastructure Technology
1
America Exposed
Who’s Watching You Through Your Computer’s Camera
May 2017
Authored by: James Scott, Sr. Fellow, ICIT
Except for (1) brief quotations used in media coverage of this publication, (2) links to the
www.icitech.org website, and (3) certain other noncommercial uses permitted as fair use under United
States copyright law, no part of this publication may be reproduced, distributed, or transmitted in any
form or by any means, including photocopying, recording, or other electronic or mechanical methods,
without the prior written permission of the publisher. For permission requests, contact the Institute for
Critical Infrastructure Technology.
Copyright © 2017 Institute for Critical Infrastructure Technology – All Rights Reserved
`
2
Support ICIT & Increase Webcam Privacy
CamPatch®, the world’s leading manufacturer of webcam covers, is
proud to donate 100% of net proceeds to ICIT.
Custom Branded Webcam Covers are a powerful tool for security
training initiatives, and are a valuable and impactful promotional
giveaway item.
Visit www.CamPatch.com or contact
sales@campatch.com to learn more.
Upcoming Events
The Annual ICIT Forum
June 7, 2017, The Four Seasons Washington D.C.
www.icitforum.org
`
3
Contents
Are You Being Watched? .............................................................................................................................. 4
Computing Devices Offer Rapidly Evolving Surveillance Capabilities ........................................................... 4
Hacking Cameras is Trivial............................................................................................................................. 9
“WebcamGate” and Creepy Gaming Surveillance Technology .................................................................. 13
Mitigating Mass Camera-Based Surveillance .............................................................................................. 15
Sources ........................................................................................................................................................ 18
`
4
Are You Being Watched?
No other exploit is as vicious or expedient with its results as camera activation malware. An
adversary is virtually guaranteed a successful blackmail or espionage campaign when you have
compiled hours upon hours of video footage of a powerful executive or government official
“satisfying their intellectual curiosity” in front of their computer, in the privacy of their home
office, in the wee hours of the night. With the devastating S.J. Res 34, adversaries are going to
be zeroing in on pre-scrubbed metadata from flimsy and vulnerable ISP networks, while
continuing to pilfer other networks for PII, EHR, etc. for surgically precise psychographic
targeting of politicians and critical infrastructure executives. Big data analytics makes it easy to
target the most senior executives with elevated privileges and camera activation malware is the
crème de la crème of espionage and blackmail mechanisms.
Every computer, smartphone, and internet-enabled mobile device has a camera and
microphone that can be used by malicious threat actors to surveil and spy on the user. The
weaponization of a device’s camera is effortless and can be accomplished by the most
inexperienced cyber-adversary using outdated malware. In many cases, the device may even
come pre-installed with spyware and be designed to monitor the user population without their
knowledge, awareness, or consent. How frequently are you within 2 feet of an unsecured
camera? How about within 6 inches? How many unsecured cameras, connected to softwaredriven devices, circulate about your home and workspace? Phones, tablets, PCs and other
devices are rarely out of the modern consumers’ reach. Many devices now even have a camera
on both sides for added user convenience. Nearly every consumer IoT, smart, and personal
device comes readily equipped with a web camera that could potentially be leveraged to collect
information about the user and their surroundings [1]. Due to the perpetual impending risk of
corporate dragnet surveillance and malicious data collection and exploitation, it is imperative
that users cover the cameras of all devices when the device is not being used to communicate
with authorized parties.
Computing Devices Offer Rapidly Evolving Surveillance Capabilities
The unsecured cameras on PCs and mobile devices pose a serious threat to the private sector,
to individual users, and to national security. In attempts to subsidize costs, to promote user
innovation, and to free users of unenforceable antiquated policies, many organizations allow
users to bring their own personal computing devices into the work environment and to connect
those devices to a segment of the corporate network. Adversaries infect user devices with
malware via spear-phishing, watering-hole attacks, and other malicious campaigns. Attackers
even compromise corporate devices that reside behind sophisticated layered defenses due to
security oversights, poor cyber-hygiene, third-party lateral access, etc. Therefore, each and
`
5
every device within the organization’s environment is a potential espionage vector for
sophisticated and unsophisticated adversaries alike. A picture is worth a thousand words, and a
video is worth much more. Threat actors can capture internal images and videos of employees,
work functions, documents, the building layout, physical security measures, proprietary
research, Intellectual property, etc. Even knowing who frequents a high-security environment
or how often personnel uses a given system could be valuable knowledge to a cunning
adversary. For instance, a script kiddie could use the knowledge of the office behavioral
patterns to install a second-stage malware at a time when personnel are not paying attention
to the target system. Meanwhile, a cyber-terrorist or Hail-Mary threat actor might use the
workplace surveillance to facilitate a cyber-kinetic attack. Moreover, a sophisticated nationstate adversary could use captured information such as sensitive documents, strategy
meetings, or private user data, in their espionage campaigns.
Figure 1: The NanoCore RAT Can Remotely Compromise Webcams
NanoCore is a customizable RAT capable of remotely activating webcams and recording video or capturing
pictures. Script kiddies and other malicious adversaries can purchase it on Deep Web markets and forums for
$10 or less and easily use it in targeted attacks or broader campaigns.
`
6
Foreign companies in foreign nations manufacture the vast majority of computing devices.
While this process lowers the cost of devices in U.S. markets, it also presents an enormous
cybersecurity risk. Devices and the software that they depend upon can be manipulated and
left intentionally vulnerable by the manufacturer or by the law enforcement of the originating
nation. For instance, China requires that all companies that operate within its borders be
subject to a high-ranking on-site government liaison who has the authority to oversee and
direct operations according to China’s 13th Five-year plan. The plan includes initiatives to
become a technological superpower and a global economy leader. As a result, Chinese nationstate Advanced Persistent Threat (APT) groups frequently target U.S. organizations to collect
intelligence, to exfiltrate data, and to steal Intellectual Property (IP). The liaison in each
organization could direct the manufacturer to knowingly include malware or exploitable
vulnerabilities within the firmware or preinstalled software of the device [2]. Malware that
exploited the camera functions without alerting the user would be trivial to include and
operate. How often does your device have an active internet connection without your full
knowledge of the data transfer? How many applications came pre-installed on your computing
devices and how many of those applications are you still unable to remove? How many
applications have you downloaded that ask permission to access your camera? For how many
of those applications was access to your camera critical to their core functionality?
`
7
Figure 2: The Nuclear RAT 2.0 Can be Used to Compromise Webcams, and it Costs Less
Than a Quarter
The Nuclear RAT 2.0 is a cheap but effective malware capable of weaponizing the victim’s
webcam.
`
8
Infecting and exploiting the cameras of computing devices was not challenging for malicious
adversaries a decade ago, and it is no more difficult today. Sophisticated and unsophisticated
threat actors can easily install malware capable of capturing images and videos from computing
devices by infecting the device prior to purchase, by poisoning a trusted update, by leading the
user to a watering-hole site, through social engineering, etc.
Figure 3: The GinX Ransomware Captures the Victim’s Camera
on Windows and Mac
`
9
GinX adds impact to its ransomware demand by capturing the victim’s image with the infected
system’s webcam and displaying it back to the victim. This is a common ransomware scare tactic
meant to unnerve the victim and disrupt their attempts at logical or systematic thought.
Hacking Cameras is Trivial
Hacking into a webcam is not difficult by any means. Different webcams operate on different
code and therefore may necessitate slightly different exploits. For instance, Logitech webcams
store information about the victim’s hardware in the Windows registry. A Hexadecimal Boolean
value displayed in the Registry key can be altered to control the LED light that would notify the
user that their webcam is active. Realtech webcam drivers can likewise be hacked. The DLL
drivers can be patched with any decent Hex Editor to disable the LED or compromise the
webcam. The iSeeYou exploit can be used to exploit the iSight cameras found in Apple systems
`
10
dating pre-2010. A command line tool called uvcdynctrl can be delivered to Linux systems via a
malicious payload and used to disable the LED or facilitate further compromise [3]. The bottom
line is that no matter the manufacturer of the camera or the designated operating system,
there exists tens or hundreds of obfuscated or fully-undetectable malware capable of
weaponizing the victim’s webcam. Some, such as jRAT (which can target Windows, Linux, or
Apple), AndroRAT, DroidJack, and countless others, have a high compromise success rate.
Nearly every malware that allows the attacker to execute arbitrary code or to alter user settings
can be used to activate the system’s webcam and to capture photos and video. Only a slight
increase in sophistication is necessary to disable signals that might alert the user (such as the
webcam light) and to store and exfiltrate the data. Webcams are arguably one of the easiest
system components to remotely access and exploit. Even without a Remote Access Trojan (RAT)
(such as the few displayed throughout the document) or a more sophisticated malware, threat
actors can leverage one of the plentiful vulnerabilities inherent in the webcam software itself
because the manufacturers continue to fail to incorporate security-by-design throughout the
developmental lifecycle of the component. For example, the Shodan IoT search engine features
25 common exploits that range from buffer overflows of instant messaging clients to malicious
downloads to ActiveX exploits to poisoned updates. Even an unsophisticated techno-upstart
with little or no knowledge of Deep Web or malware operation could remotely exploit the
webcam on a target system by downloading Metasploit (which comes pre-installed on Kali
Linux and Backtrack) and following a YouTube video. The Metasploit commands can even be
copied and pasted from online guides [4]. If for some reason the victim already has Meterpreter
installed on their system, then the compromise takes seconds rather than minutes [5].
Edward Snowden alleged that the NSA’s Optic Nerve operation enabled law enforcement to
capture webcam images of random Yahoo users at 5-minute intervals. He claims that over a sixmonth period in 2008, over 1.8 Million users’ images were captured and stored on government
servers [6]. Whether or not his allegations are true, for over a decade, unsophisticated hackers
have been able to remotely enable webcam and microphone devices on victim systems in order
to capture user data [7]. Now, hot-mic-ing and picture or video captures are the fundamental
components of any pseudo-respectable Remote Access Trojan (RAT) and espionage malware
available on Deep Web markets and forums.
`
11
Figure 4: REMCOS 1.7 Can Also Target Webcams
REMCOS is a fast, light, and highly customizable RAT that is also capable of enabling the attacker full control
over the webcam functionality of the victim system.
With the ubiquitous and pervasive adoption of mobile computing devices over the past decade,
attackers have included these malicious data collection capabilities in the numerous malware
designed to target Android, iPhone, and Linux mobile devices. In a demonstration of the
simplicity of the vector, one University student claimed in a blog post that his malicious Android
app kept the user’s camera running in the background by using a 1-pixel by 1-pixel preview
screen [8]. More advanced spyware such as Blackshades RAT and nearly every other RAT on
Deep Web markets and forums, seize command and control functionality over the user device
[9].
`
12
Figure 5: BlackShades RAT 5.5.1 is Cheap, Available, and Effective
The Blackshades 5.5.1 remote access Trojan is typically delivered via drive-by-downloads or infected media. It
can also self-propagate by sending malicious watering-hole links via the victim's social media platforms to their
contacts. The malware can be used to remotely access the system, execute commands, operate the webcam,
etc. without requiring the permission or authorization of the victim user. Blackshades is often used in botnet
attacks that further distribute the malware; that sell access-as-a-service; or that conduct distributed denial of
service (DDoS) attacks.
The WikiLeaks “Vault 7” release of supposedly CIA tools stirred outrage and incited mass
paranoia about the U.S. government’s ability to covertly collect information from smart devices
[10]. In reality, the capabilities of the featured malware are not uncommon or necessarily
sophisticated. Smart televisions and many other IoT devices are effortlessly and frequently
compromised by unsophisticated adversaries who collect images, videos, and audio and who
execute arbitrary commands without alerting the user. For instance, the “Weeping Angel”
`
13
malware weaponized Samsung televisions into intelligence collecting devices. These devices,
like many others, are inherently vulnerable because their software is developed without
incorporating security-by-design throughout the developmental lifecycle. As a result, smart
televisions and other smart devices that feature microphone and camera features, are riddled
with vulnerabilities that even the most unsophisticated attacker can exploit if they can deliver
malware to the device through a poisoned update or watering-hole attack or if they can
remotely exploit the device by compromising erroneously open ports that can easily be
discovered through an IoT search engine such as Shodan. Smart TV’s are not unique in their
vulnerability or ease of exploit. Nearly every mass-marketed device that runs code has
exploitable vulnerabilities and flaws waiting for adversarial discovery and exploit.
Figure 6: Script Kiddies Build Camera Exploitation Functionality into Their Malware
Compromising a victim’s webcam is so easy that when designing new malware, many script kiddies either
include the feature by default or as a last minute, tertiary after-thought.
“WebcamGate” and Creepy Gaming Surveillance Technology
Microsoft’s Xbox One briefly caused a privacy panic when users were understandably
concerned that the motion sensor, which also collects video and listens for voice commands,
was designed to be perpetually active, even when the console was hibernating. Kinect has a
microphone, a video camera, and it recognizes users’ voices and faces. Kinect can also detect
users in the dark, discern specific voices in a crowded room, and read people’s heart rates by
scanning their faces [11] [12]. GCHQ even evaluated the device for its “potential and
capabilities” [6]. In response to user qualms, Microsoft altered the data collection and design
`
14
functionality of the Xbox One so that the device could be configured not to collect data in
hibernation mode. Further, the Kinect could always be unplugged and privacy conscious users
could always completely shut down the Xbox One. That said, many users, especially the
uninformed teenage demographic to which the console is marketed, are not trained to be
privacy conscious. Malicious adversaries could easily infect the Internet enabled devices with
malware through the web browsing feature, open ports, or downloaded game modifications.
A game console is a software controlled device, so attackers can weaponize any associated
camera by compromising the system. Obviously, game consoles have some native security
measures implemented; however, at the end of the day, systems like the Xbox One are just
stripped down (or in some cases “suped-up”) PCs. In fact, the Xbox One is very similar to a
Windows 8 system. Hackers can exploit the device camera along a number of attack vectors.
The simplest is by exploiting the Skype application installed on the device since it will have all
the privileges necessary to access the camera. The console is more of a “walled garden” than a
traditional Windows system and adversaries are less likely to tailor design malware to
compromise the system because the return on the investment of resources is not significant
compared to that of a PC focused campaign. However, IoT botnets, which require massive
computational power and targeted attacks are still feasible and are more than possible.
Figure 7: Camera-Focused Targeted Attacks Are Not Going Away
Human nature never changes. Even before the internet, cameras were used by nefarious individuals to surveil
unsuspecting victims illegally. Now, in the digital age, every device has one or more camera and the same
malicious threat actor can target tens to thousands of victims with considerably less effort and a significantly
greater success rate. So long as the technology persists, users will need to safeguard their security and
privacy through common sense practices such as shuttering device cameras when not in use.
`
15
Students are also at an unprecedented risk of unauthorized monitoring during every second
they spend in front of a screen. Online predators identify youths’ PCs and mobile devices by
establishing contact over social media or gaming applications and then by either luring the child
to a watering-hole site, by convincing them to share their information, or by remotely
compromising an application on their system.
Meanwhile, children are occasionally remotely surveilled on school-issued devices. For
instance, the “WebcamGate” scandal in 2010 focused on the unauthorized monitoring of
students from two high schools in Lower Merion Township of Pennsylvania. The ensuing
lawsuit, Robbins v. Lower Merion School District, revealed that 66,000 images of students were
captured while they were in the privacy of their homes. The laptops captured an image every
15 minutes the device was in use and could be remotely configured to capture an image at
intervals as low as every minute. Students had widely believed that the webcam functionality of
the laptops had been disabled because the administrator had configured the components not
to function unless the students were using specific programs. The images and other student
information such as chat logs were transferred from the student laptops to school servers
where they were later reviewed by school authorities, who allegedly also shared the snapshots
with others. The district quickly settled the lawsuit for $610,000. Every emerging technology
and every issued device have the potential to become the next “WebcamGate.” Rather than
allow students to become potential victims, parents can proactively protect them by covering
the webcam when it is not in use [13].
Mitigating Mass Camera-Based Surveillance
Practically every RAT and espionage malware has the capability to remotely compromise and
activate cameras in order to capture videos and images of the target user. Script kiddies pride
themselves on the ease at which they can surveil unsuspecting users for “sexploitation”,
blackmail, degradation of character, and other schemes. Cyber-criminals can use device
cameras to steal intellectual property, to plan social engineering campaigns, etc. Advanced
cyber-mercenary groups, such as Carbanak, may even use the camera functionality of victim
systems in order to learn the procedural operations of niche systems. Nation-state sponsored
Advanced Persistent Threats (APTs) include webcam exploits in their malware toolkits so that
they can surveil target systems and so that they can capture activities useful in the coercion of
critical infrastructure and intelligence personnel. Users will be hard-pressed to purchase any
marketed devices that actually incorporate security-by-design. While a cultural shift in requiring
device cybersecurity-by-design is essential to the future security of the nation, currently, it is
unrealistic to demand that every user (the vast majority of which remain cyber-hygienically lazy
`
16
and unaware of cybersecurity risks) avoid every vulnerable camera-bearing device on the
market.
The stark reality is that at this very moment, a malicious threat actor, located across the world,
could be watching you read this publication if the webcam on your is not covered. They could
be plotting dozens of different attack vectors to inflict further harm on you or your family. The
government cannot secure your webcam. Law enforcement cannot prevent hackers from
targeting you for one reason or another. Anti-malware applications can detect and remove
many malware; however, few cybersecurity applications are sophisticated enough to remove
malicious programs prior to execution (i.e. before the hacker has already compromised your
webcam) and even fewer applications are capable of detecting novel, mutating, or fullyundetectable malware.
Only you have the ability to prevent cyber-adversaries from weaponizing the cameras on your
PC, phone, tablet, smart TV, game console, and other IoT devices. Your options are simple. You
could remove all the drivers and software functionality of the webcam; though, the component
would no longer be available on any devices. Similarly, you could physically drill out the device
cameras. These options are inconvenient at best.
The simplest and optimal solution is to just shutter device cameras when the feature is not in
use, in order to prevent information leakage and unintended capture and exposure. Users could
use tape or a post-it; however, those options leave a residue on the lens and could
inadvertently fall off. Further, many users avoid covering their webcams because homemade
covers may appear unprofessional. During a conference at the Center for Strategic and
International Studies, James Comey admitted that he even got occasionally mocked for using
tape on his personal devices, stating, "Heck yeah, heck yeah. And also, I get mocked for a lot of
things, and I am much mocked for that, but I hope people lock their cars… lock your doors at
night. I have an alarm system. If you have an alarm system you should use it; I use mine."
Comey believes that covering webcams is one of the "sensible things" that every user should be
doing to "take responsibility for their own safety and security" [7].
Instead of eschewing security or suffering ridicule, users can purchase personalized, durable,
and reusable webcam covers. Webcam covers fundamentally function as an “I accept”
mechanism for each webcam use; thereby promoting user privacy knowledge, awareness, and
consent. Users can apply recyclable webcam covers to computers, laptops, tablets, mobile
phones, gaming devices, and other products without worry of smudging the device lens or
having to find a new cover after each use. Further, some brands enable users to customize
`
17
their webcam covers with corporate logos or personalized designs. It also offers educational
material concerning webcam security for citizens, professionals, and organizations.
ICIT Contact Information
Phone: 202-600-7250 Ext 101
E-mail: http://icitech.org/contactus/
ICIT Websites & Social Media
www.icitech.org
https://twitter.com/ICITorg
https://www.linkedin.com/company/institute-for-critical-infrastructure-technologyicit-
https://www.facebook.com/ICITorg
`
18
Sources
[1] "Are Hackers Using Your Webcam To Watch You?". Us.norton.com. N.p., 2017. Web. 26 Apr. 2017.
https://us.norton.com/internetsecurity-malware-webcam-hacking.html
[2] J. Scott and D. Spaniel, China’s espionage dynasty: Economic Death by a Thousand Cuts in
Amazon.com: Books. CreateSpace Independent Publishing Platform, 2016. [Online]. Available:
https://www.amazon.com/Chinas-Espionage-Dynasty-EconomicThousand/dp/153532743X/ref=asap_bc?ie=UTF8. Accessed: Jan. 12, 2017.
[3] "Webcam Exploit: Disable Webcam Light." Techmeout.org. N.p., 2016. Web. 27 Apr. 2017.
https://techmeout.org/tag/webcam-exploit/
[4] "How To Hack Webcam Using Metasploit(Kali Linux/ Backtrack)". The Hackers Store. N.p., 2016. Web.
27 Apr. 2017. http://www.thehackerstore.net/2016/02/hack-webcam-with-metaspoilt.html
[5] "Hack Like A Pro: How To Secretly Hack Into, Switch On, & Watch Anyone's Webcam Remotely".
WonderHowTo. N.p., 2016. Web. 27 Apr. 2017. https://null-byte.wonderhowto.com/how-to/hack-likepro-secretly-hack-into-switch-on-watch-anyones-webcam-remotely-0142514/
[6] Ackerman, Spencer, and James Ball. "Optic Nerve: Millions Of Yahoo Webcam Images Intercepted By
GCHQ". the Guardian. N.p., 2014. Web. 26 Apr. 2017.
https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam-images-internet-yahoo
[7] Kumar, Mohit. "FBI Director — You Should Cover Your Webcam With Tape". The Hacker News. N.p.,
2016. Web. 26 Apr. 2017. http://thehackernews.com/2016/09/hacking-webcam-cover.html
[8] Zorabedian, John. "Yes, Your Smartphone Camera Can Be Used To Spy On You…". Naked Security.
N.p., 2014. Web. 26 Apr. 2017. https://nakedsecurity.sophos.com/2014/05/28/yes-your-smartphonecamera-can-be-used-to-spy-on-you/
[9] Munson, Lee. "Over 100 Arrested In FBI Blackshades RAT Raids". Naked Security. N.p., 2014. Web. 26
Apr. 2017. https://nakedsecurity.sophos.com/2014/05/19/over-100-arrested-in-fbi-blackshades-ratraids/
[10] Cullison, Alan. "Wikileaks Reveals CIA Hacking Projects, From Weeping Angel To Hammer Drill".
WSJ. N.p., 2017. Web. 26 Apr. 2017. https://www.wsj.com/articles/wikileaks-reveals-cia-hackingprojects-from-weeping-angel-to-hammer-drill-1489017814
`
19
[11] Hollister, Sean. "Could The NSA Use Microsoft's Xbox One To Spy On You?". The Verge. N.p., 2013.
Web. 26 Apr. 2017. http://www.theverge.com/2013/7/16/4526770/will-the-nsa-use-the-xbox-one-tospy-on-your-family
[12] Totilo, Stephen. "Xbox One's Kinect Can Turn Off, Microsoft Says, Noting Privacy Worries".
Kotaku.com. N.p., 2013. Web. 26 Apr. 2017. http://kotaku.com/xbox-ones-kinect-can-turn-offmicrosoft-says-noting-510100564
[13] Masterson, Teresa. "School Spies On Students At Home With Webcams: Suit". NBC 10 Philadelphia.
N.p., 2010. Web. 26 Apr. 2017. http://www.nbcphiladelphia.com/news/local/School-Spies-on-Studentsat-Home-with-Webcams-Suit-84712852.html
[14] Griffin, Andrew. "Wikileaks Just Published The Biggest Set Of CIA Documents Ever. Here's Everything
That's In Them". The Independent. N.p., 2017. Web. 26 Apr. 2017. http://www.independent.co.uk/lifestyle/gadgets-and-tech/news/wikileaks-cia-what-are-they-explained-vault-7-year-zero-julian-assangesecrets-a7616826.html
`
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertising