Mark Zuckerberg of Facebook does it. So does FBI Director James Comey. Should you?
What they do is cover up their laptop webcams — sometimes with just a piece of opaque tape — blocking scuzzball computer hackers from activating the built-in cameras and spying on them. Perhaps in their bedrooms.
The hackers do it using a type of malware, or malicious software, that lets them remotely hijack computers. In hacker lingo, they take control and “enslave” computers.
Motives of the hackers vary. Some are Peeping Toms. Others are extortionists. Still others lurk to obtain any kind of personal information or image to sell on the underground global market.
At a forum on cybersecurity this week in Washington, Assistant Attorney General John P. Carlin, who heads the national security division, said he was all for taping over webcams, given the prevalence of computer hacking.
“It does seem like a good idea,” Carlin said.
He’s got brainy company.
Zuckerberg, the Facebook chief executive, posted a routine-looking photo last week to his own Facebook account — 70.2 million followers — that touted Instagram, the Facebook-owned mobile photo-sharing app. Sharp-eyed viewers noticed that a laptop computer behind him had silver tape over the webcam and the microphone jack.
FBI Director Comey admitted in a question-and-answer session April 6 at Kenyon College in Ohio that he saw a colleague with tape over his webcam and decided to follow suit.
“I have, obviously, a laptop, personal laptop. I put a piece of tape over the camera. Because I saw somebody smarter than I am had a piece of tape over their camera,” Comey told students.
Data security experts say the threat is real, prevalent and worth precautionary action.
“It’s not bad advice, per se. The effort it takes is very minimal,” said Satnam Narang, senior security response manager at Norton by Symantec, the California-based global data security firm.
The culprits commonly use RAT malware — which stands for remote access Trojan — and the hackers are sometimes called ratters. They attach the malware to photos, music files, documents or video and lure the user to click.
An infected email might say: “Check out my new Hawaiian video! I went surfing naked!” said Hemu Nigam, a former internet crimes prosecutor for the Department of Justice and founder of SSP Blue, a Los Angeles-based online safety advisory firm.
If you think you’d notice a little light coming on, indicating the webcam is in use, you could be wrong, experts said.
“It’s been shown that there is software that is able to disable the little light and still activate the webcam,” said Balint Seeber, the director of vulnerability research at Bastille, a cybersecurity firm with offices in Silicon Valley and Atlanta.
Signs of paranoia about webcams are rising.
The trailer for Oliver Stone’s upcoming biopic about Edward Snowden, the National Security Agency spy contractor, shows the actor portraying him in a bedroom scene in which he nervously looks over at his exposed laptop webcam. The movie has a September release date.
Webcam peepers can be after many different things.
“There have been cases of former lovers who hack webcams to spy on their exes, sexual deviants who collect images for their own use, and sextortionists, who use images and videos to demand ransoms or get victims to perform additional acts via their webcam in order to keep the photos private,” Krystie Caraballo, the general manager of CamPatch, a maker of removable webcam covers, said in an email.
Webcams in offices or manufacturing plants can get views of whiteboards or capture trade secrets, she added, and microphones can be hacked as well, to allow eavesdropping.
The RAT malware is easily obtainable and out-of-the-box easy, said Adam Benson, deputy executive director of the Digital Citizens Alliance, a nonprofit organization focused on internet safety.
“What’s scariest about it is not who’s doing it but how easy it is to do,” Benson said.
Malware with names like Sub7, Cerberus, njRAT, DarkComet and Sakula can let hackers root around a computer’s hard drive, performing all tasks — without consent.
“They can see into people’s lives, which is pretty eerie. There are some sick people out there,” said Dan Ford, forensic analyst and tactical security engineer at Rook Security, a global IT security firm based in Indianapolis.
“We call it creepware,” said Narang, of Norton by Symantec. “The end goal is to steal information. You can sell that information en masse. … The extortion part and the Peeping Tom part is a small subset.”
But it can be terrifying to the victims.
“When that webcam goes on and that hacker watches that teenage girl in her room, he is digitally raping her,” said Nigam, the former prosecutor.
Curiously, Apple Inc. filed a patent claim this week that allows it to disable iPhones from recording video or sound or taking photos in venues where it’s prohibited, such as concert halls or movie theaters.
Not all computer-savvy experts resort to webcam blocking.
“I’m pretty lazy,” said Matthew D. Green of the Information Security Group at Johns Hopkins University, who acknowledged that he doesn’t cover his webcam. “That’s just because I’m a middle-aged computer science professor, and I don’t think anyone wants to look at me.”
Seeber, the vulnerability expert, said those applying tape to their webcams shouldn’t rest easy. If they use wireless devices like a mouse, the radio frequency between the device and the dongle plugged into the computer make it vulnerable, too.
“You can actually hack into someone’s computer through that wireless dongle,” he said.