Bruce Schneier
Schneier on Security

A blog covering security and security technology.

March 18, 2005

Hackers Taking Over Webcams

In this story, someone took control of a webcam using the SubSeven Trojan. In other cases, it's even easier. There are lots of webcams out there that are completely open to anyone who logs into them. You can even search for them using Google.

Posted on March 18, 2005 at 7:25 AM

I remember seeing how to find them using Google a while ago (it numbered in the *thousands* for just 1 brand). I'm not really surprised that hackers would take over webcams (though not sure why they would go to the effort of using SubSeven when there's so many w/ a web based interface pointing to the world).

Posted by: Corbin at March 18, 2005 8:19 AM

Occasionally, such trojans hijack the cameras with hilarious consequences:

Posted by: Yoz at March 18, 2005 8:23 AM

Presumably, the reason that people use viruses to hack into people's web cams when there are ones simply open is that the USB/firewire ones are more "interesting". The ones sitting open tend to be sold as do-it-yourself security cameras, or easy-to-do scenery webcams, and thus aren't in people's bedrooms. (I suppose it's possible that they get used for security cams covering changing rooms, etc, but I doubt that, somehow.)

Posted by: theorbtwo at March 18, 2005 8:59 AM

Yawn. I thought the Register had a more interesting tidbit here about the lack of common-sense security features in Windows:

http://www.theregister.co.uk/2005/03/18/windows_server_firewall/

Perhaps some analysis would help this blog entry...something like "note to 'security' camera vendors: taking a month or two to properly test and secure your products will more than pay for itself in the near term." or "Cam attacker is caught.
Once again, we see trojans at work, but are we at a point that someone should be held liable? Software company, camera company..."

Posted by: Davi Ottenheimer at March 18, 2005 9:31 AM

This was one of the juiciest cam "hacks" of all time (no virus/trojan needed): By searching Google with inurl:"ViewerFrame?Mode=" an attacker could easily pick from a vast array of targets (before most of them were "corrected"). Nothing special had to be done other than click the link to "pwn" the webcam, and the attacker could even control it and reprogram it. In the link above a lot of the kiddies spend some serious time into repositioning the webcam on the victim's system and even the victim - while they are wondering why in the world the camera appears to have a mind of its own. Most of them figure out that their webcam by default is not in a "secured" state ...

Israel Torres

Posted by: Israel Torres at March 18, 2005 9:46 AM

While I had a number of nefarious attempts (based on web server log entries) to take over my Christmas webcam - see http://www.komar.org/cgi-bin/xmas_webcam - I don't believe any of those were successful, although they would have been a bit "disappointed" if they had been successful! ;-)

Posted by: alek at March 18, 2005 11:23 AM

@Resonant Information

Perhaps you should clarify your statement "a lot of webcams are horribly insecure by default" to be something more like "when you connect a webcam to a Microsoft OS, your horrible insecurities and risk of exposure might get even worse".

Posted by: Davi Ottenheimer at March 18, 2005 12:16 PM

If one ignores the fact that technology was involved, it seems a pretty steep fine for a guy doing what movies have glorified and generations before have attempted - get a glimpse in the college women's showers.
Posted by: Chris Becke at March 20, 2005 4:02 AM

Ross Anderson wrote a letter to The Economist magazine recently:

SIR – From the viewpoint of individual victims, identity theft is not theft but defamation (“What's in a name?”, March 5th). A forged signature is null and void, so if a bank carelessly pays a forged cheque drawn on my account then that is their problem, not mine. But two things have changed with electronic banking. First, banks now use contract terms to shift the onus of proof to the customer when there is a dispute. Second, credit agencies pass on derogatory information about defrauded account holders, long after they know that the account holder is the victim rather than the perpetrator. The remedy is to enforce existing law and restore the incentives for banks to properly authenticate their customers.

Ross Anderson

(Since he's in Britain, this may not apply the same way to US law.)

Posted by: Anonymous at March 20, 2005 12:43 PM

"In other cases, it's even easier. There are lots of webcams out there that are completely open to anyone who logs into them. You can even search for them using Google."

ROFL! HAHAHA!

Posted by: Wiz-Kid at March 22, 2005 5:11 AM

I was wondering if there is a way to control someone's webcam in this way. Let's say they visit a website, somehow their camera is then turned on and displayed to them on that website with them actually not doing anything to turn it on and being surprised that they can now see themselves on the internet. This would not be for malicious purposes but to kinda scare the person.

Posted by: olive green at October 18, 2007 6:28 PM