In this story, someone took control of a webcam using the Subseven Trojan.
In other cases, it’s even easier. There are lots of webcams out there that are completely open to anyone who logs into them. You can even search for them using Google.
Occasionally, such trojans hijack the cameras with hilarious consequences:
http://www.ntk.net/bo2k/
(from 1999)
theorbtwo • March 18, 2005 8:59 AM
Presumably, the reason that people use viruses to hack into people’s web cams when there are ones simply open is that the USB/firewire ones are more “interesting”. The ones sitting open tend to be sold as do-it-yourself security cameras, or easy-to-do scenery webcams, and thus aren’t in people’s bedrooms. (I suppose it’s possible that they get used for security cams covering changing rooms, etc, but I doubt that, somehow.)
Davi Ottenheimer • March 18, 2005 9:31 AM
Yawn.
I thought the Register had a more interesting tidbit here about the lack of common-sense security features in Windows: http://www.theregister.co.uk/2005/03/18/windows_server_firewall/
Perhaps some analysis would help this blog entry…something like “note to ‘security’ camera vendors: taking a month or two to properly test and secure your products will more than pay for itself in the near term.”
or
“Cam attacker is caught. Once again, we see trojans at work, but are we at a point that someone should be held liable? Software company, camera company…”
Israel Torres • March 18, 2005 9:46 AM
This was one of the juiciest cam “hacks” of all time (no virus/trojan needed):
http://www.graffe.com/forums/showthread.php?t=26886
By searching google with “inurl:”ViewerFrame?Mode=”
an attacker could easily pick from a vast array of targets (before most of them were “corrected”). Nothing special had to be done other than click the link to “pwn” the webcam, and the attacker could even control it and reprogram it. In the link above a lot of the kiddies spend some serious time into repositioning the webcam on the victim’s system and even the victim – while they are wondering why in the world the camera appears to have a mind of its own. Most of them figure out that their webcam by default is not in a “secured” state …
Israel Torres
alek • March 18, 2005 11:23 AM
While I had a number of neferious attempts (based on web server log entries) to take over my christmas webcam – see http://www.komar.org/cgi-bin/xmas_webcam – I don’t believe any of those were successful, although they would have been a bit “disappointed” if they had been successful! 😉
Davi Ottenheimer • March 18, 2005 12:16 PM
@Resonant Information
Technically speaking, the article is about SubSeven, which was a trojan that controlled the cam, not about weaknesses in the cameras themselves. As Israel points out, the google crawl attack was based on a unique interface URL that acted as a fingerprint.
Perhaps you should clarify your statement “a lot of webcams are horribly insecure by default” to be something more like “when you connect a webcam to a Microsoft OS, your horrible insecurities and risk of exposure might get even worse”.
H Heaton • March 18, 2005 4:05 PM
Lens cap. The less that $1 solution.
Chris Becke • March 20, 2005 4:02 AM
If one ignores the fact that technology was involved, it seems a pretty steep fine for a guy doing what movies have glorified and generations before have attempted – get a glimpse in the college womens showers.
Anonymous • March 20, 2005 12:43 PM
Ross Anderson wrote a letter to The Economist magazine recently:
SIR ? From the viewpoint of individual victims, identity theft is not theft but defamation (?What’s in a name??, March 5th). A forged signature is null and void, so if a bank carelessly pays a forged cheque drawn on my account then that is their problem, not mine. But two things have changed with electronic banking. First, banks now use contract terms to shift the onus of proof to the customer when there is a dispute. Second, credit agencies pass on derogatory information about defrauded account holders, long after they know that the account holder is the victim rather than the perpetrator. The remedy is to enforce existing law and restore the incentives for banks to properly authenticate their customers.
Ross Anderson
Cambridge, Cambridgeshire
(Since he’s in Britain, this may not apply the same way to US law.)
Wiz-Kid • March 22, 2005 5:11 AM
In other cases, it’s even easier. There are lots of webcams out there that are completely open to anyone who logs into them. You can even search for them using Google.
ROFL! HAHAHA!
j00 h4v3 b33n 0}wn3d!
olive green • October 18, 2007 6:28 PM
i was wondering if there is a way to controls someones webcam in this way. lets says they visit a website, somehow their camera is then turned on and displayed to them on that website with them actually not doing anything to turn it on and being surprised that they can now see themselves on the internet. this would not be for malicious purposes but to kinda scare the person.
Kate • November 16, 2008 1:21 PM
Is this true really?
Coz sometimes my BUILT IN webcam light comes on and sometimes it doesnt.
=| Really though it’s scary.
Mr. Zzzzzzzzzzzzz • November 16, 2008 4:02 PM
Yes Kate, it is possible to remotely control someone’s webcam.
Even for when this blog post was made (2005) this was old news.
I’d be more scared if this feature can be abused by Joe Cracker: http://news.cnet.com/2100-1029_3-6140191.html
Mr. Zzzzzzzzzzzzz • November 16, 2008 4:06 PM
erp … and this link: http://www.schneier.com/blog/archives/2006/12/remotely_eavesd_1.html
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Corbin • March 18, 2005 8:19 AM
I remember seeing how to find them using google a while ago (it numbered in the thousands for just 1 brand). I’m not really surprised that hackers would take over webcams (though not sure why they would go to the effort of using SubSeven when theres so many w/ a web based interface pointing to the world.