Hackers Taking Over Webcams

In this story, someone took control of a webcam using the Subseven Trojan.

In other cases, it's even easier. There are lots of webcams out there that are completely open to anyone who logs into them. You can even search for them using Google.

Posted on March 18, 2005 at 7:25 AM • 15 Comments

Comments

Corbin • March 18, 2005 8:19 AM

I remember seeing how to find them using Google a while ago (it numbered in the *thousands* for just 1 brand). I'm not really surprised that hackers would take over webcams (though not sure why they would go to the effort of using SubSeven when there's so many w/ a web based interface pointing to the world).

theorbtwo • March 18, 2005 8:59 AM

Presumably, the reason that people use viruses to hack into people's web cams when there are ones simply open is that the USB/firewire ones are more "interesting". The ones sitting open tend to be sold as do-it-yourself security cameras, or easy-to-do scenery webcams, and thus aren't in people's bedrooms. (I suppose it's possible that they get used for security cams covering changing rooms, etc, but I doubt that, somehow.)

Davi Ottenheimer • March 18, 2005 9:31 AM

Yawn.

I thought the Register had a more interesting tidbit here about the lack of common-sense security features in Windows: http://www.theregister.co.uk/2005/03/18/...

Perhaps some analysis would help this blog entry...something like "note to 'security' camera vendors: taking a month or two to properly test and secure your products will more than pay for itself in the near term."

or

"Cam attacker is caught. Once again, we see trojans at work, but are we at a point that someone should be held liable? Software company, camera company..."

Israel Torres • March 18, 2005 9:46 AM

This was one of the juiciest cam "hacks" of all time (no virus/trojan needed):
http://www.graffe.com/forums/showthread.php?...

By searching google with "inurl:"ViewerFrame?Mode="

an attacker could easily pick from a vast array of targets (before most of them were "corrected"). Nothing special had to be done other than click the link to "pwn" the webcam, and the attacker could even control it and reprogram it. In the link above a lot of the kiddies spend some serious time repositioning the webcam on the victim's system and even the victim - while they are wondering why in the world the camera appears to have a mind of its own. Most of them figure out that their webcam by default is not in a "secured" state ...

Israel Torres

Davi Ottenheimer • March 18, 2005 12:16 PM

@Resonant Information
Technically speaking, the article is about SubSeven, which was a trojan that controlled the cam, not about weaknesses in the cameras themselves. As Israel points out, the google crawl attack was based on a unique interface URL that acted as a fingerprint.

Perhaps you should clarify your statement "a lot of webcams are horribly insecure by default" to be something more like "when you connect a webcam to a Microsoft OS, your horrible insecurities and risk of exposure might get even worse".

Chris Becke • March 20, 2005 4:02 AM

If one ignores the fact that technology was involved, it seems a pretty steep fine for a guy doing what movies have glorified and generations before have attempted - get a glimpse in the college women's showers.

Anonymous • March 20, 2005 12:43 PM

Ross Anderson wrote a letter to The Economist magazine recently:

SIR – From the viewpoint of individual victims, identity theft is not theft but defamation (“What's in a name?”, March 5th). A forged signature is null and void, so if a bank carelessly pays a forged cheque drawn on my account then that is their problem, not mine. But two things have changed with electronic banking. First, banks now use contract terms to shift the onus of proof to the customer when there is a dispute. Second, credit agencies pass on derogatory information about defrauded account holders, long after they know that the account holder is the victim rather than the perpetrator. The remedy is to enforce existing law and restore the incentives for banks to properly authenticate their customers.

Ross Anderson
Cambridge, Cambridgeshire

(Since he's in Britain, this may not apply the same way to US law.)

Wiz-Kid • March 22, 2005 5:11 AM

In other cases, it's even easier. There are lots of webcams out there that are completely open to anyone who logs into them. You can even search for them using Google.

ROFL! HAHAHA!
j00 h4v3 b33n 0}wn3d!

olive green • October 18, 2007 6:28 PM

I was wondering if there is a way to control someone's webcam in this way. Let's say they visit a website, somehow their camera is then turned on and displayed to them on that website with them actually not doing anything to turn it on and being surprised that they can now see themselves on the internet. This would not be for malicious purposes but to kinda scare the person.

Kate • November 16, 2008 1:21 PM

Is this true really?
Coz sometimes my BUILT IN webcam light comes on and sometimes it doesn't.

=| Really though it's scary.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.