Over the weekend my friend sent me an article claiming that the FBI can secretly activate webcams to spy on people without turning on the LED. That is a juicy headline, and I found many articles leading with that bombshell. They all referenced a Washington Post story that described the hunt for an elusive potential terrorist named Mo. It seems like a great deal of nuance was missed in some of the posts about this story, so I thought it merited some clarification.
Hacking the Webcam
At first glance, the impression is that the FBI’s hacker team can simply commandeer anyone’s laptop and turn it into their own surveillance system. According to the story in the Post, however, the user would still need to open a file or click a link to initiate a malware intrusion. Basically, the same tactics used by phishing scammers to steal your credit card information can provide the authorities with a way into your computer. Practicing good internet security protocols (don’t click unknown links, go to the actual website rather than linking from inside an email, etc.) should be enough to defeat this type of FBI surveillance.
The second huge revelation is this notion that the webcam can be activated and viewed remotely without turning on the LED that indicates an active video feed. Since the first webcam was built into the bezel of a laptop, the prospect of an active camera controlled by an outside entity has given the willies to countless users. Are you SURE the LED has to come on when the camera is working? Of course, even the telltale light hasn’t been enough to protect people from unwanted viewing as we saw when a school district spied on students through their school-issued laptop webcams.
Can this even be done?
The Post reports that the FBI has been able to turn on the camera without activating the LED for years, according to former Bureau official Marcus Thomas. I was skeptical… could the FBI, elite though they are, really be able to achieve a security breach that the whole of the global hacker community has been unable to decipher? What if they had inside information on the design of the camera module… a back door to go through? That would require complicity from the manufacturer. If they can do it to any webcam, then that complicity would be spread across many manufacturers from multiple countries. The practicality and jurisdiction of this don’t really add up. Even if we grant that they can gain access to the camera through their malware attacks, I am unclear on how they would deactivate the LED. If the light is an indicator to confirm that the camera is on, it would be logical to have the LED and camera power wired together. That kind of hard connection would make it impossible to decouple the two via a software command. This is just speculation on my part, as I am not very familiar with camera PCB layout, but it does seem like the logical way to link the two.
One important detail to note: the FBI malware never worked as intended in tracking Mo, and he has not yet been arrested or even located. Maybe the whole issue of whether webcams are being hacked like this exists only in the hypothetical for the time being.
As is common with stories like this, the law has not adequately kept pace with the advancement of technology. Surveillance has become more difficult as communication moves away from tappable phone lines onto mobile devices, VOIP, peer-to-peer video, and cloud-based information transfer. It is only natural for law enforcement to push the limits of what it can do to get information. I won’t delve too deeply into the balance of security vs. civil liberty, but I will say that at least in the case of Mo and several others referenced by the Post, warrants were required to initiate these operations. The fact that warrants were denied in some cases also proves there are (for now) constitutional limits on the reach of the investigators. That is some comfort in a time of looming uncertainty for online personal privacy.
For all the sophistication of the FBI’s search capabilities, at least the area of webcam security has some foolproof protections. An opaque physical shield can still defeat any attempt to spy through that camera lens. Some options:
And this reliable old standby.
This is a story worth following as further developments emerge. More details may clarify exactly what kind of access the FBI can truly gain. Until then, keep an eye on that webcam.