Why webcam indicator lights are lousy privacy safeguards
That tiny light next to your webcam is supposed to play a big role in protecting your privacy — it lets you know when the camera is recording. But, if you're like most people, you probably won’t notice when it’s on at all, which means you wouldn't know if someone is surreptitiously filming you.
"Every time that the webcam indicator is on, the webcam is recording," says Rebecca Portnoff, a PhD candidate at the University of California at Berkeley. "Even if you think it’s impossible, that you haven’t Skyped anyone, that you’re not recording anything, that it must be some kind of glitch, the webcam’s recording."
The webcam light is a type of privacy indicator, which is a notification that a user’s data is being collected in some way. Other privacy indicators include the green Secure Sockets Layer lock in the website address bar that indicates a secure connection or the pop-up on a smartphone asking for consent to share your location with an app.
"One of the big problems we see today is that it’s really hard to know how an application is using your data," says Serge Egelman, a research scientist at UC Berkeley’s Department of Electrical Engineering and Computer Science. "Once you’ve granted access to it, it’s essentially gone."
In a study presented at conferences earlier this year, Ms. Portnoff and five of her Berkeley colleagues examined the effectiveness of webcam lights. At various points during the experiment, the webcam, along with the LED light, turned on and made a 10-second recording.
Fewer than half of the participants noticed that the light was on when they were doing computer tasks, while only five percent who were working on a paper-based task in front of the computer noticed the light turn on. Most people also didn’t understand that the light meant the camera was recording.
While webcam lights can save people from embarrassment in an unintended Skype or FaceTime call, not noticing the light can also open people up to a specific kind of malware known as a remote administration tool (RAT), which can be used to access victims' webcams, microphones, screens, and files.
Portnoff became interested in the topic while browsing Hack Forums, which hosts discussion boards for topics such as gaming and coding as well as topics on hacking techniques such as “ratting,” a digital attack that involves infecting victims’ machines with a RAT.
“Given that people do things like changing their clothes in front of their computers and taking their computers into the shower with them so they can listen to music and all sorts of stuff,” Portnoff said, “we think it’s critical to pay attention to the problem of getting users to notice the webcam LED even when they’re not actively on their computer.”
It is difficult to get an accurate count for how many people are victims of this kind of spying because of a lack of reporting on an individual level, but Paul Shomo, a digital forensic specialist at the security firm Guidance Software, said ratting should be taken seriously despite the lack of concrete statistics.
“Where we’re seeing it a lot right now is against federal targets,” he said, “which is very likely state-sponsored cyberterrorism, but could also be cybercrime syndicates.”
The kind of ratting Mr. Shomo is referring to doesn’t always involve a webcam. Oftentimes at the state level, Shomo said, the attackers are targeting information to steal. These attackers can be significantly more advanced than the amateur attackers seeking easy ratting solutions on Hack Forums, and RAT malware can be difficult to detect. Shomo has seen cases in federal agencies and companies where ratting malware was not discovered for over a year.
For the lower-end ratting involving webcam spying, Mr. Egelman, the Berkeley researcher, notes that it isn’t likely to happen on a particularly large scale because there needs to be a human on one end actively using the software to access the victim’s camera. Still, the consequences can be severe.
To help users become more aware of when the camera is in use, the second part of the study tested a new indicator. When the webcam turned on, an opaque red camera icon would fill the screen and shrink into the upper right hand corner, blinking for seven seconds before it went away.
Awareness of the light improved dramatically. More than 90 percent of participants noticed the camera turn on while doing computer-based tasks. It did not, however, substantially increase understanding that the light’s presence meant the camera was recording.
Until better indicators are developed for the webcam, Portnoff and Egelman recommend placing a sticker over the webcam and using antivirus software. For other applications, pay attention to what permissions they ask for.
“The biggest thing is to be cognizant of what data could be collected,” Egelman said, “and then trying to make informed choices about which services and applications actually use them.”