Last week, WSJ's Joanna Stern posted a piece in the Personal Tech column that pondered an interesting question related to the cameras that are now embedded into modern laptops – "How secure are these tiny eyes into our private lives?"
Interesting question. Well, tell me Personal Tech column, how secure are these things?
The bad news is, it was possible for Mr. Heid [a certified ethical hacker and chief research and development officer at Security Scorecard] to get into my Windows 10 laptop's webcam and, from there, my entire home network. He also eventually cracked my MacBook Air.
That sounds pretty bad, and might have many reaching for the electrical tape to cover their cameras. However, the very next sentence deflates much of the drama of its predecessor.
The good news is that both operating systems were initially able to thwart the hacker. It took me performing some intentionally careless things for him to 'succeed.'
Hmm… "some intentionally careless things."
This is where the narrative starts to fall apart. In fact, the hoops that Stern had to go through to allow the "hacker" access to a Windows 10 machine were quite detailed. Stern even goes as far as admitting to having "played along" with Heid's requests.
When I opened the attached Word doc, Microsoft's built-in, free anti-virus software, Windows Defender, immediately flagged it. When I clicked the link to the "reel," the file that began downloading was identified as a virus and deleted. The system worked, but I wanted to see what would happen if I were someone who didn't have anti-virus turned on in the first place, or who turned it off because it got annoying.
I went into Windows settings and disabled real-time virus protection. I was able to download the 'reel' without issue. But when I double-clicked the document, Microsoft Word opened it in a protected view. I intentionally dismissed the warning sign and enabled editing of the document.
That's a lot of playing along. In fact, it's only a few steps short of a hacker asking the victim to mail them the laptop, making sure to write the login password on a post-it note.
Getting into a macOS system was even more convoluted.
Hacking a 2015 MacBook Air running the latest MacOS version, Mojave, also required a multistep process (and some missteps by the "victim"). This time the malware was embedded in an .odt document, an open-source file format.
To open it, I downloaded LibreOffice. The free version of the popular open-source office suite isn't in the Mac App Store, however, so I had to disable the Mac security setting that prevents unverified developer software installation. This is something that comes up often when downloading the many popular apps that aren't in the App Store. (I could have paid $14 for a version in the App Store, however.)
Once I installed LibreOffice, I turned off its macro security setting, per the hacker's instructions. There are scenarios where you might do this—say, for instance, because your company used a specially designed inventory spreadsheet or sales form—but for most people, it's a bad idea.
Note: According to the piece, Heid was able to pull all this off using "off-the-shelf hacking tools," whatever they might be.
I'm sorry, but short of taking a screwdriver and wrenching the camera out of the laptop's bezel, I don't see any way to prevent a hacker gaining access to the system's camera when someone so compliant is at the wheel. If someone is willing to download this, install that, and disable the other, it's like the hacker is sitting at the keyboard, and pretty much has free rein over the system.
I'm also confident that someone paranoid enough to have a piece of tape over their webcam isn't likely going to be as obedient, and if they happen to strike that perfect balance between suspicious and obliging, there's little to prevent the hacker coming up with some bogus story to get them to remove the obstruction ("oh, that tape on the screen is covering the flux capacitor that's needed to power the decode circuits.").
Rather than make me wary of webcam security, Stern's piece reinforces just what a good job modern operating systems do of protecting users from hackers, even throwing up warnings to try to protect them from their unconscious incompetence.
For enterprises that hand out laptops to all and sundry, this is where educating users about risks, about not ignoring warnings, and maybe about not being so compliant when random folks remotely ask them to disable stuff pays dividends.
Maybe there is also a case for having laptops that don't have cameras installed, and to use detachable USB cameras where needed. But that only removes one attack surface. There's nothing stopping the hacker from just asking the oh-so amenable user to just email them the information they want.
I also find it interesting that the piece is worried about webcams, and suggests that sticking tape over them is sensible, while saying nothing about the built-in microphones that are also present in modern laptops.
The piece does go on to make some sensible recommendations in relation to password usage – which can be distilled down to "don't reuse passwords, and change ones that have been compromised" – which I think helps to accomplish a lot more than covering a webcam does.
That said, if you're using a crusty old laptop running an old operating system that hasn't seen updates in a while, then covering the webcam might make some sense, but the truth is that it'll just be the tip of the security headache that you're facing.
If covering your webcam makes you feel better, go for it. It's your laptop, and those eyes are looking into your work and life space. You can use something as simple as electrical tape or a sticky note; you don't need to invest in some special sticker to do the job. But I'd also recommend that you have a bit of a think about why you're doing this.
Do you cover your laptop's webcam? If so, why? If not, why not? Let me know!