The Latest Weapon in Your Battle for Online Privacy: Duct Tape

Duct tape: You can use it to make wallets. You can use it to remove warts(!). You can use it to hem your pants, to catch pesky flies, to create a makeshift bandage, or, should it come to that, to save your life during an aborted space mission.

And add one more use to the list: Duct tape can also help you to protect your privacy as you use your computer. Maybe even the computer you are using to read these very words right now. Because you know how the camera that's built into many machines is supposed to indicate its on-ness or off-ness with a light? And how you are taught to assume, quite logically, that an off light means an off camera?

Not always, apparently. 

A story published earlier this month in The Washington Post featured Marcus Thomas, former assistant director of the FBI’s Operational Technology Division, telling the paper that the agency has long had the ability to activate a computer’s camera—unbeknownst to the computer's user. As the Post summed it up:

The FBI has been able to covertly activate a computer’s camera—without triggering the light that lets users know it is recording—for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations.

And new research from Johns Hopkins, reported yesterday by the Post's Ashkan Soltani and Timothy B. Lee, offers an external confirmation of that claim. Stephen Checkoway, a computer science professor, along with his grad student and co-author, Matthew Brocker, found a way to bypass the security features of the Apple machines. They focused on 2008-era devices, which feature a "hardware interlock" between the camera and the indicator light meant to ensure that the camera can't turn on without alerting its owner to the activation.

In other words: They'd found a way to bypass the green light, in every sense. 

In their paper (title: "iSeeYou: Disabling the MacBook Webcam Indicator LED"), the pair describe how they, essentially, hacked into the Apple computers' iSight devices, reprogramming the cameras' micro-controllers in a way that would allow for independent activation. And in a way that would allow the activator to bypass the indicator light. Their research, it's worth noting, has not yet been published—but it is, the Post puts it, "under consideration for an upcoming academic security conference."

And it's not simply 2008 Mac products that are vulnerable, Soltani and Lee write.

While the research focused on MacBook and iMac models released before 2008, the authors say similar techniques could work on more recent computers from a wide variety of vendors. In other words, if a laptop has a built-in camera, it’s possible someone—whether the federal government or a malicious 19 year old—could access it to spy on the user at any time.

Checkoway and Brocker contacted Apple about their findings, they note in the paper, in July. And while "Apple employees followed up several times," they write, "they did not inform us of any possible mitigation plans."

Think about that for a second. Think about the relationship you share with your computer. You likely spend more of your daily hours in its presence than you do in the presence of your spouse. Or your children. Or your best friend. Your personal computer, often, sees you when you're sleeping. It knows when you're awake. It is Santa Claus, basically, is what I'm saying, which makes it fairly frightening that its automated list of your daily doings can be hijacked by people who are considerably less jolly than St. Nick. 

Soltani and Lee report on another abuse of the built-in camera—one that involved a man, Jared Abrahams, iSight-spying on a woman (who identified herself as Miss Teen USA Cassidy Wolf). Abrahams sent pictures of Wolf to her—pictures he had taken using her own computer. The FBI says it found software on Abrahams’s machine (a Remote Administration Tool, or RAT) that allowed him to spy remotely on Wolf, along with "numerous other women." Abrahams pleaded guilty to extortion in October. 

So what's to be done? There are, perhaps, legal solutions—the kind we may well be heading toward when it comes to the surveillance of the NSA. There are, perhaps, software solutions: hacks to battle the hacks. Or the answer, as it so often does these days, may come down to the compliance of Apple itself. Perhaps, some have suggested, Apple could simply build into its newest computer models a flap that would cover the iSight lens when it's not in use—a complicated software problem solved by an elegant hardware solution. 

Until then, though? I suggest you find your own elegant solution—your own little hardware hack that will cover your camera lens as you use your computer. While companies and agencies and universities do their dance over your privacy, you should probably, at the very least, go get yourself some duct tape. 

Important update: Don't just take my word for the whole duct tape thing ... take Stephen Colbert's.

Thanks to Evan Selinger for the tip!