Can hackers spy on you through your devices' camera and microphone?

Who’s using the camera and microphone on your device?

Cybercriminals are working hard to breach mobile devices’ security. Can they gain access to a victim’s embedded camera and microphone?


An unsecured smart device could give hackers VIP access to your sensitive conversations and paperwork – digital and physical. As such, it pays to be proactive about mobile device security – whether you’re a low-level employee, CEO or a newly elected world leader handling classified documents and discussing global affairs.


But first, a completely unrelated Tweet:



Can the camera above your phone or laptop screen really be used to spy on you? Can hackers really listen in with the built-in microphone? Let’s examine these concerns and how people at all levels – and security clearances – in an organisation can guard against them.


How at-risk are devices?


There’s an adage that the only secure device is no device, and there’s a grain of truth to that. It’s safe to assume that, for every gadget out there, someone is actively working on a way to compromise it. With the growing presence of smartphones and tablets in modern organisations, business and network security is increasingly dependent on mobile security.


Already, mobile-enabled data breaches are causing problems for a number of organisations. A joint report from Lookout and the Ponemon Institute found that 67 per cent of organisations have experienced a cyber intrusion as a result of mobile device usage. The financial damage and resulting impact on corporate reputation and brand equity from such breaches can be staggering – reaching up to US$26.4 million (AU$34.4 million).


But can these attacks involve the taking over of a device’s camera or microphone? Yes, and it’s already been done.



The crackdown on creepware


We’ve looked at the dangers of malware in the past, so it should come as no surprise that this type of malicious code is once again at the heart of a cybersecurity risk. Malware unwittingly installed on a victim’s device – be it smartphone, laptop or tablet – is a key strategy for hackers looking to gain access to a camera or microphone.


With malware, a hacker can see everything this smartphone's camera can.With malware, a hacker can see everything this smartphone’s camera can.






This intrusion method was the focus of the 2014 Blackshades raids, a global crackdown on hackers that led to 90 arrests following a two-year operation, according to a CNN report.


Blackshades is a sophisticated piece of malware that can remotely control computers, whether that be reading files, logging keystrokes or accessing the embedded webcam. Because it is inexpensive, can run undetected and provides such unmitigated control, it quickly became a popular remote administration tool – or RAT – in worldwide cybercriminal circles.


One Blackshades attack involved encrypting victims’ files and holding them hostage – much like with Cryptolocker malware – but it’s the ability to access the device’s webcam that earned it the nickname creepware.


The moniker is rather apt, as Blackshades could give a hacker with minimal skills full view of wherever a victim had their laptop open, such as a conference room, office or even their bedroom – a major breach of personal and business cybersecurity.



Access under the radar


The effectiveness of Blackshades and other forms of creepware comes from the ability to control a camera and microphone without alerting victims. On an uninfected device, it is quite clear when the camera is active – laptop webcams typically have an indicator light, and smartphones will open an on-screen preview of what the camera sees.


So, how does creepware find a way around these safeguards? It’s a fairly simple explanation: Shutting down those indicators is an easy feat for people with strong technical skills. Matthew Brocker and Stephen Checkoway – researchers from Johns Hopkins University – proved this by using a vulnerability to disable the LED indicator on the Macbook iSight camera. Building upon their results, Szymon Sidor – a 2014 doctoral student at MIT – discovered a workaround to the indicator on embedded smartphone cameras. He created an app that ran in the background and opened the image preview in a 1×1 pixel window – virtually invisible to a device’s user.


Watch Szymon’s program in action here:




Guarding against creepware


It’s important to remember that creepware such as Blackshades and methods of accessing a camera undetected are just another type of malware, which means organisations are clearly at risk.


3 per cent of employee’s mobile devices will be infected with malware at any given point.

The Lookout and Ponemon Institute report found that, on average, 3 per cent of employee’s mobile devices will be infected with some form of malware at any given point. These malicious programs have a number of routes onto a device, but some of the most common include phishing attacks and compromised apps. In fact, in its 2016 Mobile Threat Report, McAfee noted that there were 37 million pieces of malware found on outlets like Google Play and the Apple App Store in a six-month period.


The bottom line is that there are many ways for cybercriminals to gain access to common business devices, including their embedded cameras and microphones. Organisations have their work cut out in combatting this risk, but they don’t have to go it alone.


Telarus’ mobility services provide organisations with solutions that securely connect employees to their company’s private network, bypassing the risks inherent with the public internet. We also mitigate online risk with our managed security platform. To learn more, contact Telarus today.

Related Stories