Although they presumably have access to cutting-edge security tools and first-rate professional advice, Facebook CEO Mark Zuckerberg and Federal Bureau of Investigation Director James Comey still use a surprisingly low-tech piece of security equipment.
Both reportedly place a piece of sticky tape over their computers’ webcams to make sure that even if hackers get access to the machines, they still can’t spy through their cameras.
"There's some sensible things you should be doing, and that's one of them," Comey said at a September conference.
Years of reports have said that hackers, including some employed by the FBI, can sometimes activate webcams without turning on the indicator light, and research released last year by a team at the University of California, Berkeley, suggested that distracted users may not even notice the lights when they do turn on unexpectedly.
All of this has made physical security precautions to block out webcams and other recording devices—Zuckerberg reportedly also covers his computer’s microphone—more mainstream than ever. A recent survey from virtual private network provider Hide My Ass! reported that 82% of computer users polled were concerned about webcam spying, and that 35% had already taken steps to cover their cameras.
Hide My Ass! even released a promotional webcam cover, designed to allow would-be intruders to see nothing but a static image of a cat. "Instead of just blacking out a computer’s webcam with a piece of tape or a shutter, we wanted to give the public a way to protect their everyday privacy and simultaneously send a personalized message to intruders," said Cian Mckenna-Charley, the company’s marketing director, in a statement.
While there’s no sign that Zuckerberg and Comey themselves have ever had their webcams tampered with, the problem is more than just a theoretical worry. In 2014, a California man pleaded guilty to charges related to allegedly hacking into multiple women's computers, surreptitiously taking nude photos and attempting to blackmail his victims. Pranksters have reportedly also taken control of networked baby monitors, frightening parents and children. Computer stores have been accused of installing spying software on the devices they sell, and a Pennsylvania school district agreed in 2010 to pay more than $600,000 to settle a lawsuit alleging district employees spied on students through cameras installed on school-issued laptops.
In some cases, malware used to remotely activate webcams and spy on users has been used for international espionage, says Kevin Haley, director of security response at Norton by Symantec, the security vendor.
"We see these used by nation-states to spy on others," he says. "They’re done by criminals when they get inside an organization and they want to steal something."
Hackers can even hijack webcams in offices to observe people typing in passwords, he says. The sheer size and complexity of video files means that it's generally not possible to fully automate webcam snooping—a human typically has to be on the other end actually spying to make use of the hacked device. But there are still enough hackers more than willing to actively watch webcam feeds to make such attacks a threat, he says.
And since any software tools used to disable webcams, microphones, and other input tools can generally be overridden by hackers with sufficient control over a computer, physically obscuring the devices generally does make sense, he says.
"You could turn off the driver if you knew what you were doing on the machine, but of course, if somebody’s on your machine, they could turn it back on," he says, referring to the low-level software that controls the camera. "Blocking your webcam is kind of your last line of defense."
Makers of computers, phones, and other connected devices historically don’t provide built-in ways to physically disable potential spy gear. It could be that they are reluctant to provide built-in ways to block cameras and microphones since it would add to the complexity of the devices—and make potential customers think of hacking risk, which is hardly a great marketing point, he suggests.
"The last thing they want to do is make you think about somebody being able to spy on you when you’re trying to decide on a new computer," says Haley.
It also runs against a decades-old culture in the computing industry that emphasizes software control, rather than physical switches, in digital electronics, says Gunter Ollmann, the chief security officer at San Jose-based security firm Vectra Networks.
The risk isn’t just limited to traditional webcams, says Ollmann, whose company reported on vulnerabilities in one inexpensive networked camera earlier this year. He adds that internet-enabled household tools like home security cameras and networked TVs with cameras and microphones can also be hacked. So can videoconferencing tools often installed in offices, which can sometimes be used as a gateway into other office machines.
"Those webcams themselves are compromised as if they were a computer and used for additional nefarious harm into the network it’s connected to," Ollmann says. "The current generations of these technologies are still highly vulnerable to network exploitation and compromise."
In addition to taking physical steps to block or disable webcams and microphones—connecting an external microphone cord with nothing attached will often disable a laptop’s internal microphone—computer users can take traditional steps like keeping firewalls and security software up to date and monitoring device makers’ websites for security patches, he says. But many devices, especially those geared toward home users, simply don’t deliver security updates, even if newer versions are safer, he warns.
"There’s not an awful lot of product support for year-old technology in the consumer sphere," he says. "They’re just not patched or updated. Security is a cost to these companies."
Ultimately, that may mean that as such devices, not to mention smartphones, and wearable recording devices like Google Glass and Snapchat Spectacles become ever more ubiquitous, people may simply learn to guard themselves around any electronics and seek deliberately private spaces for private activities, he says.
Edward Snowden, the National Security Agency whistleblower, reportedly insisted his Hong Kong lawyers place their cell phones in a refrigerator to avoid remote spying, and some government agencies restrict where employees can bring personal devices for security’s sake.
"It’s not just our home to which we’re deploying these technologies," says Ollmann. "They’re now in our workspace and public and private areas, so we’ll constantly be monitoring against these things."