Aaron Aupperlee | September 17, 2016

Covering webcam 'doesn't hurt,' not a replacement for good computer security, experts say

FBI Director James Comey does it and thinks you should, too.

A piece of tape or cover to block the webcams built into laptop screens can serve as a robust cyber-security measure against hackers.

“There's some sensible things you should be doing, and that's one of them,” Comey, whose FBI notoriously hacked webcams to spy on targets, said last week during a conference at the Center for Strategic and International Studies in Washington.

But how at risk are we to webcam hacks? Cyber security professionals told the Tribune-Review that webcam hacks on an ordinary, everyday, average American are rare, but a piece of tape is a small price to pay for peace of mind.

“Most casual users, you probably don't need to worry about it,” said Trevor Hawthorn, chief technology officer of Wombat Security, a Pittsburgh-based cybersecurity company that gives out branded sliders that sit on top of a laptop and can cover a webcam. “We literally give them away for free.”

Hawthorn covers his webcam. So do Wombat's top executives. But Hawthorn also stressed that they — and Comey and Facebook's Mark Zuckerberg, who also tapes his webcam — are not your average computer user.

Hacking a webcam is an easy way for hackers to prove they are in control. Releasing images from a hacked webcam can be embarrassing to people in the security field or public eye. Hawthorn could lose clients who doubt his firm's capabilities. Zuckerberg could lose Facebook users who question how secure their accounts are. For Comey, the risks extend to compromising investigations or national security.

Those results could be attractive to a hacker. Photos of you or even your personal information likely aren't.

“If somebody is going to take the time, the energy and maybe the money — if a hacker is going to make that investment in those things — it better have some sort of payoff,” Hawthorn said.

Hackers typically gain access to a person's computer, and thus their webcam, through a piece of malware. Hawthorn said hackers can write their own malware or buy ready-to-use products on the Internet's seedy underbelly, known as the “dark web.” Once armed with malware, the hacker has to install it on the target's computer. This is most commonly done through an email that contains a link or an attachment: click on the link or download the attachment, and the hacker is in. Once inside, the malware connects back to the hacker. Now the hacker has access to personal information, can monitor keystrokes to steal passwords and credit card numbers and can activate a webcam without the user's knowledge.

“It's not that easy, but certainly there are certain people out there that have perfected their craft,” Hawthorn said.

“Me personally, yes, I do cover my webcam, but that's not my only security precaution. If you think about it, putting tape over your webcam, that's a security measure you put in place in case everything else fails. This is your last stopgap.”

David Brumley, CEO and co-founder of ForAllSecure, the Pittsburgh company behind Mayhem, an autonomous computer that won a Defense Advanced Research Projects Agency-sponsored hacking competition, agreed with Hawthorn that the average person's risk to webcam hacking is low. Brumley, also director of Carnegie Mellon University's CyLab Security and Policy Institute, said he doesn't typically agree with the FBI's approach to cybersecurity but does agree with the director on the tape issue.

“I would say that's a pretty reasonable thing to do,” said Brumley, who admitted he doesn't tape his webcam. “It doesn't hurt, but by the time they're able to look at your webcam, they're able to capture all our keystrokes anyway.

“It's not like that piece of tape is a replacement for really good security.”

Brumley hopes Mayhem, which competed in a digital game of Capture the Flag — protecting itself while attacking others — will develop into a tool that can automatically detect a computer's vulnerabilities and patch them before hackers have the chance to exploit them.

“Mayhem's goal isn't necessarily to stop someone from hacking and taking over your webcam. It is to prevent someone from accessing your system altogether,” Brumley said.

Aaron Aupperlee is a Tribune-Review staff writer. Reach him at 412-320-7986 or aaupperlee@tribweb.com.