When Miss Teen USA announced she had been blackmailed over nude photos taken via her webcam, she said, "I wasn't aware that somebody was watching me [on my webcam]. The [camera] light didn't even go on, so I had no idea."
Is that possible, asked Naked Security. "Can webcams be rigged so as to record without the light coming on?" Chester Wisniewski, senior security advisor at Sophos, responded, "Some laptops allow you to turn the light on and off in software, others only work physically. I think it is certainly possible, if unlikely."
Now we learn, in a report published by The Washington Post, it is not only possible, it is done by the FBI. Details came to light in a Post article on court documents seeking – and gaining – authority to hack a suspect's personal computer and place spyware on it. "The FBI’s elite hacker team," reports the Post, "designed a piece of malicious software that was to be delivered secretly when Mo [the suspect] signed on to his Yahoo e-mail account, from any computer anywhere in the world, according to the documents." The method used is a classic spear-phishing attack. In this particular incident, the attack worked, but the malware failed.
However, the purpose was to obtain any information possible to tie Mo to bomb threats made shortly after 12 people were shot in a movie theater in Denver in July 2012. "The most powerful FBI surveillance software can covertly download files, photographs and stored e-mails, or even gather real-time images by activating cameras connected to computers, say court documents and people familiar with this technology," continues the Post.
According to Marcus Thomas, a former assistant director of the FBI’s Operational Technology Division in Quantico, and now on the advisory board of Subsentio, "The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations." It is apparently used sparingly to avoid the practice becoming common knowledge through the court applications for authority.
That authority is not automatically granted. One application noted by the Post and not involving Mo – which included the plan to activate the suspect's webcam – "was rejected by a federal magistrate in Houston, who ruled that it was 'extremely intrusive' and could violate the Fourth Amendment."
Nevertheless, it raises the possibility that this type of surveillance has been used by the FBI, and possibly other government agencies, without general public knowledge. "We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate," said Christopher Soghoian, principal technologist for the American Civil Liberties Union. "Judges are having to make up these powers as they go along."
French news site Numerama gives it wider relevance: "Webcam Kinect will probably no longer be seen in the same way as formerly by many players..."