Are viruses that can activate computer and smartphone cameras 'real'?

Factual Questions
1

Ever since personal computers and smartphones became widespread in Western world and internet connectivity to large amounts of info rose across the world, computer viruses have become an inventable nasty side effect.

I’ve been hearing for a while about companies like Yahoo,Microsoft,Skype,Sony Entertainment etc…getting hacked. The list is too long to write down. With the revelations by Edward Snowden, it seems that state-sponsored agents apart from the US are also responsible for some major hacks of governments, high profile individuals and companies.

However what disturbs me about viruses is that those that can activate video and audio recording on electronic devices without your knowledge. I know the NSA, FBI, CIA obviously has the technological capabilities and probably legal loopholes that allow for this. But can anyone hack into my computer and spy on me covertly and possibly drain my bank account?

Is this something that anyone can design and is a possible threat or is it just mostly paranoia?

A good example is a series of hacks in August 2014 informally known as ‘The Fappening’ where notable female celebrities had their Apple accounts hacked and sexual images of them were leaked onto 4chan and Reddit.

Now my question is assuming this incident hadn’t occurred, I would make a reasonable guess that these celebrities would have rudimentary computer skills and mild caution over computer privacy. With this in mind, could a random hacker implant spyware on their computer and monitor or extort them for money?

2

According to Wikipedia "The images were obtained via the online storage offered by Apple’s iCloud platform for automatically backing up photos from iOS devices, such as iPhones."

Also: “*How hackers attack webcams
Most hackers utilize so-called Trojan horse attacks, says Stiennon. You click on an attachment or download a piece of music or video infected with malware, and a hacker is able to remotely control your PC’s functions.”

Official Site | Norton™ - Antivirus & Anti-Malware Software*

3

It is unquestionably possible for you computer to be compromised in a way where someone can remotely access it, its camera, and take pictures of you. A dated example of such a program is Back Orifice 2000.

It does not even need to be malicious software. For example, in Robbins v. Lower Merion School District, school officials used “security software” inappropriately to spy on kids in their home. There are less creepy examples too, like people activating the anti-theft features on their Apple laptops in order to take picture of the thief once they turn it on.

So yes, it is very possible. It is also very rare and anyone with half-decent antivirus doesn’t need to be worried unless they are a person of interest to the NSA or something. The celebrity hack involved stealing existing photos rather than taking photos.

I wrote this thinking of a PC, but a cellular phone would be vulnerable too. More so an Android phone rather than an iPhone, especially if you are side-loading apps.

4

Organizations, whether legitimate (intelligence agencies) or not (hacking groups) are going to do their best to maintain a cache of software exploits, i.e., vulnerabilities in different software programs that they know how to leverage to gain control of a computer. The best exploits are called “0-day” exploits, which represents the number of days the vulnerability has been known to the public. Once a company releases a patch for a certain vulnerability, the clock starts ticking, because the patch will almost always reveal to the world what the vulnerability was, which puts every unpatched copy of the software at risk. This is why automatic updates are now standard practice.

Most hackers don’t have access to good 0-day exploits, because finding them and maintaining secrecy is hard and costs money. But that doesn’t matter, because you can take a 30-day exploit and scan the internet for versions of that software that haven’t been patched yet. If 90% of computers are patched in a week, that still leaves a healthy target pool. For 99.9% of technologies users, having a basic firewall and getting automatic updates is enough to stay safe, because most bad guys only have the resources to go after the low hanging fruit.

If you’re famous, though, or have attracted the interest of the NSA, then someone somewhere is going to have to figure out what software you have installed on your device and put together an attack vector using their cache of 0-day attacks. It will probably still have to involve some social engineering - a spear-phishing attack, for instance, to get you to expose some basic service to the internet (most home PCs just don’t have a lot going on that might be exploitable). If they want to leverage your webcam, they’ll have to figure out the specific hardware you’re using so they can crack/update the firmware to get the camera to turn on without the light. This also takes money and time; it’s not going to be as easy as it looked in Snowden.

tl:dr; If you take basic precautions and aren’t of particular interest to anybody, you’re probably fine.

5

There is a tremendous difference between “hacking” as in “writing and installing malware on somebody’s device” and as in “I successfully guessed Suzy Celebrity’s password and used a box-stock computer and browser to log onto iCloud as her and download all her pix, even the naked ones she probably shouldn’t have taken in the first place.”
What is the worst that hacking can possibly do to you? Take all your money and trash your reputation. What is the most probable amount of hacking you will suffer in your life? Zero.

What actually happens over your life will fall somewhere in the middle. Take some basic precautions, use good passwords and different ones for every site & app, and all will be well.

Think about it just like this:

What is the worst that crossing a street can possibly do to you? Cripple or kill you. What is the most probable amount of harm from crossing streets you will suffer in your life? Zero.

What actually happens over your life will fall somewhere in the middle. Take some basic precautions, look both ways before stepping off the curb, and all will be well.

6

Since this is in GQ, I’d like to correct this inaccurate statement. “The list” is not too long to write down. “The list” is finite, in fact it is a subset of a finite set.

7

Also consider what your laptop camera and phone camera are usually pointing at 99% of the time - the inside of your pocket, the ground, and the wall on the far side of the room.

8

One of the scariest possible exploits is the Stagefright bug.

Someone sends you a specially crafted multimedia text message. Without even opening it, certain Android phones can then be taken over. Any malware could then be installed which can do whatever it wants on the phone without the user being aware.

Works easily on Android 2., 3. Harder to exploit on 4.*. Supposedly fixed on 5 and higher.

There are tons of bugs that require you to visit a web site, open an email or a text message (example), etc. to infect your computer. This one doesn’t require any of that.

One of the problems is that a lot of phone owners don’t have the option to upgrade to a newer OS. If your phone is “old” (maybe just a year or two since release), the provider may not want to waste money providing an upgraded or patched system.

The state actor type people work with elite commercial entities to find and use exploits that few if any others know about. Who knows how many Stagefright type bugs are out there.

9

Fortunately there’s a simple and unhackable way to protect your computer’s camera from unauthorized use. Put a piece of opaque tape over the lens when you’re not using it. Depending on how often you use the camera, this may or may not be viable.

The LED on the camera is supposed to tell you when it’s activated. Unfortunately, there is a way for a hacker to disable the LED.

10

And the reverse is true, that the LED may be lit when the camera isn’t active. For example, most webcams also have built-in microphones, and if you run an application that could use the microphone then it may activate your webcam to make that microphone available when needed. So the LED will be on when the camera isn’t in use. The bottom line is that the LED is not a reliable indicator of the camera’s status either way.

11

True, the list is not* too long* to write down, but it is growing faster than you can write, and as long as new companies can be created without restriction it is for practical purposes an infinite set. The OP’s statement is figuratively useful in describing the situation.

12

The OP starts talking about camera and microphone monitoring but ends up with bank account draining. Those two things don’t really go together. If I wanted to steal all your money the cam & mic are two things I’d not bother messing with.

13

I am old. As in: old enough to get away with ignorance of "all this damned computer and ‘smart phone’ crap the kids these days are using.

Yet I seem to be among the few who understand that “if it is online, it will exist forever and can be stolen/copied by anyone who wants it”.

I did security protocols for software updates on computers when a “computer” filled a large, cool room (they require cooled air).
The lesson: you cannot keep anything safe - all you can do is raise the level of effort required to steal it.

Fort Knox is the old standard. Cheyenne Mountain is a newer example.

The Web is the ultimate challenge for young males - and those people will invest truly scary amounts of time to learning enough to break something.

The “Cloud” has the potential to allow the harvesting of simply everything.

For starters, we need a requirement that the owner of a bit stream be pointedly informed if you are going to, under any circumstance, put the bit stream in a public area. Esp. if that area is the cloud - which, by definition is to be readily accessible by everybody in the whole damned world.

And this time “everybody in the whole damned world” is NOT hyperbole. Scary, ain’t it?
(yeah, yeah, I know: “That’s not how the cloud works - you don’t know what you’re talking about”.
No, I do not have any idea how to place on, or retrieve from, the cloud. But I understand the concept of a massive public database containing simply everything.

Air gaps, people - air gaps.

Is it really too much to ask that you write down your note and carry it with you? Do you really have to share it with the world?

Did any of the “celeb” women whose sex pics were pulled form Apple’s cloud sue Apple for unauthorized distribution? Yeah, I know - it was in the “Terms and conditions” that you automatically click to get past that silly screen.
I want a Court decision on “did that sentence, buried on 3 pages of really tiny print, constitute agreement to put images in a public place?”

14

I’m…not going to click on that.

Not really. I don’t really want strangers looking at my vacation pictures or reading my email, but I’m not exactly scared of it, either. My bank account is of greater concern, and has better security on both ends, but even there, is it scarier than the possibility that the bank itself could go under in a recession or be hacked? Is it scarier than the fact that a stock market crash could wipe out my retirement? Or (like LSLGuy said) the fact that I could get hit by a bus when I cross the street?

As for the celebs in the Fappening, I would guess that for most of them, they didn’t want the public looking at their sexy pics, but weren’t so bothered by the idea that they wanted to avoid storing them on line. The ones who were that bothered made a mistake and learned a lesson, but I bet plenty of them continue to do it, because there are worse things than having your sexy pics leaked. Not to condone what happened, or minimize the trauma for those who were genuinely traumatized by the loss of privacy (and I’m sure they were many) but is it worse than having your house broken into? Having your accountant run off with your life savings? Starring in a feature that goes direct-to-DVD? I feel bad when I read about those things happening, but I don’t expect celebs or anyone else to completely change their lifestyle to partially mitigate the risk. You take reasonable precautions and prepare for the worst, just like anything.

15

"Yet I seem to be among the few who understand that “if it is online, it will exist forever and can be stolen/copied by anyone who wants it”.

actually that’s a technical fallacy as as soon as programming gets changed or websites get updated or webhosting goes out of business things like pics do become non viewable and or erased … … in fact the SDMB its self lost several years worth of content in early 2004 or 5 when due to I wanna say hacking type stuff when we were down for 3 months aka the "winter of our missed content " what makes it last forever is google keeping backups of the pics when the original host has taken it down ect…

Although of an of note is theres always the ones whos scandal is a badge of honor …Years ago there was a scandal with a cheerleader assistant who partied with the kids and they were taking pics and one of the males wanted a pic of her and another cheerleader he liked together

now its always been unclear whos idea it was but they decided to take the pic topless with their arms around each other

it was such a big deal at the time and people were moralizing and fired and the like like above … the other day I clicked on the now college age girl who was in the pic in a clickbait “what ever happened to … articles” The unedited pic is her facebook profile page … and she had a new pic right next to it saying " still hot as ever and a shout out to the assistant "

16

To me, there is no question that computer viruses are “real” – of course they are. But the question I find fascinating is, are they “alive”? There is (or was some years ago when I read about this) a substantial number of CS professionals who would say they meet the same criteria of life as biological viruses, aside from the biological part.

17

By any reasonable definition of life, computer viruses are not alive. Neither are biological viruses.

And speaking as a computer science professional, the opinion of computer science professionals on what constitutes life is no more authoritative than that of any random person on the street. So get a few more opinions than mine. :slight_smile:

18

Then again, most biologists don’t consider biological viruses to be “alive”, either. And it’s a much smaller jump from a biological virus to something that’s unambiguously alive than it is for a computer virus. For one thing, a biological virus causes its host to produce proteins, the building blocks of a cell, but a computer virus does not cause its host to produce silicon chips and copper wire.

19

There is no magic lightbulb inside a microbe that tells you whether something is “really” alive. We know what viruses are and what they do. We know a whole lot about what cells are and do. “Alive” and “life” are labels that we made up and can apply to whatever set of characteristics we like. Most biologists find it more useful to have a label for everything made out of cells that does the things cells do, and a different label for things that are made out of nucleotides and proteins that do the things viruses do. A few would rather have a label for all of those things together and a different label for everything else. There is no deep mystery there and no “real” answer.

20

This is the wrong way to think about it. Software is patient. It doesn’t matter what the camera is pointing at most of the time. It matters if it ever points at something sensitive or private.

I believe that this is very wrong. The most probable amount of hacking you’ll suffer in your life is quite a lot. The chance that zero of your data will be hacked is close to Zero. Yahoo announced in the last year that they had about 1.5 billion accounts compromised. Most people reuse insecure passwords on many accounts. Pretty much every car currently released allows components that connect over radio to the outside world access to the CAN bus, which is unsecured. Hospitals are increasingly getting hit by ransomware. The NSA has the budget and capacity to record every voice call made everywhere in the world, and their contractors regularly exfiltrate sensitive data.

Seriously, the chance that your data and devices will remain secure in perpetuity are pretty darn close to NIL.

The consequences don’t have to be catastrophic. Keep an eye on your email and bank accounts, use a password manager with a strong password, and go buy an old school Polaroid for your sexy pics.