Without wishing to scare you, the short answer is: it’s very easy for anyone to view your webcam. The long answer is: some networked webcams require nothing more than a secret URL, while most USB or built-in laptop webcams would need the computer to be compromised first.
Here are three ways of viewing a webcam without your knowledge.
The Obvious: Spy Software
Remote Administration Tools (or RATs) are often installed in corporate environments to help upgrade, configure and track machines remotely. In 2010, two high schools in the Lower Merion School District had lawsuits brought against them for using the remote monitoring features of an application called LANrev without students' knowledge. The Mac laptops were issued and owned by the school, and used by the students for home study. However, the security software that had been installed on these machines contained a feature called Theft Track, which enabled the administrators to remotely view the webcams.
Despite claims that the feature was only used in cases of reported laptop theft, many students reported briefly seeing the webcam indicator light flicker on, and some took measures to tape over the camera. The district later admitted 56,000 images of the students had been taken.
A newer version of the software has since been released which has this feature removed.
Fix the problem: tape over the webcam if you’re using a borrowed machine – you never know who might be watching.
The Easiest: Bugged Networked Cameras
Particular models of TRENDnet cameras, which have since been patched and are no longer sold (though thousands remain in use), were vulnerable to a degree that any sane person would find terrifying: an attacker needed only to know the public IP address of the camera. These cameras are typically used in small businesses, home security, and to monitor children and babies.
Although TRENDnet tried their best to contact the leaked list of affected IP addresses, a year on about 5% of them remain accessible. You can see from the screenshot below that most are now inaccessible. However, it is still possible to scan for these cameras, and more up-to-date lists can be found on hidden Tor nodes.
I’m not making this up: here’s the live stream from that restaurant which isn’t yet fixed. If you know where it’s located, do let them know.
A number of Foscam-branded cameras were all subject to a similar bug, requiring the attacker to simply hit Enter when asked for a username and password to view the live stream. Unfortunately, Foscam also specialise in baby monitors. The difference in this case was that these baby monitors had a built-in speaker, through which the parents could remotely soothe their child. As it turns out, so could anyone who accessed the cam using the hack, as two families (August 2013, April 2014) found out the hard way, having woken up to obscenities being shouted at their babies.
… the camera then turned from his petrified daughter to point directly at him. “Then it screamed at me,” Adam said. “Some bad things, some obscenities. So I unplugged the camera.” (Quote from FOX19 interview)
Fix the problem: if you own a Foscam (model numbers: FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W, and FI8919W), update the firmware immediately. TRENDnet customers, visit the support page to see the full list of affected models and to download an update.
Better still – don’t plug a camera into the Internet, and if you absolutely must, then ensure you register the device with the manufacturer’s website so that should a security breach occur, you’ll be the first to know about it and able to take action. The trouble is, of course, that bugs such as this can be in the wild for years before anyone has the slightest clue – as was the case with the recent Heartbleed OpenSSL bug.
More Difficult: Any Webcam
Hacked networked cameras are one thing – they’re designed to broadcast their images anyway, just not normally to the entire world – but is it possible to access any old regular laptop webcam? And would you even know if it was being accessed?
The good news is that generally speaking, no, a hacker can’t simply sit here and type in a URL to look at your webcam. What they can do though, is systematically scan a network for vulnerable operating systems and automatically inject a Trojan if something useful is found. This is fairly easily thwarted by staying behind firewalls, closing ports that aren’t needed and staying up to date with security fixes – in other words, taking a basic level of precautions. This is why using Windows XP is now thoroughly dangerous: there will be untold numbers of bugs left unfixed from this point forward.
Instead, it’s more likely a hacker will simply ask you to install a Trojan, and you’ll do it quite willingly. This might be through a malicious email attachment disguised as a .scr or .exe file; a rogue webpage which you visit in a vulnerable browser (Internet Explorer 9, 10 and 11 were recently affected by this nasty bug); or something as simple as a phone call from a purported Microsoft employee offering to fix your virus-infected Windows machine (which wasn’t infected, but now is).
The point is that once the attacker has installed their Trojan rootkit on your machine, anything is possible – including opening up your webcam stream. The tool most commonly in use today is called Metasploit, which once installed opens up a smorgasbord of remote control functions, including key logging and remote viewing of webcams. Your system is thrown wide open for the hacker.
Most webcams have some kind of LED that indicates when they’re on, but depending on the hardware this can be bypassed – so you wouldn’t even know.
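Because the LED cannot be trusted, the operating system is a better place to ask who has the camera open. The following is an added example, not part of the original article: it assumes a Linux machine where webcams appear as `/dev/video*` devices, and the function names are illustrative.

```python
import os

def process_name(proc_root, pid):
    """Read the short command name the kernel records for a process."""
    try:
        with open(os.path.join(proc_root, pid, "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"

def camera_holders(proc_root="/proc", dev_prefix="/dev/video"):
    """Return sorted (pid, name, device) for every process holding a camera open."""
    found = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # only numeric entries are processes
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or needs root to inspect
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith(dev_prefix):
                found.add((int(entry), process_name(proc_root, entry), target))
    return sorted(found)

if __name__ == "__main__":
    holders = camera_holders()
    if not holders:
        print("no process currently holds a camera device open")
    for pid, name, dev in holders:
        print(f"{dev} is open in pid {pid} ({name})")
```

Run it as root to see processes owned by other users; an unfamiliar process name holding the camera while no video application is running is worth investigating.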
So the answer to “how easy is it for someone to hack my webcam?” is really… it depends. But you can make it as difficult as possible by having the latest security updates installed and running a reputable virus protection system, as well as simply educating yourself about the various attack vectors that hackers will use.