

The Hacker is Watching - gatsby
http://www.gq.com/news-politics/newsmakers/201201/luis-mijangos-hacker-webcam-virus-internet?printable=true

======
defen
"Mijangos told me that he'd figured out how to turn off a camera's LED,
cloaking himself completely."

Anyone know if this is actually possible? I don't know anything about laptop
cameras, but it seems like you wouldn't want the LED to even be under
software/firmware control - just put it in series with the camera circuit. An
LED has to have a significantly lower failure rate than a camera, right?

~~~
artursapek
That was interesting. I also have a hard time believing his claim about
infecting a phone with a text.

~~~
breckinloggins
There would have to be a buffer overrun in the text message handling code plus
a way to exploit it in 160 characters. That sounds difficult, unless I'm wrong
about the fact that the carrier enforces the limit.

I could maybe see doing it with MMS or iMessage. The more I think about it,
the more interesting this question is...

Has anyone heard of any exploitable flaws in a phone's SMS software?

~~~
tryke
CVE-2009-2204 was a vulnerability in iOS' SMS handling (versions < 3.0.1).

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2204>

------
dexen
Doesn't take a hacker to watch through a webcam. Lets not forget the 2010
story of school spying on students at home:
[http://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School_...](http://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School_District)
They even disciplined the student for breaking some school regulation while he
was being observed...

------
safetyscissors
This article seems a bit sensationalised. It kind of reminds me of the late
90s early 2000s where NetBus and BackOriface were popular.

~~~
drdoooom
the good old days.

------
chrisdroukas
"Whoever devised the malware—a sophisticated program capable of dodging
antivirus software—clearly had a leg up on university cops."

You don't say.

------
nessus42
I miss the old Apple iSight webcams that had a metal iris that would close
when you turned it off. There was a time when Steve Jobs apparently didn't
want to be Big Brother.

~~~
dholowiski
My asus laptop has a physical shutter that i can close.

------
tomjen3
Good, then I wasn't too paranoid when I put aluminum foil over the webcam on
my laptop (which for some reason didn't have an LED attached to it).

Interestingly enough if the guy had used tor and an online hosting system
brought with his stolen credit cards, he would properly never have been court.

------
six881
Well this is quite the coincidence.

After years of thinking people were 'paranoid' for putting stickers/tape/etc.
over their webcams, just yesterday I started doing the same thing.

Like most people, I also used to think the indicator light would always come
on when the webcam was active (as in, it would be part of a hardware circuit
or something similar), but I now know this is not the case (at least on my own
laptops).

One example of this is the Prey anti-theft agent[1]. If your laptop is stolen,
you can remotely take pictures using the laptop's webcam (similar to what
happened in the many 'stolen laptop' stories we've seen on HN where images of
the thief are then posted online). When I test out this feature of Prey on my
own laptop, it successfully takes the pictures for me but the webcam's
indicator light is never turned on. It's worth trying this for yourself.

Anyway, (IMHO) you're better safe than sorry since a tiny sticker isn't a big
deal.

[1] <http://preyproject.com/>

~~~
paxswill
As an anecdote, I noticed in my tests of Prey that I just don't notice the
light in that instant it's turned on. If someone wants to jut get quick
pictures of who's using your computer, momentary blinks are probably going to
be unnoticed while longer periods of activity are more likely to be noticed.

------
enneff
"Then again, the bureau hadn't seen this kind of webcam hijacking until it
heard about Mijangos."

Huh? I remember seeing trojans that could do this back in 2000. I find it hard
to believe that this hasn't come up before.

------
Karellen
"Mijangos wasn't looking for trouble, not at first at least, but information
on coding is just a few clicks from sites on criminal hacking."

WTF?!?

OK, literally, that /might/ be true, /if/ you had the right search terms to
start with. But "just a few clicks from" is also a pretty obvious metaphor for
"not far from" or "almost similar to". The author is basically implying "ZOMG
most software developers are out to spy on you naked!"

What is this, part of the War On Things You Don't Understand?

Fuck that.

------
glimcat
And that's why you can still charge a humorous amount of money to reboot
someone's computer with a diagnostic disc in the drive.

------
driverdan
This guy was clearly full of shit when he claimed to be able to infest both
Blackberries and iPhones via text.

~~~
bri3d
It's certainly not unheard of for memory corruption issues to exist in SMS
handling code - see <http://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2009-2204> . There's also a pretty wide remote
exploit vector in MMS - you have an entire TCP + HTTP stack, image decoder,
and render mechanism to exploit in that case. I don't know of any published
MMS exploits in the wild for any recent phones, but that's not to say it's
impossible.

I do agree that the article as a whole sounds like 90s/early-2000s paranoia
combined with the standard glorification of "cyberpunks," though - it's just
not the "iPhone via text" anecdote that's raising red flags.

