back to article Flash flaw potentially makes every webcam or laptop a peephole

A security flaw thought to have been fixed by Adobe in October 2011 has reappeared thanks to a new vulnerability involving Flash Player browser plug-ins. The as yet unpatched vulnerability creates a means to seize control of webcams without permission before siphoning off video and audio from victims' PCs. The clickjack-style …

COMMENTS

This topic is closed for new posts.
  1. Refugee from Windows
    Alert

    Wonder how

    Does this exploit cope with the piece of black insulating tape stuck over the webcam?

    1. Anonymous Coward
      Anonymous Coward

      Re: Wonder how

      How do you masturbate on Chat Roulette?

      1. Anonymous Coward
        Anonymous Coward

        Re: Wonder how re: anon@08:20

        with one hand

    2. Dave Ross
      Happy

      Re: Wonder how

      Be even safer, never turn your computer on!

    3. Velv
      Headmaster

      Re: Wonder how

      As per the article:

      "Tinfoil hatters who tape over webcams when they aren't in use have been vindicated by the discovery of the problem."

    4. Mark Allen

      Re: Wonder how

      Black tape doesn't stop the mic from working.

      1. WonkoTheSane
        Thumb Up

        Re: Wonder how

        Not needed if you don't use the USB hub on the monitor.

        Laptop users, however may have a problem doing that.

      2. Aitor 1

        Re: Wonder how

        Well I have an HP "Elitebook". The mic failed in 3 months.. so maybe the answer is "buy crap".

        1. Anonymous Coward
          Anonymous Coward

          Re: Wonder how

          It didn't fail, HP travelled back in time, bought the microphone company and then wound it down like every other acquisition and so the mic ceased to exist.

          HP - Your trusty technology terminator.

      3. Euripides Pants

        Re: Black tape doesn't stop the mic from working.

        Superglue does.

    5. Anonymous Coward
      Anonymous Coward

      Re: Wonder how

      Has anyone got some 'sample' exploited user links I can click on for a proof of concept? Preferably used by nubile females so that I can feel appropriately sympathetic.....

    6. Anonymous Coward
      Anonymous Coward

      Re: Wonder how

      Why don't laptop manufacturers all:

      1. Have a little plastic door which slides across the front of the webcam; and

      2. Combine this with a switch which isolates the microphone (directly in the signal path, not via the CPU)

      Problem solved in 99% of cases.

      Just my 2¢, which is approximately what this would cost to implement.

      1. JaimieV

        Re: Wonder how

        It'll add a couple of mm to the depth of the bezel, which is a no-no in the current MacBook Air led style market.

        I'm pretty sure I had a Compaq in the early 2000's which had a slide cover, nothing new under the sun!

    7. Anonymous Coward
      Anonymous Coward

      Re: Wonder how

      Disable the Mic and Webcam in Device Mangler! Its the easiest option and its fast to undo.

    8. Anonymous Coward
      Anonymous Coward

      Re: Wonder how

      +1, but remember that duct tape does nothing to disable microphones.

  2. Anomalous Cowshed

    NSA conversation

    "Hello Sir? This is X, technical press monitoring service"

    "OK X, what you got"

    "We can access webcams now, apparently there's a flash flaw"

    "Well done, X. We didn't have that yet. It's one small webcam for each man, one giant leap for electronic surveillance."

    1. Justicesays
      Devil

      Re: NSA conversation

      >"Well done, X. We didn't have that yet. It's one small webcam for each man, one giant leap for electronic surveillance."

      I'm thinking the reply would actually be along the lines of:

      "Is that it? We've had that for years, Adobe is an American company after all, we got them to put a back door in.

      Keep me informed if it turns out this is the back door being discovered rather than a bug."

  3. Anonymous Coward
    Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    1. Psymon
      FAIL

      Re: Surprise!

      Really?

      I mean, come on! Nobody can be this stupid, surely?!?

      You sir, have to be trolling, but in case you aren't, I shall explain for the hard-of-thinking. Flash is Adobe, Chrome is Google.

      No Micorosft products listed here, good sir!

      Wow. They walk among us!

    2. Miek
      Linux

      Re: Surprise!

      Sadly, that is not the case.

    3. Anonymous Coward
      Anonymous Coward

      Re: Surprise!

      The article doesn't mention Microsoft even once, so I can only assume you were reading something different

      1. Evil Auditor Silver badge
        Coat

        @AC 09:01 GMT Re: Surprise!

        The article doesn't mention Microsoft even once, so I can only assume you were reading something different

        No, all you can assume is that the comment was posted by Eadon.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC 09:01 GMT Surprise!

          Let's be realistic. They specifically mention PC's, Chrome and Flash. Almost all users of this combination are going to be running Windows.

    4. Anonymous Coward 15
      FAIL

      Re: Surprise!

      Eadon, you seem to have ticked the AC box by mistake.

    5. Jess

      Re: Surprise!

      The article doesn't state that this exploit is limited to chrome on windows, though it most certainly won't work on my Mac. (Because chrome isn't available for it.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Surprise!

        Lighten up! That's a classic "The Register" comment from a few years ago that I like to post on any security related article. It emphasises the point that it is popular things that get hacked, not buggy things. For years MS were held up as being crap with security because of bad design or poor programming. Now Google are popular we're starting to see that it's nothing to do with how well you design or code something and all to do with how much hackers want to hack you.

        In ten years MS will be nowhere, Google will the new, incumbent monopoly abusing mega corporation and some new company will have all the tech fan boys salivating. The more things change....

        1. Anonymous Coward
          FAIL

          Re: Popular, not Buggy things get hacked.

          Whilst it's true that without the popularity, nobody would bother, without the bugs it wouldn't be possible

          So have a nice big 'fail' for your [il]logic.

      2. Amorous Cowherder
        Facepalm

        Re: Surprise!

        "The article doesn't state that this exploit is limited to chrome on windows, though it most certainly won't work on my Mac. (Because chrome isn't available for it.)"

        Oh yeah? Strange as I when I wander along to the official Chrome download link via Safari it seems to recognise my Hackintosh box and offers me the latest version of Chrome of OSX!

        1. jubtastic1

          Re: Surprise! > Chrome

          Chrome on Mac requires 10.6 and up, there are a lot of old PPC machines still running 10.5

          1. Slabfondler
            Pint

            Re: Surprise! > Chrome

            I'll grant you that, glad I don;t have one though.

          2. cordwainer 1
            Go

            Re: Surprise! > Chrome

            There are not only PPC but also Intel Macs still running OS 10.5 Leopard, and even 10.4 Tiger. Chrome won't work on those either as it requires OS 10.6 minimum.

            Fortunately, however, many of those Macs are still vulnerable to the Java exploit that must be manually dealt with in older OS versions. So while users may not get the exhibitionist enjoyment of being secretly voyeured via webcam, they can still look forward to other forms of clandestine computer control :-D

      3. kinrossian
        Happy

        Re: Surprise!

        Chrome is available on Macs. I use it. But maybe will use Safari now until this is fixed...

      4. Slabfondler
        FAIL

        Re: Surprise!

        @Jess "though it most certainly won't work on my Mac. (Because chrome isn't available for it.)"

        Wow, just wow - what are you running on your mac? Chrome on Mac supported on OSX up to three years old. http://www.google.com/mac/

        1. Anonymous Coward
          Anonymous Coward

          Re: Surprise!

          I suspect Jess has a PowerPC Mac, while it's true that chrome supports 10.6 and above, 10.5 is the last OS X to support non-intel chips.

    6. The BigYin

      Re: Surprise!

      But it's not an MS exploit, it's an Adobe Flash exploit. Flash still runs on GNU/Linux when using Chrome.

      GNU/Linux has exploits too (which is why we get kernel updates etc). Almost all beyond trivial "Hello World" programs will have exploits.

      A PC is only secure as the monkey who configured it.

      That said, I do prefer GNU/Linux. That is partly personal preference, partly the fact I enjoy freedom and partly because I want to keep off the enforced upgrade-cycle. I can't afford a new PC every couple of years.

      As for webcams....

      1) They should have a physical cover; and

      2) They should have an indicator light hard-wired to the webcam power and beyond software control (cam is on? That light is on, no way to bypass without a soldering iron).

      1. DuncanL

        Re: 2) They should have an indicator light hard-wired to the webcam power

        Some do - my Logitech Pro 9000 has an orange ring that fades up and glows round the lens. Never really thought of it as a security feature before - neither I suspect did the designer who did it because it looks "cool"!

        1. The BigYin

          Re: 2) They should have an indicator light hard-wired to the webcam power

          A lot of those lights are software controlled though. Aye you 100% sure that Logitech one is hardwired to power?

        2. Anonymous Coward
          Anonymous Coward

          Re: 2) They should have an indicator light hard-wired to the webcam power

          "neither I suspect did the designer who did it because it looks "cool"!"

          Designer fail... "cool" features are implemented with blue LEDs, everyone knows that!

      2. eulampios

        @The BigYin

        Let's make it much easier:

        1. Use GNU Linux or *BSD, always check for and install updates whenever those are available (just click on that red button!)

        2. Make sure to have flashclock, adblock plugins and turn off java plugin on the browser (not only it is a matter of security but also a threat of getting annoyed by stupid ads)

        3. I prefer Firefox, it has a noscript plugin. Elinks, w3m, lynx and other text browsers still make a lot of sense.

    7. Anonymous Coward
      Anonymous Coward

      Re: Surprise!

      "Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft."

      Because Microsoft software is ubiquitous! Not difficult to understand is it?

      Why waste your time trying to attack a platform with a handful of users (in comparison).

      People don't need to stop using MS products. They need to realise that everyone out there is trying to get your cash, and if you're stupid enough to ignore a threat, you deserve to be hit.

      Platform has F-all to do with it. If OSX was the ubiquitous OS, OSX would be hit just as hard.

      W O W. Never thought that one through! Hardly surprising, I encounter this everyday from 100's of people.

      1. Anonymous Coward
        Anonymous Coward

        @Obviously!

        No, I refuse to use sarcasm tags, even when people like you make it so, so obvious that they are needed.

        This is an article about a bug with Flash on Chrome. MS don't make either product.

        To be fair, I often post ill thought out rants on the register if I'm having a shit day. Can I suggest a dinner time beverage? It may make the afternoon less fraught.

  4. Suburban Inmate
    Go

    Go back to Firefox?

    I just switched back to Mozilla Firefox, prompted by diabolical Flash performance and the fact that Chrome was bloated beyond belief. I still had the same flash problem on FF, unable to even play 420p youtube videos smoothly, until I happened upon the solution of disabling protected mode in Flash (disabling hardware acceleration made no difference). Thankfully I'm sensible when it comes to NoScript permissions, but I would hesitate when it comes to a non-technical user's system.

    1. eulampios

      @Suburban Inmate

      Although I have no problem watching flash videos in Firefox or Chromium and html5 performance is better than that of flashplayer, 720/1080p on both the older and low end hardware. I'd still recommend watching videos with a video player. I use mplayer or vlc. Try watching youtube videos in vlc.

  5. Graham Marsden
    Boffin

    "Tinfoil hatters who tape over webcams when they aren't in use"

    Or sensible people who have webcams with a manual shutter that's only opened when they're actually using the webcam...

    1. Anonymous Coward
      Anonymous Coward

      Re: "Tinfoil hatters who tape over webcams when they aren't in use"

      A shutter is hassle.

      Get a Microsoft LifeCam Cinema, One of the best USB cameras there is - and it has a nice blue warning light whenever it is active....

      1. Anonymous Coward
        Anonymous Coward

        Re:and it has a nice blue warning light whenever it is active....

        ..that is impossible to hack because?

        1. Anonymous Coward
          Anonymous Coward

          Re: Re:and it has a nice blue warning light whenever it is active....

          Because unless you are blind, you get a clear warning if it is on when it shouldn't be...

          1. Anonymous Coward
            Anonymous Coward

            Re: Re:and it has a nice blue warning light whenever it is active....

            FFS! I meant hack it so the light doesn't come on. Security obviously not your strong point....

            1. Anonymous Coward
              Anonymous Coward

              Re: Re:and it has a nice blue warning light whenever it is active....

              Shit, yeah, sorry. I'm not very clever....

            2. Anonymous Coward
              Anonymous Coward

              Re: Re:and it has a nice blue warning light whenever it is active....

              Right, so unpack, disassemble and hack the 'on camera' firmware - and somehow bypass Microsoft's codesigning checks, and flash a new copy - just to disable the LED?

              Security is my strong point actually, and we are heading into the world of fantasy for effort required versus result versus number of target users...

              And as far as I aware, this vulnerability doesn't let you do things like flash USB device firmware...

              1. Anonymous Coward
                Anonymous Coward

                Re: Security is my strong point actually,

                so you think "impossible to hack" means "tricky to hack" but you expect us to believe that security is your strong point? It's not. There's "cannot be hacked" and "can be hacked", "tricky to hack" fits in the second group.

        2. Annihilator
          Boffin

          Re: Re:and it has a nice blue warning light whenever it is active....

          "..that is impossible to hack because?"

          Because it's 99.9999% guaranteed to be a hardware trigger related to when power is heading for the CMOS chip.

  6. Wize

    Still looks like a bug in flash

    "Because the dialogues are on the same page as the adversary's code, they can overlay things, make it opaque, and so on, to effectively hide the dialogue warning."

    Surely you would have to then click the warning dialog box to accept before they had access to your webcam, or is Adobe saying they let them have access then they put up a warning dialog box to tell you its already happening?

    1. Al Jones

      Re: Still looks like a bug in flash

      If the warning can be made transparent, you can design your page so that the warning shows up lined up over a checkbox that the user is going to click anyway - instead of clicking "I agree to the terms and conditions", the user is actually clicking on the (transparent) Adobe permission box/button.

  7. heyrick Silver badge
    Coat

    Funny how this "discovery" comes so soon after the confirmation of PRISM...

    Mine's the one with the tin foil hat in the pocket.

    1. Anonymous Coward
      Joke

      in your pocket?

      It's not going to do much good in your pocket.

      1. Anonymous Coward
        Anonymous Coward

        Re: in your pocket?

        But make it the right shape and it'll look good on the TSA perv-scanners.

  8. MrDamage Silver badge

    Simple

    Turn the camera to face away from you when not in use. That way, all they get to see is the wall behind the monitor, and all they hear is the sounds of heavy breathing, and "fapfapfapfapfap".

  9. Anonymous Coward
    Anonymous Coward

    Let's get, err ...practical

    Does this danger still exist even after clicking the Flash web control not to allow it to access camera/mic?

    1. Matthew 3

      Re: Let's get, err ...practical

      Good question and one I'd like to know the answer to.

  10. pewpie
    Black Helicopters

    I have it on good authority...

    ..if you type the name 'Lucius Fox' into Google, it will cause the entire surviellance grid to explode in a beautiful shower of sparks.

  11. The Vociferous Time Waster

    Hardwired lights

    I don't want a hard wired warning light on my webcam because I have software to capture the image of any tool who steals it.

    1. TheVogon
      Mushroom

      Re: Hardwired lights

      You might not like what you see: http://www.vice.com/en_uk/read/plumbergeddon

  12. Glenn Charles
    Thumb Down

    Always-on

    Which is precisely why I objected to the change in computing thinking to the always-on computer and consequent vulnerabilities. Of course there was the miserable failure of "sleep" in the good old Windows system or worse "hibernate" which they assured us would take care of any possible ills. So we should have written our OWN platforms, back in the early days...nvm.

    Lol

This topic is closed for new posts.