It’s a truism that’s all too real – anything online can be hacked, and that includes that tiny lens above your laptop screen. And even if you’re already following the usual cybersecurity rules, it can be easy to forget about security for your computer webcam.
“Hacking webcams is more common than people think, largely because of how easy it is to do, how inconspicuous it is to the victim, and how pervasive webcams are,” says Jan Sirmir, Malware Analysis Team Lead at cybersecurity firm Avast.
A webcam can be hijacked through a legitimate app, program, or device that has a vulnerability exploited by attackers. Or, users might unwittingly download malware from phishing links, email attachments, or even a compromised website. This malware would allow a hacker to gain access to a webcam, allowing them to turn it on, watch and record everything that goes on, all without the victim realizing.
So how easy is it to hack a webcam? “Rather easy, but it is unlikely with the right precautions in place,” says Jeramy Kopacko, Sophos Senior Solutions Engineer. Here are nine things you can do right now to stop hackers in their tracks.
1. Use a webcam cover and microphone blocker for your laptop
Mark Zuckerberg is known to tape over his laptop webcam, as is ex-FBI Director James Comey. Physically covering the webcam means that if someone remotely controls the camera, they won’t be able to see anything and a mic blocker will prevent eavesdropping.
You can cover your webcam with a piece of black tape, or for a solution that blends a little more seamlessly into your laptop design, pick up a sliding webcam cover. We like Elimoons ultra-slim aluminum webcam covers ($7.99 for a three-pack at Amazon). Just be sure to remove the cover BEFORE shutting your laptop, especially if the webcam sits behind the glass that covers your display (see photo below). Apple recently issued a warning that webcam covers can damage the display on its MacBook and MacBook Air laptops.
For a mic blocker, Kopacko recommends the Mic-Lock Microphone Blocker ($6.99 on Mic-Lock, check price on Amazon). When plugged into your laptop’s 3.5mm jack, “the accessory works by tricking your device into thinking the mic is working functionally - the caveat being that an app, service, or even malicious actor cannot listen in. For those looking to save the $10 or so, a piece of tape will likely muffle the equipment enough to make your conversation difficult to eavesdrop."
Windows users can also buy software to block your webcam and mic. Kopacko recommends ShieldApps Webcam Blocker ($30), which will block and notify you of attempts to breach your webcam or microphone. There are free alternatives, he notes, but they don't receive software updates.
2. Turn off the external webcam for your desktop computer when not in use
If you have an external webcam for your desktop (not laptop), turning it off or unplugging it when it’s not in use is a simple way to prevent remote online access by cyber-attackers. “We’re all beholden to software companies to keep us safe. We can still enforce the physical portion of our safety,” says Kopacko.
Note that both Windows PCs and Macs let you determine which apps can use your microphone or webcam. (Windows users can go to Settings > Privacy > Camera and Settings > Privacy > Microphone. Mac users can go to System Preferences > Security [& Privacy] > Privacy.) However, if an app is compromised and allows a hacker to gain access to your device, it's entirely plausible they could enable those components anyway, says Kopacko.
3. Update your video conference app
Last year, security researchers found a security flaw in the Zoom app that would have allowed hackers to access users’ webcams by exploiting a vulnerability in a feature that allowed people to join meetings instantly. The company has since released a software update that patched this vulnerability, but while phone apps tend to update automatically, computer users often need to check and install updates manually.
This goes for all your apps – regularly check for updates and install them as soon as they’re available. “Exploiting out-of-date software on any device, webcams included, is another route that cybercriminals can take to access cameras,” says Sirmir.
4. Download apps only from official stores (and check the requested permissions)
This goes for video conferencing apps as well as apps in general, on both mobile and computer. Official stores include the site of the app itself – just make sure the software is trustworthy, by googling something like “privacy concerns” along with its name.
“On mobile, installing software from untrusted sources can lead to spyware finding its way onto your device that is capable of recording footage from your private life via the in-built camera,” says Sirmir.
And before installing any app, always read through the permissions it requests – does that free game really need access to your camera?
5. Be wary about clicking links
Whether in emails, texts, or online ads, clicking a malicious link could end up downloading malware that provides unauthorized access to your webcam – and via that, your computer or phone.
“Clicking on malicious links or downloading untrusted content that infects your device with malware is probably the most common hack targeting webcams,” says Sirmir. “If you’re sent a link or attachment in an email with grammatical errors or a heightened sense of urgency in the message, or if the sender’s email address looks strange – do not click or open it. It’s likely to contain malware.” For instance, sometimes hackers will try to make it look like the email is coming from a company with an address like email@example.com or they'll use a “spoofed” email address to make it appear that it is coming from someone you trust (check out our story How to Tell if an Email Has Been Spoofed).
6. Install a strong antivirus solution with webcam protection
Some antivirus programs for Windows and Mac specifically offer webcam protection features. These block access to the camera from unauthorized applications unless you allow it, alongside the usual cybersecurity protections such as anti-phishing. “This will help to prevent even the most targeted and seemingly legitimate emails from infecting your device,” says Sirmir.
7. Be wary of tech support scams
“People also need to be cautious of remote tech support,” says Sirmir. Remote tech support scammers, for example, can take advantage of the access they’ve been granted to laptops or computers by installing malware on them when consumers call up requesting help. Such malware would provide remote access to a device and its data, including control of the webcam.
If, in the course of web browsing, you suddenly see random pop-ups claiming your computer has been infected and that you should call Microsoft or Apple for tech support to fix the problem, hold up. The number will connect you to scammers who often request over-the-phone payment or remote access to your device – for fixing non-existent issues.
Sometimes this scam operates via phone calls or emails from those purporting to be tech support reps of trusted brands. Still, the danger is equivalent: When you provide remote access for a so-called technician, this allows someone to view all data on your device, as well as install programs that can be used to monitor you or steal your data. “Microsoft will not call you direct about a virus, ever. Scammers love to pose as a trusted brand,” says Kopacko.
And next time you do need computer repairs, make sure you trust the source providing tech service, whether you’re leaving your device in-store or providing remote access.
8. Change default passwords for other internet-connected cameras
Don’t forget those other webcams in your smart security system such as that pet camera or your baby monitor. These smart home devices often ship with default logins that are widely available online – and which many people neglect to update.
“Make sure you change the default password to access the device, and if possible, enable multi-factor authentication,” advises Kopacko. Regularly check for updates to these devices’ software, and ensure you’ve applied the most recent patch available to reduce the risk of a vulnerability being exploited.
9. Turn off your computer when not in use
Malware can’t turn a computer on when it’s physically off, says Kopacko. So, turn off your computer when you’re done using it instead of letting it go into sleep mode.
[Image credit: cybercrime illustration via BigStock, Apple, Mic-Lock]