Your television can watch you while you’re watching it; your notebook can follow you when you surf the Web and your smartphone can secretly scan every corner of your house. All these pictures could then land in the hands of hackers. Such a scenario may sound like part of a Michael Bay movie, but it is a real threat, as our connected devices are equipped with cameras that are not well protected and can allow people unauthorised access with relative ease.

There have been cases of PC rental agencies exploiting such weaknesses to track their customers, and even schools have tracked students without their knowledge. Amongst the many things these spying mechanisms allow hackers to do is install malware. Some of the more malicious PC malware can even lock up a PC and threaten to delete everything on it unless you pay a ransom, displaying an image of you taken through your own webcam as proof that you are being monitored.

Besides PCs and smartphones, there are also smart TVs with integrated webcams that can be misused. We show you how dangerous the situation is and how to protect yourself from your own devices.

Smartphone Scare

The smartphone is especially rewarding due to the large number of potentially hackable sensors. By secretly taking photos, an attacker can read the embedded GPS information and discover your exact location.

Researchers have developed a smartphone Trojan called PlaceRaider, which regularly takes photos and uploads them to a server without a user's knowledge. A virtual walkthrough of any location can be reconstructed from the multiple images.

Post-processing algorithms can use multiple photos to extrapolate a very sharp close-up of an object.

A smartphone can reveal intimate details about you not only through its camera but with its other sensors too.

With an active Internet connection, one or even two cameras and other sensors, your smartphone is an especially rewarding target for hackers on a mission. Unlike a stationary PC, it not only includes potentially compromising photos but a range of information that can be called up together with images connecting you to it—including details such as where and when the photo was taken. Researchers have already manipulated smartphones to create extensive and zoomable panoramas of a room by combining and interpolating a number of secretly taken photos. They could then simply flick through the composite image to find important information.

Even manufacturers of smartphones and their business partners are desperately interested in collecting such information. One such example is ad tracking, which Apple has introduced with iOS 6. It works by assigning a unique number that associates a user with a particular device. When visiting websites and whilst using apps, this number is sent to advertising servers whose operators get an exact picture of what interests you, and which advertisements you’d be more likely to act upon.

Ebbing espionage

If you think your smartphone and its webcam are protected by Android’s security mechanisms, think again. The operating system is dependent on two basic principles: the user must grant each app authorisations for what it wants access to, and apps are strictly separated from one another. This way malware can only upload stolen data if it has been authorised for Internet access. However, proof-of-concept app Soundcomber bypasses all of this. It only requires authorisation for sound recording and disguises itself as a harmless voice memo app. It secretly taps phone calls and extracts numbers entered or spoken into the phone. It then transfers these numbers to its author by calling up the Android browser, which does not require authorisation. It directs the browser to go to a specific URL, which includes the numbers that have been stolen. The URL is interpreted by the author’s server and he gains possession of the numbers. As an alternative, Soundcomber can also smuggle this data through a “dead postbox” to a second identical malware app. For this purpose, it changes the authorisations on different photos in your camera roll in a predetermined sequence. The information is then reassembled by the second app and then transferred via the Internet. Hackers can also transfer images this way.

Motion sensors

Besides the camera and the microphone, a smartphone’s motion sensors are also used to spy on users. This is supported by the research project (sp)iPhone, which uses the highly accurate accelerometer of an iPhone to determine what is typed on a PC keyboard set beside the smartphone on the table. The smartphone registers the vibrations and reconstructs the typed text from the sequence and a dictionary, although it helps to know in advance the subject matter being typed. The researchers managed a success rate of 80 percent.

Virtual Protection

While iOS users enjoy a certain amount of protection due to Apple’s store policies, users of Android devices must be really careful. Espionage is basically enabled by a combination of app authorisations, which users of Android mobile phones easily and often allow without much thought when installing an app.

“Once an app receives authorisation to access the camera and the Internet, it can always take photos and videos and upload them,” says Jan Böttcher, whose Hamburg-based company, Vukee.com, develops photo apps for Android and iOS. “That is why it is important to install apps only from reliable manufacturers and check the permissions they ask for.”

In order to protect yourself from spies, you should allow camera and Internet access only to a few apps that have been developed by reliable sources. For increased protection, review your authorisations often. You can easily block a photo filters app from accessing the Internet. Processed photos are saved on your mobile phone, so you can publish them through the Android gallery instead. iOS users cannot control App Store applications as precisely but can depend on checks done by Apple prior to listing in the store.
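The permission review described above can be scripted. The following Python sketch is an added example, not part of the original article: it reads decoded `AndroidManifest.xml` text and ranks apps by the sensor and Internet permissions they request. The package names and sample manifests are constructed, and the "review"/"watch"/"ok" verdicts are labels chosen for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
SENSORS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

def manifest(package, *perms):
    """Build a constructed, minimal decoded AndroidManifest.xml for the demo."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}</manifest>')

# Constructed sample apps (hypothetical package names).
SAMPLES = [
    manifest("com.example.photofilter", "CAMERA", "INTERNET"),
    manifest("com.example.voicememo", "RECORD_AUDIO"),
    manifest("com.example.calculator"),
    manifest("com.example.newsreader", "INTERNET"),
]

def audit(xml_text):
    """Return (package, sensors, verdict) for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    sensors = sorted(SENSORS[p] for p in perms if p in SENSORS)
    if sensors and INTERNET in perms:
        verdict = "review"  # can capture and upload on its own
    elif sensors:
        # No INTERNET permission, but the article's Soundcomber case shows data
        # can still leave via the browser or a second app, so keep an eye on it.
        verdict = "watch"
    else:
        verdict = "ok"
    return root.get("package"), sensors, verdict

def audit_all(manifests):
    """Audit every manifest and list the riskiest apps first."""
    order = {"review": 0, "watch": 1, "ok": 2}
    return sorted((audit(m) for m in manifests), key=lambda r: (order[r[2]], r[0]))

if __name__ == "__main__":
    for package, sensors, verdict in audit_all(SAMPLES):
        print(f"{verdict:6} {package:28} {', '.join(sensors) or '-'}")
```

An app in the "watch" group is the voice-memo pattern from the Soundcomber description: a sensor permission without Internet access is lower risk, not zero risk.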

In Apple’s App Store for iOS, it is very difficult to find malicious apps, says Omar Abou Deif, head of app development at Vukee. Unlike on Android, iOS apps can only remain active in the background if there is a very good reason for doing so. Apple checks precisely why an app would like to run over a long period of time in the background and allows only a few to do so. No matter which platform you use, it is a good idea to uninstall apps that you don’t use regularly: once an app is removed it no longer poses a threat.

Don't just revisit your app permissions as an afterthought. Security apps such as LBE Privacy Guard and SRT AppGuard let you know what you're getting into and also revoke permissions which you may feel were granted by mistake.

Malware Malice

A webcam trojan on your PC behaves exactly like legitimate software. Via standard API calls and DirectShow filters, the video stream can be diverted from a legitimate program and sent anywhere via the Internet, potentially unnoticed.

To be completely sure that you are not being spied on, unplug your webcam when it isn't in use or turn it to face a wall (though sound might still be recorded). For notebooks, this is not possible—so a simple piece of tape or a cover over the lens will do. Special covers for the webcam lens look cleaner than adhesive stickers.

Simple steps

An external USB webcam offers the most control: you can cover it when you are not using it, turn it aside, or simply unplug it from the USB port. The last option also disables the microphone, which many people forget to consider. Secure hardware covers are getting harder and harder to find for notebooks. Function keys that switch off the webcam don’t offer 100 percent protection because the webcam can most likely be activated again with a software command. A solution would be to cover the webcam with black masking tape. If your webcam has an activity LED, pay careful attention: if it is often illuminated without a video chat or other relevant software running, even for just half a second at a time, you should immediately scan for malware.

As far as software goes, webcam espionage is usually carried out using backdoor Trojans, which is why the same measures generally recommended against malware are applicable: only install software from reliable sources, always update your antivirus, and use anti-spyware tools such as SpyBot Search & Destroy. Besides this, the Windows Firewall should always be active and you should only allow acceptable exceptions.

Get smarter than your Smart TV

The newest high-end TVs today come with integrated webcams. As with every product that has a camera and Internet connection, it is possible for the webcam to be secretly switched on and capture images. Smart TVs are quite an attractive target for malicious hackers and will be much more tempting if and when e-commerce activities via TV take off. To introduce malware into a smart TV, the attackers must develop an infected app that a user can voluntarily install. Another alternative is to install malware through websites the user surfs via the TV. This is difficult because of the several non-standard operating systems and browsers the manufacturers use. “Proprietary systems connected to the Internet through a home network router cannot be accessed from an external source”, says Stefan Ortloff, virus analyst at Kaspersky Labs. However, ex-CIA chief David Petraeus was vocal about the agency’s plans to use all options to tap smart TVs and other household devices of suspicious persons.

In order to check exactly which device communicates with which server, you will have to analyse your household data traffic. To do this, switch off all network devices except your PC and the device you wish to examine. Your router should let you see which devices are currently using the Internet connection and which IP addresses data is being sent to and received from.
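Once the router shows per-connection data, the check can be automated. This Python sketch is an added example, not from the original article: it totals traffic per remote endpoint for one device and picks out endpoints that receive far more than they send, which is the pattern an image upload would produce. The `key=value` log format, the IP addresses and the 100,000-byte threshold are assumptions made for the example; a real router's export will need its own parsing.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed key=value log format (not a real router's).
SAMPLE_LOG = """\
20:00:01 src=192.168.1.23 dst=203.0.113.10 dport=443 up=1200 down=48000
20:00:05 src=192.168.1.23 dst=198.51.100.7 dport=80 up=250000 down=900
20:00:09 src=192.168.1.10 dst=203.0.113.10 dport=443 up=800 down=15000
20:00:12 src=192.168.1.23 dst=198.51.100.7 dport=80 up=310000 down=700
malformed line without fields
20:00:20 src=192.168.1.23 dst=203.0.113.10 dport=443 up=900 down=52000
"""

LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) up=(\d+) down=(\d+)")

def summarize(log_text, device_ip):
    """Total bytes per remote endpoint for one LAN device: {(dst, port): [up, down]}."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(1) != device_ip:
            continue  # skip unparseable lines and other devices
        dst, port = m.group(2), int(m.group(3))
        totals[(dst, port)][0] += int(m.group(4))
        totals[(dst, port)][1] += int(m.group(5))
    return dict(totals)

def upload_heavy(totals, min_up=100_000):
    """Endpoints that were sent at least min_up bytes and more than they returned."""
    return sorted(
        (dst, port, up, down)
        for (dst, port), (up, down) in totals.items()
        if up >= min_up and up > down
    )

if __name__ == "__main__":
    tv = summarize(SAMPLE_LOG, "192.168.1.23")  # 192.168.1.23: the device under test
    for dst, port, up, down in upload_heavy(tv):
        print(f"check {dst}:{port}  sent {up} bytes, received {down} bytes")
```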

Anyone who wants to feel completely safe from surveillance should, as with a PC webcam, simply unplug the camera when not in use, or if that is not possible, cover it with a physical barrier. The webcams of Samsung Smart TVs can be turned until the lens disappears under a protective cover.

- CHIP