8

A person I know got a spam email saying to pay a ransom of 1000$ for his personal information. The spammer sent him an old password he used in an old email as proof; the email is linked to his Facebook account.

He is afraid the hacker had access to his camera and his personal information and info related to work. Is there a way the hacker could have enabled the camera and started recording after the user disabled it?

Note that the laptop doesn't have any real protection, just Windows Defender and firewall. He found the webcam was enabled after disabling it. Also, can Windows enable the camera on its own after an update?

8
  • 2
    I'm voting to close this question as off-topic because it's a fake scenario.
    – Jason
    Commented May 1, 2019 at 23:19
  • 8
    @Jason, yes this is a common scam, but is it a legitimate question? Can hackers enable the camera after the user has disabled it?
    – Jay
    Commented May 2, 2019 at 1:48
  • 2
    "laptop doesn't have any real protection. just Windows Defender and firewall." Sounds real to me. What do you want? A security guard patrolling?
    – sbecker
    Commented May 2, 2019 at 6:47
  • 2
    @Jason I don’t understand your comment. What makes you think this is a fake scenario? Do you not believe that SG_MTS has an acquaintance who received one of these very common scam mails and is nervous? Do you not believe that he found the camera enabled in the settings after previously disabling it? Nothing about the scenario seems likely to be fake to me. Commented May 2, 2019 at 11:46
  • "The spammer sent him an old password he used in an old email as proof" Used in or used for? Commented May 2, 2019 at 15:16

3 Answers

20

These emails are all scams. I get them and I don't even have a webcam on my desktop.


In theory a dedicated attacker could have done this, if they got in and used a privilege-escalation exploit to get kernel access.

But AFAIK typically randomly-targeted attacks for extortion purposes aren't going to be worth the risk of burning an unknown / unpatched 0-day exploit, so unless your computer doesn't get security updates, the chances of a casual attacker actually getting in are basically zero. And the amount of effort they'd have to put in (downloading and watching videos of random people from the camera) to actually find people doing anything embarrassing is way higher than just making stuff up!

So the real risk is if you are a high-value target for some attacker, like maybe they want to read papers on your desk near your computer. Or the screen of another nearby device. They wouldn't be sending you blackmail emails about it.


There are no physical interlocks that would prevent the camera from being enabled without a physical keyboard press or physical mouse click. It's all software. AFAIK it's usually fairly secure software, behind multiple layers of protection (like it would require a kernel exploit to silently enable the camera without user interaction).

The only way to be sure is to physically cover the lens of your camera, and/or not point it at yourself when not using it. Just like the only way to be sure your computer isn't cracked is to keep it powered off (physically unplugged), and preferably encased in concrete, at the bottom of the ocean.


I think I've seen some laptops with a flap you can slide over the camera, possibly to protect the lens from dirt, or maybe privacy was one of the intended uses. Some stand-alone USB webcams have a physical lens-cover slider or iris.

Built-in microphones are more insidious because they're not directional.

6
  • 1
    The only way to be sure is to physically cover the lens of your camera, or unplug it (tricky but possible inside a laptop). That disables the microphone as well.
    – Chris H
    Commented May 2, 2019 at 14:50
  • Just like the only way to be sure your computer isn't cracked is to keep it powered off (physically unplugged), and preferably encased in concrete, at the bottom of the ocean. Wouldn't a volcano's lava do the job either?
    – Barrosy
    Commented May 3, 2019 at 6:56
  • 1
    @Barrosy: no, that's how you securely delete your data once you no longer want the computer. Commented May 3, 2019 at 7:00
  • Oh you want to retrieve the device by fishing it up again from the deepest of oceans and pull it out of the concrete? Got it.
    – Barrosy
    Commented May 3, 2019 at 7:04
  • 1
    @Barrosy: I believe the optimal deletion procedure is to throw it in the volcano still in the concrete, so it stays protected until the heat penetrates the concrete and melts the silicon and/or iron oxide that were storing your data. (After first demagnetizing it at the Curie temperature). Fun fact: I don't think concrete actually melts at lava temperatures like 800 to 1200 Celsius. en.wikipedia.org/wiki/Concrete_degradation#Thermal_damage says it turns brown over ~1000 °C and is weakened. reference.com/science/melting-point-concrete-ac28d5cb2b50ed99 says thousands. Commented May 3, 2019 at 7:24
1

This is a well-known scam, as uSlackr describes. But that doesn't mean it can't be done. People are always finding new exploits. Everything can't be done until someone figures out how to do it. With hacking, the safe assumption is to assume almost anything is, or will be, possible, so take precautions.

For example, no hacker can make the camera see through painter's or gaffer's tape if you leave a flap of it in place when you don't actually need the camera.

But taking precautions is different from reacting to a claim that somebody actually did it to you.

Some scams work because there actually is such an exploit, making it seem more credible even if it wasn't used on you. There are lots of things that can be done by a very proficient, motivated hacker. Intelligence agencies, with the resources of a government behind them, can pull off some pretty fancy spy craft.

When you have been told that someone hacked your system, part of evaluating the potential truth of it is to weigh the scenarios. You can never completely rule out that someone might potentially have done it, but you can compare likelihoods. If you aren't a valuable target (foreign dignitary, owner of really valuable secrets, a terrorist, etc.), it isn't too likely that someone is going to invest serious time, money, and effort to hack your system. If you're going to be a "hacking" victim, it's much more likely that it will be some simple target of opportunity or just a scam, where there wasn't actually any hack.

The scam you mention relies on easily available information, the human nature of the victim, and requires no actual hacking. Why would anyone go to the trouble of hacking your system when they can fake out a lot of people without really doing anything?

When a well-known scam like this is going around, the odds heavily favor that you're a scam victim rather than an actual hacking victim. There's an old aphorism coined by a medical school professor about not jumping to an exotic medical diagnosis when a more commonplace explanation is more likely: "When you hear hoofbeats, think of horses not zebras."

2
  • "The scam you mention relies on easily available information" Passwords are easily available information? Commented May 2, 2019 at 15:15
  • @Acccumulation, unfortunately, yes. See forest's comment on uSlackr's answer. And while that person doesn't use the data troves available on "darknet" sites, there have been huge hacks of personal data from major Internet players, and it is available. It isn't necessarily current info (after people have been affected by a breach, hopefully they change their passwords). But when they get a notice from a scammer containing an old password or other personal data, people forget that the breaches were in the news and fall for the story of it having been obtained by hacking the user's computer.
    – fixer1234
    Commented May 2, 2019 at 16:07
0

There are a lot of factors that could be at play here. The short answer is yes, malware can enable a camera on a laptop even if the user disabled it. While Windows Defender provides SOME protection, I would recommend getting some true anti-malware software such as Kaspersky or Trend Micro and scanning the computer.

Seeing as the scammer sent an old password, my guess is there is a key logger on the computer (a piece of malicious code that records what buttons are pressed) and that's how the information was harvested.

2
  • 7
    There is little real risk here of a keylogger. I have received a hundred threatening emails in the past year that reference an ancient password.
    – uSlackr
    Commented May 1, 2019 at 21:54
  • 4
    It is much more likely that this password was decrypted from one of thousands of leaked user databases. Plugging the email into haveibeenpwned.com should confirm that your password/email combo is in fact public knowledge.
    – Aron
    Commented May 2, 2019 at 1:25
