Coding a Webcam Spyware is Too Easy! Be Careful.

Chaidhat Chaimongkol (chch22) Y12

I made a webcam spyware in less than a day - it is too easy. I intended this research to inform and give awareness of this issue for people to be careful of how simple it is to create one. Creating a computer virus for malicious intent is unethical and illegal.

My program can open your webcam without turning on your camera light or antivirus! Sort of. This is one of my rare projects which I unfortunately will not make the source code public. If you wish to check out my other projects, please check out https://github.com/Chai112

Electronic devices are an elementary and essential part of our modern lives from when we pick up our phones in the morning until we fall asleep with them in our hands. This stipulates that we spend the majority of our time dedicated to mingling with machines – ever so close to the expansive arrays of the latest sensors and tech monitoring our every move.

This leaves a gaping vulnerability for unethical programmers to exploit and maliciously exploit unsuspecting victims. It appears frequently on the news, the latest spyware or mass leaking of secrets. I am not interested in those ill-fated pursuits, however on researching and informing the public, I discovered how appallingly easy it is to program one – quite frankly, any semi-competent programmer can research and code a harmful program. In fact, I created one in less than a day of research and coding, and so can you!

Firstly, I figured out how to access a computer webcam using code. Normally, code would interact with devices such as your camera with a device driver through your Operating System (OS). This is facilitated by an Application Programming Interface (API) which abstracts and makes the code easier to program by the end user (Me).

I used an open-sourced and copyleft one, which really goes to show how great open-source is, people can learn from it and try things out they could never do. I decided to use ESCAPI by Jari Komppa for webcam capture, which is brilliant API which came with a lot of helpful examples. The code was in C++ which I had a fair bit of experience in but worked only for Windows.

This was when I realized that a spyware was stupidly easy to build – too easy. Of course, the developer had made his camera program with good intentions but an unethical person (i.e. me) can reengineer it to do bad. On running the example programs it came with, I was shocked to find no antivirus prompt – no security requests. Once I double clicked it to run, it did – opening my camera and taking a picture without asking me or anything. I have the default antivirus Windows comes out of the box with.

The example program runs on any CLI (e.g. PowerShell) and immediately takes a photo of me. It is printed in ASCII shading. https://github.com/jarikomppa/escapi/blob/master/simplest/main.cpp

It was only a bit of experimenting and debugging I found out that the minimum time the camera can be on for (and the indicator light to be on) is around one second. This means that your camera will only intermittently flash its indicator light which is quite difficult to notice unless you are paying attention. The light's usually dim anyways – maybe when the screen is on high brightness, you enable the spyware. Maybe when the light goes off, you create some really distracting popups to hopefully subvert the user’s attention before you snap a picture of them. My computer’s camera light is also white so it’s more difficult to spot than a green one.

Some cameras (Logitech ones) you can change a registry key to turn off the indicator completely! This usually prompting a security alert, but you can disguise it as a trojan program (e.g. installer) - go search it on Google! Luckily, there are a lot of sources claiming the Macbook cameras are actually power-connected so you’ll be fine (hopefully).

From this step onwards, since the data captured is stored in a variable in memory, I can use another library and API called STB which transforms data into an image file.

Violá! A bit of twisting with the colour values, I can capture a HD, colour screenshot of myself using this program in less than a second of the indicator light turning on. Unbelievable!

Image 1: I assigned the data incorrectly with the API

Image 2: First successful capture. I used the values in example so its only greyscale, 3 bits.

Image 3: Trail and erroring the bit shifting of RGB values. Data is encoded in a 4-byte integer but I want it in 3x1 byte unsigned character.

Image 4: Success! Captures in less than a second of the camera being on.

We can delay the program by a random offset so it takes pictures when we least suspect it. I tried this on myself but the indicator light turning on for a second was still a bit noticeable. Maybe on an old laptop, the light is dimmer and less noticeable, I might have gotten away with it. I had an idea – what about if the user leaves the computer, say for ten minutes without any input into it, it will start taking photographs. It is very difficult to notice the intermittent flashing light from far away and if it takes it in say 1-hour intervals, it is pretty much impossible.

This is implemented via a keylogger. This is also extremely illegal (and so is the webcam capturer). I use yet another open-sourced Keylogger by Ege Balci. Now it even detects keystrokes! This is used in a lot of spyware attacks to steal bank data and passwords – like the Zeus virus. It is too easy for anyone to just code this or use an online one. The data logs and image files can be written and stored (with a few extra lines of code, ironically in “Beginners’ C++ Guide”). Once there is no input for over 300 seconds, it takes a screenshot. Then repeat.

This data can be shipped off to a malicious server or deployed on a botnet. This is where I stop and draw the line because this is where a harmful program can turn into multiple, replicating ones which propagate rapidly. It would be extremely illegal and unethical to do so – even though it would be somewhat trivial for a semi-seasoned programmer and with a lot of copy pasting as I’ve shown above.

The only last thing I have to do is make sure the program doesn’t show up in the taskbar. This is done very easily with just one line of code. Now it is next to impossible to find the program running in one of 202 background processes – if you name it well enough, its near to impossible to find.

Tip: badly-designed computer viruses (like mine) usually use a lot of CPU or memory. So sort by CPU usage! Mine is cap.exe using 12.8%. Other spyware may use tricks to put itself to sleep to use less CPU and battery.

In conclusion – this is a very seriously easy thing to do and anyone of ill-intent can very well infect your computer with spyware with only in less than a day’s worth of research and coding. Please use a thin camera cover or post-it note over it (even though Apple just released a press release not to use one on their computers) and always power-off your computer when you are not using it. Microphone recording attacks are even worse – there is no way to know if it is on or off.

Windows wise, I personally would recommend you to go to the device manager and locate your microphone and camera, and right-click on it to “Disable device”. This means that your OS will stop communicating with the driver and therefore this attack will not work.