Digital Life
Charlotte Hannah
August 16, 2013

Everybody Panic: Yes, Hackers Can Watch You Through Your Webcam

I have a friend who always keeps a Post-It note over her laptop’s built-in webcam to keep hackers from spying on her. I’ve always chuckled at her paranoia — but maybe she’s the one having the last laugh.

It turns out it is indeed possible for someone to remotely access your webcam without your knowledge or consent — and yeah, there’s a black market for this stuff.

A few months ago, an investigation by BBC Radio 5 Live uncovered websites where people can buy access to computers with hacked webcams. At least one of these websites was charging $1 for a computer owned by a woman, and the same amount for 100 computers owned by men.

Access to the victim’s webcam can be achieved in several different ways. One, called clickjacking, involves creating an invisible layer in your browser. When you think you’re clicking on something innocuous — say, the Play button on a video — you’re actually giving permission to access your webcam. Another method involves tricking the victim into downloading software that allows their webcam to be accessed remotely.

For the most part though, you’re probably not at risk as long as you follow all the usual Internet safety tips:

  • Keep Java, Flash, your browser and your anti-virus program updated.
  • Use different passwords for all your accounts.
  • Enable secure browsing whenever you can. (You can tell you’re using it if the URL starts with https://)
  • Don’t click on ads or links you don’t trust — and if your friend posts something on Facebook or sends you an email with a weird link along with some vague statement that doesn’t seem like something they’d write (“hey u’ll nevr guess wat pic i found of u” from your English major friend, for example), don’t click it.

This TechCrunch article has some other tips, along with a link to a site where you can test whether your browser is susceptible to clickjacking.

If you’re running Firefox, you can also install NoScript to block scripts from running without your authorization. (It can get kind of annoying having to manually authorize every single script though.)

Or, if all else fails, you can put a Post-It over your webcam like my friend does. I also recommend only ever surfing the Internet while wearing an identity-concealing horse mask just for good measure.