
Covering webcam 'doesn't hurt,' not a replacement for good computer security, experts say

Saturday, Sept. 17, 2016, 10:00 p.m.

FBI Director James Comey does it and thinks you should, too.

A piece of tape or cover to block the webcams built into laptop screens can serve as a robust cyber-security measure against hackers.

“There's some sensible things you should be doing, and that's one of them,” Comey, whose FBI notoriously hacked webcams to spy on targets, said last week during a conference at the Center for Strategic and International Studies in Washington.

But how at risk are we of webcam hacks? Cyber security professionals told the Tribune-Review that webcam hacks on an ordinary, everyday, average American are rare, but a piece of tape is a small price to pay for peace of mind.

“Most casual users, you probably don't need to worry about it,” said Trevor Hawthorn, chief technology officer of Wombat Security, a Pittsburgh-based cybersecurity company that gives out branded sliders that sit on top of a laptop and can cover a webcam. “We literally give them away for free.”

Hawthorn covers his webcam. So do Wombat's top executives. But Hawthorn also stressed that they — and Comey and Facebook's Mark Zuckerberg, who also tapes his webcam — are not your average computer user.

Hacking a webcam is an easy way for hackers to prove they are in control. Releasing images from a hacked webcam can be embarrassing to people in the security field or public eye. Hawthorn could lose clients who doubt his firm's capabilities. Zuckerberg could lose Facebook users who question how secure their accounts are. For Comey, the risks extend to compromising investigations or national security.

Those results could be attractive to a hacker. Photos of you or even your personal information likely aren't.

“If somebody is going to take the time, the energy and maybe the money — if a hacker is going to make that investment in those things — it better have some sort of payoff,” Hawthorn said.

Hackers typically gain access to a person's computer, and thus their webcam, through a piece of malware. Hawthorn said hackers can write their own malware or buy ready-to-use products on the Internet's seedy underbelly, known as the “dark web.” Once armed with malware, the hacker has to install it on the target's computer. This is most commonly done through an email that contains a link or an attachment: click on the link or download the attachment, and the hacker is in. Once inside, the malware connects back to the hacker. Now the hacker has access to personal information, can monitor keystrokes to steal passwords and credit card numbers and can activate a webcam without the user's knowledge.

“It's not that easy, but certainly there are certain people out there that have perfected their craft,” Hawthorn said.

“Me personally, yes, I do cover my webcam, but that's not my only security precaution. If you think about it, putting tape over your webcam, that's a security measure you put in place in case everything else fails. This is your last stopgap.”

David Brumley, CEO and co-founder of ForAllSecure, the Pittsburgh company behind Mayhem, an autonomous computer that won a Defense Advanced Research Projects Agency-sponsored hacking competition, agreed with Hawthorn that the average person's risk of webcam hacking is low. Brumley, also director of Carnegie Mellon University's CyLab Security and Policy Institute, said he doesn't typically agree with the FBI's approach to cybersecurity but does agree with the director on the tape issue.

“I would say that's a pretty reasonable thing to do,” said Brumley, who admitted he doesn't tape his webcam. “It doesn't hurt, but by the time they're able to look at your webcam, they're able to capture all our keystrokes anyway.

“It's not like that piece of tape is a replacement for really good security.”

Brumley hopes Mayhem, which competed in a digital game of Capture the Flag — protecting itself while attacking others — will develop into a tool that can automatically detect a computer's vulnerabilities and patch them before hackers have the chance to exploit them.

“Mayhem's goal isn't necessarily to stop someone from hacking and taking over your webcam. It is to prevent someone from accessing your system altogether,” Brumley said.

Aaron Aupperlee is a Tribune-Review staff writer. Reach him at 412-320-7986 or
