Device Security

How much control are we really giving up to anonymous developers with access to an update hook? How secure are our machines?

I’m a big fan of the TV show Shark Tank, and I watch just about every new episode live when it airs. There’s something about entrepreneurs risking it all to make a dream come true that resonates with me.[ref]I would go absolutely bananas to see a WordPress-related or inspired pitched on the show![/ref]

This past season, though, saw some absolutely insane products pitched in the tank. One I found the most ridiculous was a product called eyebloc.

Eyebloc is a small, plastic cover that fits over the top of your laptop, covering the camera and preventing prying eyes from seeing what you don’t want them to see.

Why It’s Ridiculous

My home network is incredibly secure. I use unnecessarily tough encryption for connections, only allow a known set of devices to connect in the first place, and use strong passwords changed regularly to protect administrative tools. Considering I don’t do anything warranting that kind of protection in the first place, the lengths I go to when securing my information are a bit extreme.

Then again, I do this because I don’t know for sure how a nefarious individual might use information I otherwise consider “safe.” I’d rather they just not have my information in the first place.

I’m also very cautious when I use software online. All of my devices are networked together in such a way that if any of them changes state (software downloads, updates, system configuration changes, etc) I’m notified immediately.[ref]This shocked my wife when she tried to order a Christmas present online and accidentally clicked a button to update Java. It wasn’t really Java, so I shut the machine down remotely and fixed things. She was a bit confused, and disappointed I’d spoiled her surprise, but our machines stayed safe.[/ref]

The chances anyone could hack in to my system in the first place are remote. The chances of a successful hacker then installing camera-aware spyware are even more so.

Paying even $5 (the current price of Eyebloc on Amazon.com) to protect against such a remote eventuality seems insane.

Why It’s a Good Idea

Last night, something a bit odd happened.

I use HipChat for work. Because I’m lazy, I’ll usually leave it[ref]And Chrome. And PHPStorm. And Vagrant. And Skype. And Terminal. And Toggle. And Git Gui. And …[/ref] running when I head out of the house after work. I lock my machine before leaving the desk, but otherwise things are set up so I can quickly get back to work the next day.

Yesterday was no different. My last Skype/HipChat call was around 3. I finished work a little after 4 and locked my machine before heading out the door.[ref]I know the camera was disabled at this point as there was no little blue light on the top of my laptop. The office was dark save the yellow lights on the router.[/ref] After spending some time downtown and dining out with my wife, I came home and turned the computer on to finish a few things before calling it a night.

The blue light on my laptop camera was on.

I pulled up a few systems diagnostic tools and was able to narrow down HipChat as the application responsible. A network trace showed the camera was actively streaming. To where? I have no idea, nor do I care.

I killed HipChat. Rather than pay $5 on Amazon and wait a few days for an eyebloc, I folded an old business card over the camera.

It will stay there until my next video call.

To be clear, no one hacked my network. I installed HipChat and, likely, the program has a bug that just randomly enabled the camera. I’ve noticed since the last update that HipChat randomly steals control of my audio and mutes other applications as well.

Nothing nefarious is going on – but it could be.

We install applications all the time that have deep access to our machines. Even some that explicitly call out what they do and do not have access to also feature automated update mechanisms that can pull down new “features” and wider access without our intervention.[ref]When is the last time you really looked at what was installed when Chrome last auto-updated?[/ref]

You can have the most secure network in the world, but once you let someone else in to that network, they have the ability to run amok without your oversight. Just think, this misuse of my camera was an accident triggered by a bug that will likely be fixed in a week or so – but what if it wasn’t a bug? What if it was intentional?

We exercise a high level of security when it comes to the sites we browse and the applications we install. Often, the applications running on our machines a week or so later bear little to no resemblance to the ones we installed in the first place. How much control are we really giving up to anonymous developers with access to an update hook?

How secure are our machines?