Webcam/microphone monitoring

[byte.bucket at 4a44.com (byte.bucket at 4a44.com)]

Hijacking webcams via Adobe Flash was featured as one of the attacks made
possible by "Clickjacking". You can view Jeramiah Grossman's Blackhat
presentation on clickjacking here:
http://www.blackhat.com/html/webinars/clickjacking.html (registration
required). The discussion of hijacking the webcam starts aprox. 48 minutes
into the presentation.  There is also a recorded demo of the attack here:
http://www.youtube.com/watch?v=gxyLbpldmuU

Note: the vulnerabilities in Flash that made this possible have been
addressed in Flash player 10.

Here are some additional links on the topic:
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4503
* http://blogs.adobe.com/psirt/2008/10/clickjacking_security_advisory.html
* http://www.adobe.com/support/security/bulletins/apsb08-18.html

--
byte_bucket

> While purchasing some new laptops a discussion came up about the trend
> towards built-in webcams and associated security concerns.  If I
> remember correctly, back in the day Back Orifice could discretely
> monitor the host's webcam and microphone.  Are there any more recent
> applications that do anything similar?  Has anyone seen recent research
> in this area?
>
> If possible I'd like to be able to show the potential danger & recommend
> that we disable any built-in webcams that aren't necessary, but I'm also
> interested in the ability for use during pen-tests.
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com