"Mijangos told me that he'd figured out how to turn off a camera's LED, cloaking himself completely."
Anyone know if this is actually possible? I don't know anything about laptop cameras, but it seems like you wouldn't want the LED to even be under software/firmware control - just put it in series with the camera circuit. An LED has to have a significantly lower failure rate than a camera, right?
I know that with my Logitech Pro 9000, the Logitech software that comes with it gives you the ability to turn off the LED. Their software also has remote viewing built in. I'm sure designs vary, but it is at least possible with this camera.
I can't find where I read this, but I believe the reset line of the camera module is typically tied to the LED, so it can't be in a powered-on state without the LED being active.
There would have to be a buffer overrun in the text message handling code plus a way to exploit it in 160 characters. That sounds difficult, unless I'm wrong about the fact that the carrier enforces the limit.
I could maybe see doing it with MMS or iMessage. The more I think about it, the more interesting this question is...
Has anyone heard of any exploitable flaws in a phone's SMS software?
It's not just buffer overruns that can cause issues. You can crash the font display system by sending characters that aren't handled properly. You may also be able to direct the phone to download a hacked firmware update via SMS (AIUI carriers sometimes use specially-coded SMS messages to tell phones to update their software, PRL, etc.).
On Windows Mobile 6.0, you could send WAP pushes that linked to signed apps which would auto-execute/install.
Right now, there aren't any vulns which are similar in danger that I am aware of. SMS isn't a super friendly medium for stack manipulation, and most modern mobile OSes implement ASLR.
Georgia Weidman has a botnet C&C (Command and Control) network running via hidden SMS. But I don't think it can infect via text message.
http://georgiaweidman.com/wordpress/?cat=10
Doesn't take a hacker to watch through a webcam. Let's not forget the 2010 story of school spying on students at home: http://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School_... They even disciplined the student for breaking some school regulation while he was being observed...
I miss the old Apple iSight webcams that had a metal iris that would close when you turned it off. There was a time when Steve Jobs apparently didn't want to be Big Brother.
After years of thinking people were 'paranoid' for putting stickers/tape/etc. over their webcams, just yesterday I started doing the same thing.
Like most people, I also used to think the indicator light would always come on when the webcam was active (as in, it would be part of a hardware circuit or something similar), but I now know this is not the case (at least on my own laptops).
One example of this is the Prey anti-theft agent[1]. If your laptop is stolen, you can remotely take pictures using the laptop's webcam (similar to what happened in the many 'stolen laptop' stories we've seen on HN where images of the thief are then posted online). When I test out this feature of Prey on my own laptop, it successfully takes the pictures for me but the webcam's indicator light is never turned on. It's worth trying this for yourself.
Anyway, (IMHO) you're better safe than sorry since a tiny sticker isn't a big deal.
As an anecdote, I noticed in my tests of Prey that I just don't notice the light in that instant it's turned on. If someone wants to just get quick pictures of who's using your computer, momentary blinks are probably going to be unnoticed while longer periods of activity are more likely to be noticed.
"Mijangos wasn't looking for trouble, not at first at least, but information on coding is just a few clicks from sites on criminal hacking."
WTF?!?
OK, literally, that /might/ be true, /if/ you had the right search terms to start with. But "just a few clicks from" is also a pretty obvious metaphor for "not far from" or "almost similar to". The author is basically implying "ZOMG most software developers are out to spy on you naked!"
What is this, part of the War On Things You Don't Understand?
Good, then I wasn't too paranoid when I put aluminum foil over the webcam on my laptop (which for some reason didn't have an LED attached to it).
Interestingly enough, if the guy had used Tor and an online hosting system bought with his stolen credit cards, he would probably never have been caught.
It's certainly not unheard of for memory corruption issues to exist in SMS handling code - see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2204 . There's also a pretty wide remote exploit vector in MMS - you have an entire TCP + HTTP stack, image decoder, and render mechanism to exploit in that case. I don't know of any published MMS exploits in the wild for any recent phones, but that's not to say it's impossible.
I do agree that the article as a whole sounds like 90s/early-2000s paranoia combined with the standard glorification of "cyberpunks," though - it's just not the "iPhone via text" anecdote that's raising red flags.