Sunday, September 9, 2012

Google's Chrome browser has direct access to your web camera and mic. Will this lead to more webcam hacking?

Google's latest release of Chrome may allow for a lot more webcam spying because of new HTML5 features, i.e. WebRTC.

Below is an article published by Forbes Magazine.

The new release of Google’s Chrome browser has a bit of a surprise in it for users who don’t follow the technical side of this stuff. I warn you, at first glance, the idea may seem scary.

Chrome 21, which updates automatically for (most) users who have auto-updates enabled, contains support for a JavaScript API (Application Programming Interface) that allows the browser to access the webcam and microphone built into (or attached to) your computer or device. What, you might say, my computer can spy on me? OK, take a breath, let’s talk this through.

First, you might not realize that this is already possible on your computer through plugins, namely Adobe Flash and Microsoft Silverlight. And, I won’t lie to you, there are examples of evil hackers creating malware that uses these plugins to gain access to the “live stream” from victims’ computers. ComputerWorld reported on just such a scheme a couple of months ago that was used to defraud online banking customers.

Second, as great a headline as it might be to say “Google is spying on you with your own webcam!” this sensationalism would be no more true than saying that Adobe or Microsoft have been spying on you for years. They haven’t been.

Once you get past the scary headlines that are bound to pop up, like, “Google Switches On Browser Spy Cam in Chrome” (on MSNBC), you will realize that (on a security level) not much has changed. Once you have a plugin like Flash enabled in your browser, it becomes a bolted-on part of your computing environment, no more or less secure than if the same functionality were native to your browser.

On the positive side of the equation, though, native support for webcams and microphones, what is known as WebRTC (for Web Real-Time Communication, an HTML5 standard being drafted by the World Wide Web Consortium (W3C)), creates whole new vistas for what can now be done on the web. I asked web standards advocate Jeffrey Zeldman what he thinks about this development. “Adding camera access via a web standard sounds pretty cool to me,” he writes. “I don’t think this means the end of native apps or a new era of malicious spying (although I suppose the latter is always a concern). I do think it opens new creative possibilities for designers and developers of desktop and mobile web apps.”

But what about that “malicious spying”? I asked mobile consultant Luke Wroblewski, and he replied, “Personally, I think a lot of smart people have thought real hard about this issue.” One of those smart people is Scott Jehl of Filament Group in Boston, the studio that recently helped The Boston Globe become the first major newspaper to switch to a responsive design for its website. “I don’t think users should be concerned about it,” says Jehl. “It’s a great feature.”

Jehl is a performance hacker who eats HTTP requests for breakfast. He is not part of the security task force for this project, but he has done his own testing of the getUserMedia API implementation in Chrome. He likes that the new features “go through the same security verifications that users already see in other existing Chrome APIs, like geo-location,” and that, “this feature was already available in the Opera browser’s desktop and mobile versions, so it has been in the wild for some time for a large number of people. Making this sort of functionality work natively in the browser, rather than having to rely on proprietary plugins, is a big win for users and developers alike.”

The comparison to geo-location permissions is apt, and users should apply the same degree of awareness and caution with real time communication streams as they do with location information or secure (https) connections. Google presents it this way in its official blogpost on the new Chrome release, “What if web apps could see? What if they could hear? In today’s Chrome Stable release, when you give them permission, they can.” [the bolding is mine]. The emphasis on explicit permissions is clearly built into Chrome’s implementation of this standard. Other browser makers are advised to follow suit.

The Internet Engineering Task Force (IETF) is holding one of their triannual meetings (this time in Vancouver) this week. This group has been pivotal in geeking out on the details to make those permissions be as bulletproof as possible. Have a look at this slide deck for a (highly encrypted!) breakdown of the technical security considerations discussed at a meeting last year.

What can you do now once you have Chrome 21? The image above shows me playing with the Magic Xylophone (by Romuald Quantin at Stinkdigital in London), a low-end augmented reality (AR) virtual instrument. Move your fingers near the top of your webcam’s “frame” and you can play the different notes on the scale. It’s no Leap Motion, but it is a fun way to get “input” into a game or app. Webcam Toy, by Paul Neave, lets you apply some fun real time effects to your video stream. Coolest perhaps are the kaleidoscope (self-explanatory) and the filmstrip, which shows you a grid of identical images of yourself offset just slightly in time so that a motion in the top right corner “ripples” through each row down the screen.

Before you are able to launch one of these apps, a standard dialog box will appear at the top of your screen (just like with geo-location apps) asking for specific (one-time) permission for this (and only this) site to access your camera that you can either allow or deny. There is an options button to access alternate camera or microphone sources (if applicable). Once you allow access, a light next to your webcam lens will go on and stay on until you leave the app, or, in some cases, once the required input has been received.

An example of this kind of low-impact scenario is Google’s Chrome Web Lab’s own Sketchbots experiment. The app asks you for permission to use your webcam to take a picture of your face. If you submit the picture, it is then “converted to a line drawing and sent to a robot in the Science Museum in London. The robot then draws out your portrait in a patch of sand, which you can watch live on YouTube and visitors can watch in person at the museum.” The webcam light only goes on for the time it takes to take the picture and then goes off. It asks you for permission each time it uses the camera if you want to retake your picture. Apps will probably be able to support the “always allow” option, but Google is here trying to set an example by making sure the user knows what is going on at all times.
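The capture-then-release pattern described in the two paragraphs above, as an added example that is not part of the original article or any of the apps it names: request video only, handle a denied prompt, and stop every track so the camera light goes off. The helper names `withCamera` and `fakeMediaDevices` are hypothetical; in a page you would pass `navigator.mediaDevices`, the current promise-based form of the getUserMedia API.

```javascript
// Added example: hold the camera only for as long as the work needs it.
// `mediaDevices` is injected so the logic also runs outside a browser.
async function withCamera(mediaDevices, useStream) {
  let stream;
  try {
    // Video only: audio is not requested, so the microphone is never opened.
    stream = await mediaDevices.getUserMedia({ video: true, audio: false });
  } catch (err) {
    // NotAllowedError: the user (or policy) refused the permission prompt.
    if (err.name === 'NotAllowedError') return { ok: false, reason: 'denied' };
    // NotFoundError: no camera is attached.
    if (err.name === 'NotFoundError') return { ok: false, reason: 'no-camera' };
    return { ok: false, reason: 'error' };
  }
  try {
    return { ok: true, value: await useStream(stream) };
  } finally {
    // Stopping every track releases the device, even if useStream threw.
    // Without this the camera stays live until the page is closed.
    stream.getTracks().forEach((track) => track.stop());
  }
}

// Constructed stand-in for navigator.mediaDevices so the block runs offline.
function fakeMediaDevices(decision) {
  const tracks = [{
    kind: 'video',
    readyState: 'live',
    stop() { this.readyState = 'ended'; },
  }];
  return {
    tracks,
    async getUserMedia(constraints) {
      this.lastConstraints = constraints;
      if (decision === 'deny') {
        const err = new Error('Permission denied');
        err.name = 'NotAllowedError';
        throw err;
      }
      return { getTracks: () => tracks };
    },
  };
}
```
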

Moving forward, these capabilities will enable live video conferencing and video calling through websites instead of through native apps or system level controls. Google may be more interested in pushing this through Google+ hangouts than Apple for whom it is a challenge to their proprietary FaceTime video calling technology. Ditto, perhaps, for Microsoft and Skype. Beyond the obvious applications, the improvement of backend processing in the cloud coupled with WebRTC will make all manner of real time video and audio effects possible. Instagram, SocialCam and Airtime are just the start.

Reassured and/or curious enough to want to try it out? Other than updating Chrome to the latest and greatest stable version, you can also access the getUserMedia API with Opera and Opera Mobile at the time of this post. To find out what’s next, you can check for the current status of its availability on the When Can I Use website. getUserMedia is supported in the current “nightly” (pre-release) versions of Firefox, so that could well be next. No indication on the status of Apple’s Safari, though the upcoming versions of Safari for iOS and Microsoft’s Internet Explorer are now listed as “support unknown” instead of the prior “not supported.”

If you’re still concerned about security in relation to your webcam and microphone, you can try these precautions:

1. Choose a browser that does not (yet) support WebRTC.

2. Place a piece of black tape over your webcam’s lens when not in use.

3. Disable or mute your computer’s built-in microphone.

All of these are, admittedly, stopgap measures. If users report a lot of problems, some browser makers will probably devolve WebRTC support to a preference, but I think that is unlikely. This train is leaving the station. Please be careful while boarding!

Obviously there is a better solution than black tape: webcam covers for laptops, computers, TVs and more.
