- The Facts: Hackers have successfully been able to access the front-facing cameras on Google and Samsung phones without permission from the user and regardless of whether or not the phone was unlocked. They were able to take pictures and record video.
- Reflect On: Why should you care? This is an outright invasion of our right to privacy. If we continue to willingly give up all our rights, soon we won't have any left.
The security research team from Checkmarx has uncovered a major vulnerability affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users across the globe. Apparently it’s now fixed, but the researchers discovered a way for an attacker to take control of the front-facing camera and remotely take photos, record video, listen in on your conversations and more, all silently in the background without your awareness.
And, although it’s important to note that the following is merely speculation, if hackers have the ability to do this, then you better believe that the NSA and other high-level government agencies are able to do the same thing. This isn’t something new: Edward Snowden, the NSA whistleblower, and many others like him have talked about and explained how our phones are actually used to spy on us.
What Did The Checkmarx Security Research Team Find?
Their research began with the Google Camera app on the Pixel 2 XL and Pixel 3 smartphones, where they found a few vulnerabilities that stem from allowing an attacker to remotely bypass user permissions. Apparently facial recognition, fingerprint and password security are not as secure as we’ve been led to believe.
“Our team found a way of manipulating specific actions and intents,” Erez Yalon, director of security research at Checkmarx said, “making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung’s Camera app.”
Davey Winder, from Forbes.com, explains how an attacker is able to exploit the Google Camera app vulnerabilities:
“Checkmarx created a proof of concept (PoC) exploit by developing a malicious application, a weather app of the type that is perennially popular in the Google Play Store. This app didn’t require any special permissions other than basic storage access. By just requesting this single, commonplace permission, the app would be unlikely to set off user alarm bells. We are, after all, conditioned to question unnecessary and extensive permission requests rather than a single, common one. This app, however, was far from harmless. It came in two parts, the client app running on the smartphone and a command and control server that it connects to in order to do the bidding of the attacker. Once the app is installed and started, it would create a persistent connection to that command and control server and then sit and wait for instructions. Closing the app did not close that server connection. What instructions could be sent by the attacker, resulting in what actions?
I hope you are sitting down as it’s a lengthy and worrying list.
- Take a photo using the smartphone camera and upload it to the command server.
- Record video using the smartphone camera and upload it to the command server.
- Wait for a voice call to start, by monitoring the smartphone proximity sensor to determine when the phone is held to the ear and record the audio from both sides of the conversation.
- During those monitored calls, the attacker could also record video of the user at the same time as capturing audio.
- Capture GPS tags from all photos taken and use these to locate the owner on a global map.
- Access and copy stored photo and video information, as well as the images captured during an attack.
- Operate stealthily by silencing the smartphone while taking photos and recording videos, so no camera shutter sounds to alert the user.
- The photo and video recording activity could be initiated regardless of whether the smartphone was unlocked.”
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Why Should You Care?
While it is great that they are enhancing their security, there is no doubt in my mind that hackers can find a way to get around the new security, and in my opinion, what’s even more alarming than hackers is government agencies having the ability to turn on your camera and “check in” on you whenever they please without your permission or your awareness.
This is literally Orwell’s 1984 coming to life! If you are unfamiliar with this book, first, I highly recommend it; second, it basically foreshadows a totalitarian government referred to as “Big Brother” that is constantly watching and spying on the citizens, ensuring they are following the rules set forth by the state. As Orwell writes,
“The telescreen received and transmitted simultaneously. Any sound Winston made, above the level of a very low whisper, would be picked up by it; moreover, so long as he remained within the field of vision which the metal plaque commanded, he could be seen as well as heard. There was of course no way of knowing whether you were being watched at any given moment. How often, or on what system, the Thought Police plugged in on any individual wire was guesswork. It was even conceivable that they watched everybody all the time. But at any rate they could plug in your wire whenever they wanted to. You had to live - did live, from habit that became instinct - in the assumption that every sound you made was overheard, and, except in darkness, every movement scrutinized.”
“He thought of the telescreen with its never-sleeping ear. They could spy upon you night and day, but if you kept your head you could still outwit them. With all their cleverness they had never mastered the secret of finding out what another human being was thinking. . . . Facts, at any rate, could not be kept hidden. They could be tracked down by inquiry, they could be squeezed out of you by torture. But if the object was not to stay alive but to stay human, what difference did it ultimately make? They could not alter your feelings; for that matter you could not alter them yourself, even if you wanted to.
They could lay bare in the utmost detail everything that you had done or said or thought; but the inner heart, whose workings were mysterious even to yourself, remained impregnable.”
So, What Can We Do?
I’m sure there are a great number of you out there who are thinking, “I’ve got nothing to hide, so who cares?” This is a very passive stance. It’s not about whether or not you are participating in illegal activities, or are worried about being sentenced to jail or caught by authorities; it’s about our right to privacy. As whistle-blower Edward Snowden has said, arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.
But, to each their own. Some steps you can take to protect your privacy:
- Tape the front-facing camera on your device while you’re not using it.
- You may want to put some sticky tac over the microphone when you’re not using it as well.
- Turn off your phone when not in use.
- Simply use your phone less, and when not on it, put it in a different room.
- You may want to be extra cautious when changing, or plotting to overthrow your government.
- You can actually buy nifty little sliding covers to block your camera for your phone and computer.
- Personally, I’ve been toying with the idea of going back to a good ol’ basic flip phone… not just for the security and privacy measures, but to avoid wasting so much time.