With the rapid rise in remote working, more of us than ever before are taking video calls from the privacy of our own homes. Sometimes these even take place in our bedrooms- the same rooms where we lounge around in our pyjamas, sleep and even change our clothes. But just how secure are our Mac and PC webcams? Are we being watched?

Computing Security has been liaising with the technology experts at Reincubate and they have been running us through the risks that await 'out there'. Here is their take on things…

REINCUBATE
The rapid growth of remote and home working has led to a lot of users getting webcams or setting up Zoom equipment in their own homes. Mark Zuckerberg inadvertently brought attention to the risks of users being covertly monitored through their computer's webcams or mics when he posted a now famous photo of his desk set-up, showing his laptop with a covered webcam and blocked mic. If even the creator of Facebook blocks his, who else does?

Apple's release of iOS 14 has done even more to safeguard users from unintentionally recording with its new orange and green dots. That said, user privacy can be violated by a simple accident and without malicious intent. Plenty of Zoom users haven't realised that their cameras were on or that, when joining a Zoom call, the host might have configured the call to start with user cameras on. Additionally, it's possible to join a Zoom call with your camera off, be placed in a waiting room before the call begins and then have the camera turn on once the host admits the user to the call.

Generally speaking, there are few video apps where the host can remotely enable video, if the participant has turned it off after the start of the call and Zoom is safe in this regard. It does, however, have a feature whereby the host can remotely unmute a participants' microphone. If you're in the habit of stepping away from your computer on long calls to get a cup of coffee while muted, beware that you might be unmuted without knowing about it. Similarly, if you're joining the call from a room with other people around, their unexpected presence in your background may cause them embarrassment, if they're not expecting to be broadcast.

These inadvertent risks can be handled with a few simple precautions: covering or physically disconnecting a webcam makes things more obvious and having a mic with a physical mute button helps.

SECURING YOUR CAMERA AND MIC ON AN IPHONE
iPhone and iPad users have the least to worry about. So long as the device has not been jailbroken, it is extremely unlikely that hackers can remotely monitor the device's camera or mic. As far as Apple's orange and green dots, referred to above, are concerned, yes, it's still possible for apps to access an iOS device's camera and mic, but in order for this to happen, users must first install an app and grant it permission to record video and audio. It's possible for apps to record audio - but not video - while backgrounded, but, again, permissions must first be given by the user. Of course, there's always the possibility of state-level cyber espionage, but this is unlikely to affect the average user and is almost impossible to mitigate for, short of not using technology.

Some of the settings available to a user hosting a Zoom call, including the ability to enable participant video at the start of the call.
Broadly speaking, your iPhone and iPad should be perfectly safe, so long as you don't let them out of your sight, and only install apps that you trust.

SECURING YOUR WEBCAM AND MIC ON A MAC
A Mac or a MacBook Pro is second only to an iPhone in its security. Recent Macs include something called a 'T2 chip', which includes a number of hardware-based security features. Most relevant of all, it uses hardware to physically disable a Mac laptop's microphone when the laptop is closed or suspended. From a practical perspective, it's impossible for Mac's webcam to be in use without the accompanying green light being turned on. In the past, there have been workarounds for this but the known exploits have been fixed on Macs.

However, the software on the Mac does not trigger any sort of system-level security prompt when accessing a webcam or mic, so users must be careful to only use apps they trust and not to disable any system-level protection that is enabled on all Macs by default. It's possible for any website that a user is on to request camera and microphone access, but the user's browser - Chrome, Safari etc - will have to prompt the user to give permission. Security-conscious Mac users may wish to try OverSight (free) or Micro Snitch (paid for), popular security tools that run in the background and alert users to any apps accessing their camera or mic.

STEPS FOR STAYING SECURE ON WINDOWS OR ANDROID
Unfortunately, Windows and Android users will have the hardest time of all staying secure. Often the software and hardware for these devices are made by different companies, meaning there's plenty of room for loopholes between the two. Google's Play Store is infamous for including malware apps on a regular basis, and many Android phones (over 1 billion!) suffer from not getting access to the latest security patches or Android updates.

Android and Windows are at serious risk of getting spied on through their webcams.
Theoretically, modern Android devices with the latest security patches will be close to an iPhone's security - at least each app must prompt for webcam or mic access, but a status light won't be shown. But the problem is it's hard to tell by looking at an Android device if it's secure or up to date. Simply because your phone says it has all of the latest security patches doesn't mean that the manufacturer of your Android phone has made all of the security patches available. From this perspective, Google Android devices (such as the Pixel) are more trustworthy, as Google makes both the software and hardware together and is ultimately responsible for issuing the most important security updates.

Staying secure on these platforms is hard. The problem on Windows is so endemic that both Lenovo and HP have started building physical switches and covers into their webcams to give users some peace of mind. Without hardware control of the mic, it's impossible to tell if a Windows laptop could be recording in the background when open or closed!

Blocking microphones isn't easy: you can't cover them with a piece of tape, like you can a camera, or at least, if you do, it won't be at all effective. Most Windows devices will disable their internal microphone when an external mic is plugged in and dedicated mic blockers exist for that purpose. However, it's very hard to tell whether your device really will fundamentally disable its internal microphone when this is done.

Aidan Fitzpatrick, Reincubate: users should keep devices closed or powered off when they are not in use.
Reincubate's advice, if running Android, would be to only use Google devices such as thePixel and to avoid installing third-party apps from the Google Play Store. The risk of malware or app impersonation is not small. Seriously, if you want apps, use an iPhone. A month doesn't pass without a news report of millions of Android users being infected by malware.

WHAT ABOUT ALEXA OR THE HOMEPOD?
Plenty of users have an Alexa or HomePod device in their home or other forms of smart devices, like thermostats or security cameras. These are all capable of broadcasting video or audio captured within the home. It's very hard to keep tabs on these and ultimately one must either trust the company making them or not. Both Amazon and Apple home devices may be listened to by the staff in some circumstances, though there are controls that can enable users to opt in or out of parts of this.

If someone has a smart device at home, it's sensible to behave as if their audio is being recorded. That is potentially quite a burden. It's very much not a good idea to buy smart devices from small, untrusted or unknown vendors. Who knows what their security is like?

TOP TIPS TO HELP YOU STAY SECURE
While there's less for modern iPhone and Mac users to worry about, there is still a set of best practices we'd recommend for all users.

Covering your webcam is important on a PC, but it's arguably helpful for all users, in that it will serve as a reminder to think about security while using the computer. Realistically, you're more likely to inadvertently broadcast yourself without knowing than you are to be remotely monitored by anyone else and a cover helps make that risk obvious.

Anything that makes you more security conscious is likely a good idea. You'll see no end of ads online trying to sell plastic webcam covers: these are junk and you don't need them. A piece of tape or a sticky note is good enough for Mark Zuckerberg and it'll work well enough for you. Any residue left behind will be easy to remove. And, besides, well-designed laptops won't leave enough room to be closed without damaging themselves when an additional plastic cover is stuck on.

Use external, physically connected cameras and audio devices. Relying on an external mic and camera makes it crystal clear whether they are physically connected to your computer or not. This has the advantage that you can then permanently block your device's internal camera and mic. Camo is a good example of a product like this and has the additional benefit of greatly increasing the quality that a user will get when they join calls. Beware of products that require installation of drivers, or which are from unknown or untrusted sources.

Closing your laptop or powering off your computer when not using it will make it harder or impossible for people to access it remotely.

If you step away from your Zoom call while it's muted, perhaps to make a coffee, beware that a host might remotely unmute you without your knowing. If your mic has a physical mute button, you'll be okay. But, if you're using AirPods or an internal mic, there's no mute that can override Zoom's settings. If you're on a call, always assume you might be overheard.

Keep your software up to date, especially the main software on your phone and computer, and any browsers you use.

Don't disable your computer's firewall or malware. Nowadays, these are enabled by default on just about every type of computer and phone, and there's little need to install additional software, beyond specific products for monitoring webcam use (see above).

Be aware of general security best practices and be sure to securely store any video, audio or photos that you've already taken.

Don't let anyone untrusted use - or repair - any of your devices. Who knows what they might install or change!

"There are real risks to not covering a webcam," warns Aidan Fitzpatrick, Reincubate," but, for users with Macs and iPhones, the greatest risk is most likely accidentally broadcasting themselves or unknowingly being unmuted by a meeting host, rather than being surveilled by a hacker. "Webcam covers and physical mute buttons on microphones act as fail-safes and helpful reminders to think about security, and a piece of tape really is the best solution for use with a MacBook. I recommend users keep devices closed or powered off when they are not on use."

And he adds "It's worth thinking about using an external webcam or, for better quality, a smartphone webcam [https://reincubate.com/ camo/], as it can be physically unplugged between calls. Being able to unplug one's camera is the best way to stay secure."