The corona pandemic has fundamentally changed communication in the working world: whether it’s a morning video conference or a meeting in the afternoon, video calls with activated cameras are normal for many employees. Working from home poses many risks for data security.
This is shown by research and technical tests by Bayerischer Rundfunk. The data journalist teams BR Data and BR AI and Automation Lab, together with PULS Reportage, were able to prove that notebook programs can activate the camera and microphone at any time to record videos and conversations.
In addition, computer apps can photograph or record all screen content at any time. This carries the risk of extensive espionage attacks, in which apps could covertly access internal documents, images and videos – basically anything that happens on the computer screen.
Vulnerabilities known for years
These problems have been known in IT security circles for years: Although the security gaps have repeatedly been used by malware for espionage attacks in the past, Microsoft and Apple have hardly made any improvements to their operating systems – this is shown by the BR tests. In addition, more and more companies have been using video telephony, and not just since the Corona pandemic: According to a survey by the IT industry association Bitkom from last year, adults communicated via video chat eight times a day on average.
Operating systems allow extensive espionage
For the tests, the BR programmed an app whose function is based on well-known communication apps. Similar to video chat programs such as Zoom, Microsoft Teams, Skype or WhatsApp, the test app not only allows for conversations with picture and sound, but also for sharing your own screen. The aim of the tests was to find out where the operating system protects or warns of privacy. The BR team installed the test app on two different devices: a Macbook running MacOS version 12.1 and a PC running Windows 11.
MacOS: Several apps can use the camera at the same time
The differences between the notebook operating systems were already apparent during the installation of the test app and during the first test call: While with MacOS, in addition to using the camera, access to the microphone and sharing the screen had to be explicitly permitted, the call worked with video image, sound and split screen on Windows without any consent from the user.
Although a signal light indicates that the camera is in use on both Windows and MacOS, the test app was able to partially bypass this security requirement on MacOS. In the test, the test app was able to secretly film whenever the notebook camera was being used by another app and the green signal point was visible.
Since the camera is running at this moment anyway, it remains unclear how many and which apps have access. When asked, Apple confirmed that if multiple apps were granted general camera access, this "simultaneous camera access" would be possible. In addition, the company writes: "Apps must be given permission to access the Mac's camera or microphone."
Windows: Double camera access not excluded
On Windows, however, it was not possible for the test app to use the camera at the same time as another app and covertly film people in this way. On request, however, Microsoft informed in writing that such camera access is technically possible and further: "Users [can] decide which apps they allow access to their camera." Microsoft admits: "In some cases, applications can work independently of the Windows settings." That means it cannot be ruled out that there are apps that access the camera without asking.
MacOS and Windows: Screen recordings possible at any time
In the second part of the experiment, the BR team examined whether apps can record screen content unnoticed. While secret camera access is only possible in certain situations, the test app on Windows was able to record all screen content, such as images, videos, chat messages or e-mails, without any consent. Technically, this form of espionage was possible with all visibly opened, maximized windows.
Even with MacOS, the app was able to secretly access all screen content. In contrast to Windows, however, this only worked after a one-time approval. When asked, both Microsoft and Apple again referred to the authorization concepts of the respective operating systems.
Close programs properly
In view of these test results, Miriam Föller-Nord, Professor of Cybersecurity at Mannheim University of Applied Sciences, demands that the manufacturers of the operating systems "should do as much as possible for cybersecurity". However: "There is no such thing as total security as long as you are connected to the Internet."
However, users have the option of protecting themselves: Apps cannot record the screen or secretly access the camera if they have been closed "properly" – in MacOS via the "Activity Monitor", in Windows via the "Task Manager". But not only switching off helps: With MacOS and Windows, you should always allow as few apps as possible and install software from well-known sources, such as the Windows or Apple Store.