7.2 iSight Camera Privacy and Confidentiality Concerns

Information

If the computer is present in an area where there are privacy concerns or sensitive images or actions are taking place the camera should be covered at those times. A permanent cover or alteration may be required when the computer is always located in a confidential area.

Malware is continuously discovered that circumvents the privacy controls of the built-in camera. No computer has perfect security and it seems likely that even if all the drivers are disabled or removed that working drivers can be re-introduced by a determined attacker.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

At this point video chatting and other uses of the built-in camera are standard uses for a computer. It is contrary to a standard use case to permanently remove the camera. In cases where the camera is not allowed to be used at all or when the computer is located in private areas additional precautions are warranted. The General rule should be that if the camera can capture images that could cause embarrassment or an adverse impact the camera should be covered until it is appropriate to use.

See Also

https://workbench.cisecurity.org/files/301