Can hackers enable the camera after the user disabled it? [closed]

A person I know got a spam email saying to pay a ransom of 1000$ for his personal information. The spammer sent him an old password he used in an old email as proof; the email is linked to his Facebook account.

He is afraid the hacker had access to his camera and his personal information and info related to work. Is there a way the hacker could have enabled the camera and started recording after the user disabled it?

Note that the laptop doesn't have any real protection, just Windows Defender and firewall. He found the webcam was enabled after disabling it. Also, can Windows enable the camera on its own after an update?


These emails are all scams. I get them and I don't even have a webcam on my desktop.


In theory a dedicated attacker could have done this, if they got in and used a privilege-escalation exploit to get kernel access.

But AFAIK typically randomly-targeted attacks for extortion purposes aren't going to be worth the risk of burning an unknown / unpatched 0-day exploit, so unless your computer doesn't get security updates, the chances of a casual attacker actually getting in are basically zero. And the amount of effort they'd have to put in (downloading and watching videos of random people from the camera) to actually find people doing anything embarrassing is way higher than just making stuff up!

So the real risk is if you are a high-value target for some attacker, like maybe they want to read papers on your desk near your computer. Or the screen of another nearby device. They wouldn't be sending you blackmail emails about it.


There are no physical interlocks that would prevent the camera from being enabled without a physical keyboard press or physical mouse click. It's all software. AFAIK it's usually fairly secure software, behind multiple layers of protection (like it would require a kernel exploit to silently enable the camera without user interaction).

The only way to be sure is to physically cover the lens of your camera, and/or not point it at yourself when not using it. Just like the only way to be sure your computer isn't cracked is to keep it powered off (physically unplugged), and preferably encased in concrete, at the bottom of the ocean.


I think I've seen some laptops with a flap you can slide over the camera, possibly to protect the lens from dirt, or maybe privacy was one of the intended uses. Some stand-alone USB webcams have a physical lens-cover slider or iris.

Built-in microphones are more insidious because they're not directional.


This is a well-known scam, as uSlackr describes. But that doesn't mean it can't be done. People are always finding new exploits. Everything can't be done until someone figures out how to do it. With hacking, the safe assumption is to assume almost anything is, or will be, possible, so take precautions.

For example, no hacker can make the camera see through painter's or gaffer's tape if you leave a flap of it in place when you don't actually need the camera.

But taking precautions is different from reacting to a claim that somebody actually did it to you.

Some scams work because there actually is such an exploit, making it seem more credible even if it wasn't used on you. There are lots of things that can be done by a very proficient, motivated hacker. Intelligence agencies, with the resources of a government behind them, can pull off some pretty fancy spy craft.

When you have been told that someone hacked your system, part of evaluating the potential truth of it is to weigh the scenarios. You can never completely rule out that someone might potentially have done it, but you can compare likelihoods. If you aren't a valuable target (foreign dignitary, owner of really valuable secrets, a terrorist, etc.), it isn't too likely that someone is going to invest serious time, money, and effort to hack your system. If you're going to be a "hacking" victim, it's much more likely that it will be some simple target of opportunity or just a scam, where there wasn't actually any hack.

The scam you mention relies on easily available information, the human nature of the victim, and requires no actual hacking. Why would anyone go to the trouble of hacking your system when they can fake out a lot of people without really doing anything?

When a well-known scam like this is going around, the odds heavily favor that you're a scam victim rather than an actual hacking victim. There's an old aphorism coined by a medical school professor about not jumping to an exotic medical diagnosis when a more commonplace explanation is more likely: "When you hear hoofbeats, think of horses not zebras."