I decided to investigate the system my work uses to manage my laptop.My camera is taped over and this story explains why. The pack of the cigarettes in the background are candy ones for anyone who is curious and yes I am addicted.
JAMF ENABLES REMOTE IMAGE CAPTURE WITH BUILT IN WEBCAM
The system my work uses to manage the macs there is called JAMF casper suite
The system seems pretty solid and allows easy management of macs in an enterprise environment. It basically allows a third party at work to control and monitor the client computer and its usage at all times, install software and to run scripts as root from afar. I frankly haven't trusted or loved my computer the same since it was installed but I realize I have no choice about this as I do not own the machine. The real point of this article is about the image capture part capability which is downright sketchy.Disclaimer: I am in no way suggesting this is being used inappropriately at my work nor am I suggesting that there was any tampering with the Jamf binary or that there is any malicious intent from anyone. I just thought this might be of interest to anyone else who has their laptop managed with JAMF.
I decided to go ahead and explore the JAMF binary on my computer with a hex editor to see if it had an mention of images.
I found a reference to sendImageCapture. It was also interesting to see they must also be using svn for development. When executed with /usr/sbin/jamf sendImageCapture it attempts to take a picture with the laptop webcam and send an image to the JSS (a server) which manages my computer. It does it pretty sneakily putting the file into /private/snapshot.jpg for a millisecond and then quickly removing it with no notice to the user.
I put a sniffer on the folder to trap the file upon creation and copy it somewhere else so I could examine it. It is indeed a snapshot from my webcam although the feature is either intentionally underexposed as some sort of encryption or slightly flawed in that the images are quite dark. Nevertheless, that can certainly be fixed with some simple image editing I was able to see the room around me in photoshop and possibly they are auto fixed when arriving at the JSS.
In defense of the current deployment I found a Jamf KB about it
which seems to mentioned you could not deploy the sendImageCapture.sh and that script is in fact not deployed by our JSS means they probably thought about this and decided not to. The problem is that that script is only one line which executes: /usr/sbin/jamf sendImageCapture
meaning it is essentially just an alias for something that is already deployed on every computer controlled by JAMF and it can be both locally and remotely executed by the casper user or any other admin user on the machine. Once again: I am in no way suggesting it is being used.
The strange part is that unlike all of the other Jamf functionality it reports nothing in either the system or jamf.log when fired but reports: Uploading /private/tmp/snapshot.jpg to the JSS_URL ... to stdout. Additionally, this feature is not listed when you use /usr/sbin/jamf help which lists all the other jamf commands.
I could not find anything referencing the microphone or sound but I am not assured that does not exist. I assume they would not have this as it would be totally illegal to record randomly without consent.
Holy shit! You could get posted to one of those "hidden camera" sites. But, seriously great sleuthing. I think metalpeter has a good point. Oh, and last link doesn't work.
Ok this is my question. What if the web cam was in use in a chat on line or maybe taking pictures by the user when it was used remotely. Would it not work or would there be something to tip of the user?