Can you monitor your webcam activity with Zabbix? Of course you can! By day, I work as a monitoring technical lead in a global cyber security company. By night, I monitor my home with Zabbix & Grafana and do some weird experiments with them. Welcome to my weekly blog about this project.
In a world where we work remotely and have our web cameras on much of the time, you can totally forget to turn yours off (or forget to toggle that physical webcam blindfold). Or, a Bad Hombre can lure something nasty to your computer and silently record your activities with it for any later evil consumption.
Scary, huh? Zabbix to the rescue!
Ssssshhhhh! Be very quiet, I am setting up a trap for uninvited visitors
Underneath, this thing works with a combination of zabbix_sender (spawned on my MacBook) and a Zabbix trapper item …
… with some preprocessing applied to it:
See, it works!
Easy bits first: See, this works!
Here’s latest data:
And here’s a graph:
In other words, my Zabbix can now tell if the web camera is on or not. I did not do any triggers for this yet, and for the most part this is just an inspirational post for y’all. Use Zabbix trigger conditions and create alerts such as:
- Webcam is on but none of the usual software that needs a webcam (Teams, Zoom…) is found
- Webcam is on even if the screen is locked
- Webcam is on even if user is not logged in
- Webcam is on in the middle of the night
- Webcam is on even if nobody is home (according to your IoT monitoring setup)
This could easily add another layer to your security and privacy, as any suspicious use of the web camera (or, with a similar technique, a microphone) can be detected in real time.
Headbang time
So, since I mostly use Mac for any webcam needs, I needed to get this working with a Mac. Unfortunately, as a Mac admin, I wear a yellow belt. For what it’s worth, I have an ancient MacBook Pro Retina mid-2012, running macOS Catalina.
First I thought this would be somehow easy, as I am already forwarding all the macOS syslog entries to my home syslog server (which is just the Raspberry Pi that also runs Zabbix & Grafana). Naive me thought that I could just look for kCameraStreamStart/Stop events via that log.
Little did I know, and this is where I request your help to make this sensible. I can see the log entries on my macOS in real-time with
log stream | grep "kCameraStream"
… but that does not want to save the thing in a log file if I try standard redirection with > or piping to tee or any other command, at least not without specifying a timeout value and then restarting the command.
Then there seem to be /etc/asl.conf and an /etc/asl/ directory with many files, but my asl-fu is weak and I have no idea how to make it forward logs to a remote syslog. I found out that in theory there’s a file parameter and I could store messages to a file, which the standard syslog could then forward to my syslog server… but I did not try out that route yet.
I know I could get the webcam status by using lsof but the trouble is that if the camera was on just for a very short time, it is possible to miss that with lsof.
For now, I have this terrible, terrible thing running in the background to see if the concept works, and I would like to get rid of this.
while true; do log show --last 2m | grep kCamera | tail -n1 | xargs -I '{}' zabbix_sender -z my.zabbix.server -s "Personal MacBook Pro" -k webcam.power -o '{}' ; sleep 30; done
So, how to make this as smooth as possible with a Mac? Basically I would just need to forward more logs to my central log server, but I have not yet figured out how to do that.
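One way to replace the polling loop with an event-driven watcher, as an added example that is not from the original post: it filters with a predicate inside `log stream` instead of through grep (grep buffers its output when it is not writing to a terminal) and sends a value as each event arrives. The function names are hypothetical, and it assumes the trapper item takes a numeric 1/0 instead of the raw log line the post preprocesses in Zabbix.

```shell
#!/bin/sh
# Added example: push camera on/off events to a Zabbix trapper item.
# Server, host and key default to the values used in the post's loop.
ZBX_SERVER="${ZBX_SERVER:-my.zabbix.server}"
ZBX_HOST="${ZBX_HOST:-Personal MacBook Pro}"
ZBX_KEY="${ZBX_KEY:-webcam.power}"

# Map one unified-log line to 1 (camera on), 0 (camera off) or nothing.
camera_state() {
    case "$1" in
        *kCameraStreamStart*) echo 1 ;;
        *kCameraStreamStop*)  echo 0 ;;
    esac
}

# Read log lines on stdin and print a value only when the state changes,
# so repeated Start lines do not flood the trapper item.
events_to_values() {
    last=""
    while IFS= read -r line; do
        state=$(camera_state "$line")
        [ -n "$state" ] || continue
        [ "$state" = "$last" ] && continue
        last=$state
        echo "$state"
    done
}

# Long-running watcher (macOS only): `log` does the filtering itself,
# so short-lived camera sessions are not missed between polls.
watch_camera() {
    log stream --predicate 'eventMessage CONTAINS "kCameraStream"' |
    events_to_values |
    while IFS= read -r value; do
        zabbix_sender -z "$ZBX_SERVER" -s "$ZBX_HOST" -k "$ZBX_KEY" -o "$value"
    done
}

# Start the watcher only when asked: sh webcam-watch.sh run
if [ "${1:-}" = "run" ]; then watch_camera; fi
```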
I think that with Linux I could detect the use of /dev/video0 via the audit log or set up an incron hook to trigger if /dev/video0 gets accessed, but I am not totally sure, as these are some murky waters for me; I am not usually spying on my webcam.
I have been working at Forcepoint since 2014 and my co-workers have to stand the pain that is my stupid t-shirts.
This post was originally published on the author’s LinkedIn account