Mac Camera Exploit Shows Spy Potential of All Peripherals

Screenshot shows iSight camera recording covertly without the LED warning light.

Researchers at Johns Hopkins University have posted an exploit showing how to turn on the video camera on MacBook and iMac computers and record without flipping on an LED to warn the machine’s owner.

Using a system’s built-in web-cam to spy on its owner is a significant privacy and security problem that hit the news most recently when a 19-year-old Californian, Jared James Abrahams, plead guilty Nov. 12 to hacking webcams to photograph Miss Teen USA Cassidy Wolf and a dozen other women as part of an extortion scheme. He faces a possible 11-year prison sentence and fines of up to $1 million.

The hack is common enough that hundreds of videos infest YouTube and torrent sites from “RATters” who learned a now-fairly standardized process described in e-books and on hacker forums, according to a March 10 story in Ars Technica.

The technique described by researchers Matthew Brocker and Stephen Checkoway in a paper published on the Johns Hopkins site focuses on a different problem than the malware-and-remote-control technique of ratters.

Their approach – which highlights a persistent weakness in Apple hardware security – uses apps and functions built into two models of pre-2008 Mac and the programmability of a board designed to keep Macintosh webcams from being activated without also flipping on a warning light.

The camera and LED are hard-wired together to ensure both activate simultaneously, but both can be controlled via programming using a combination of the iSight webcam, OS X application iSeeYou, and a virtual-machine escape that launches a terminal emulator. It allows remote users to launch shell commands and install firmware, giving them control over the LED that overrides Apple’s built-in controls.

Apple had denied that ratters were able to activate cameras without also turning on the warning light – an issue that came up in the Cassidy Wolf investigation.

The ability to bypass the hardware lock between the LED and camera raises privacy concerns, even though the current study includes only two types of aging Macs and the first-generation version of the iSight camera that has since been renamed FaceTime, according to grad student Brocker and Checkoway, an assistant research professor of computer science at Johns Hopkins.

The frequency of ratted video demonstrates that taking over components of someone else’s system is simple enough to be used by spies far, far less sophisticated than the NSA and, by extension, illuminates the potential privacy risk in the expanding number of remotely-controlled, semi-intelligent sensors making up the nascent Internet of Things, the two warn in their paper.

“Unlike active input devices like keyboards and mice that require user actions to provide input, a passive sensor requires no action on the part of the user to capture input. Indeed, a user is typically unaware that input is being captured at all unless specific mechanisms are built into the technology to indicate that the sensor is in use,” according to the report.

Brocker and Checkoway developed an anti-malware app called iSightDefender to prevent such takeovers, but the overall threat is far wider than the scope of this particular analysis, according to the paper.

It is likely, the two warn, that not only other webcams, but other peripherals of all types are similarly vulnerable, despite even hardwired measures to secure them.

“Our results in this paper demonstrate that, at least in some cases, people have been correct to worry about malware covertly capturing images and video,” the two wrote in the paper’s introduction.


Image: Matthew Brocker /Stephen Checkoway