MacBook webcams can spy on users without the warning light turning on.
Apple computers have a “hardware interlock” between the camera and the light that should ensure the camera can’t end up activated without alerting the user by lighting the LED above the screen, researchers said.
Stephen Checkoway, a computer science professor at Johns Hopkins University and graduate student Matthew Brocker were able to circumvent this security feature by reprogramming the micro-controller chip inside the camera.
Normally, any program running on a MacBook’s central processing unit that takes images through Apple’s iSight camera would turn on the light. Brocker and Checkoway’s reprogramming tactic allows the camera and the light to activate separately, which means the camera can operate while the light is off.
The researchers have released proof-of-concept software to demonstrate the trick, including a paper, entitled “iSeeYou: Disabling the MacBook Webcam Indicator LED.”
“The same technique that allows us to disable the LED, namely reprogramming the firmware that runs on the iSight, enables a virtual machine escape whereby malware running inside a virtual machine reprograms the camera to act as a USB Human Interface Device (HID) keyboard which executes code in the host operating system,” the researchers said. “We build two proofs-of-concept: (1) an OS X application, iSeeYou, which demonstrates capturing video with the LED disabled; and (2) a virtual machine escape that launches Terminal.app and runs shell commands. To defend against these and related threats, we build an OS X kernel extension, iSightDefender, which prohibits the modification of the iSight’s firmware from user space.”
The research focused on MacBook and iMac computers released before 2008 (iMac G5 and early Intel-based iMacs, MacBooks, and MacBook Pros) but other security researchers said the same tactics would work on more recent models from multiple vendors, not just Apple.