NSA spy details how to tap into webcam on Mac without user noticing

News by Rene Millman

An ex NSA spook has shown how to tap into a Mac's webcam without the user even knowing

A former NSA employee has demonstrated how malware on a Mac can tap into the computer's built-in webcam and microphone to spy on unsuspecting users.

While a green LED light usually switches on by the side of the webcam to show that it is being used and is difficult to bypass, Patrick Wardle demonstrated that malware can covertly record these, all in an essentially undetectable manner, during a call when the light is already on and the user is unaware.

In a paper, titled Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings, Wardle said that he had examined g various ‘webcam-aware' OS X malware samples, the research and showed that a new ‘attack' that would allow such malware to stealthily monitor the system for legitimate user-initiated video sessions, then surreptitious piggyback into this in order to covertly record the session. 

“As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection,” he said.

Wardle, director of research at a security firm Synack, presented his findings at the Virus Bulletin conference. He has previously found ways for Mac malware to bypass Apple's Gatekeeper protections to run unsigned apps as well as uncovering a flaw in Apple's fix for the Rootpipe vulnerability.

He said he has developed a tool, dubbed Oversight, to block these rogue webcam connections that attempt to piggyback off legitimate apps. The tool sends users an alert whenever a process accesses the webcam or when the internal mic is activated, allowing the user to block the session. The free app can be found here.

There is no indication that Apple will block this exploit in an update to its operating system. SCMagazineUK.com emailed Apple for a comment but none was forthcoming at the time of writing.

Matt Walmsley, EMEA director, Vectra Networks, told SC that these gadgets have limited storage and memory in comparison to computers - so it's rarely viable to embed defenses like anti–virus technology into the devices themselves.

“Also, these types of devices very rarely get patches and updates. This means their weak spots can be left unaddressed for months or even years. So if the software and firmware of these gadgets are not regularly updated to address vulnerabilities, then they are left open to exploitation. There's now a lot of pressure on the manufacturers to raise their game and support the embedded software side of things as long and as vigorously as, say, a PC operating system vendor does.”

“In the context of a webcam, these devices get more interesting to pesky cybercriminals when they can be used to establish a point of access in a network. Putting a backdoor into a webcam, for example, gives a hacker full-time access to the network without having to rely on infecting a laptop with malware. With this unauthorised access, hackers are able to spy on unsuspecting individuals,” he said.

Javvad Malik, security advocate at AlienVault, told SC that he once worked for a company that, for sensitive projects, would resort to physically opening up laptops and disconnecting the webcam.

“In reality, there doesn't seem to be any viable – scalable solution available for enterprises beyond what is currently in place to prevent malware getting onto machines, and detecting and trying to block outbound connections,” he said.

“At least from a video perspective, webcam covers or sticky tape seems to be a viable workaround.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews