MacBook webcam light can be disabled to spy without notice, researchers find

Researchers have found that, contrary to popular belief, online snoops with enough technical savvy can disable the indicator light on Apple webcams to spy on people without notice.

In a report, aptly called “iSeeYou: Disabling the MacBook Webcam Indicator LED,” two Johns Hopkins University researchers, Matthew Brocker and Stephen Checkoway, describe how the hack works in older MacBook laptops and iMac desktops.

The 13-page report was published last Wednesday, and first reported on by The Washington Post a week later.

The duo built an OS X application, dubbed “iSeeYou,” which demonstrates how they were able to capture video with the LED [light-emitting diode] disabled. The hack allowed them to bypass the hardware interlock used by first-generation internal iSight webcams installed on older MacBook laptops and iMac desktops released prior to 2008 (including the iMac G5 and early Intel-based iMacs, MacBooks and MacBook Pros).

“Coupled with the hardware design flaw that allows the indicator LED hardware interlocks to be bypassed, malware is able to covertly capture video, either for spying purposes or as part of a broader scheme to break facial recognition authentication,” the report said.

The report also noted that while some webcams, like the Logitech QuickCam Pro 9000, allow LED control, where the warning light can be disabled, “such controls are not the norm and, in fact, are a very bad idea from both a security and privacy standpoint.”

Brocker and Checkoway disclosed the LED-disabling vulnerability to Apple's product security team on July 16. While Apple employees “followed up several times,” the researchers said that Apple did not let them know of any mitigation plans.

The duo also plans to test their research on newer Apple webcams, including the company's FaceTime cameras, and on webcams installed in other popular laptops, the report said.

The ability to remotely activate users' webcams, without their LED coming on, can be seen as even more concerning, given the prevalence of “sextortion” scams being carried out by ill-intentioned individuals with technical prowess.

Last month, 19-year-old Jared James Abrahams pleaded guilty to hacking young girls' webcams in an extortion campaign, which victimized Miss Teen USA, Cassidy Wolf.

The pageant winner was a high school classmate of Abrahams, who now faces the possibility of prison time of 27 to 33 months for extortion and computer crimes.
