
MacBook webcam light can be disabled to spy without notice, researchers find

Researchers have found that, contrary to popular belief, online snoops with enough technical savvy can disable the indicator light on Apple webcams to spy on people without notice.

In a report, aptly called “iSeeYou: Disabling the MacBook Webcam Indicator LED,” two Johns Hopkins University researchers, Matthew Brocker and Stephen Checkoway, describe how the hack works in older MacBook laptops and iMac desktops.

The 13-page report was published last Wednesday, and first reported on by The Washington Post a week later.

The duo built an OS X application, dubbed “iSeeYou,” which demonstrates how they were able to capture video with the LED [light-emitting diode] disabled. The hack allowed them to bypass the hardware interlock used by first-generation internal iSight webcams installed on older MacBook laptops and iMac desktops released prior to 2008 (including the iMac G5 and early Intel-based iMacs, MacBooks and MacBook Pros).

“Coupled with the hardware design flaw that allows the indicator LED hardware interlocks to be bypassed, malware is able to covertly capture video, either for spying purposes or as part of a broader scheme to break facial recognition authentication,” the report said.

The report also noted that, while some webcams, such as the Logitech QuickCam Pro 9000, offer LED control that allows the warning light to be disabled, “such controls are not the norm and, in fact, are a very bad idea from both a security and privacy standpoint.”

Brocker and Checkoway disclosed the LED-disabling vulnerability to Apple's product security team on July 16. While Apple employees “followed up several times,” the researchers said that Apple did not let them know of any mitigation plans.

The duo also plans to test their research on newer Apple webcams, including the company's FaceTime cameras, and on webcams installed in other popular laptops, the report said.

The ability to remotely activate users' webcams, without their LED coming on, can be seen as even more concerning, given the prevalence of “sextortion” scams being carried out by ill-intentioned individuals with technical prowess.

Last month, 19-year-old Jared James Abrahams pleaded guilty to hacking young girls' webcams in an extortion campaign, which victimized Miss Teen USA, Cassidy Wolf.

The pageant winner was a high school classmate of Abrahams, who now faces a possible prison term of 27 to 33 months for extortion and computer crimes.
