December 20, 2013
Your Webcam May Be Spying On You With No Warning
[ Watch the Video: Worried About Your Webcam? Use Duct Tape For Privacy ]
redOrbit Staff & Wire Reports - Your Universe Online
Researchers at Johns Hopkins University (JHU) have demonstrated a unique type of malware that forces iSight cameras in older MacBook and iMac models to capture images – without ever turning on the camera's warning light.
While most webcams have an LED indicator light that turns on when the camera is active, it’s possible for malware to disable this privacy feature on legacy Mac computers, the researchers said.
JHU Assistant Research Professor Stephen Checkoway and graduate student Matthew Brocker investigated the hardware design of the first-generation iSight webcam model installed in Apple iMac and MacBook computers released prior to 2008, and found that its firmware could easily be modified to disable the LED indicator.
The researchers describe the attack, which targets the firmware in the camera's controller chip, in a report entitled "iSeeYou: Disabling the MacBook Webcam Indicator LED."
According to the paper, first reported by the Washington Post, the iSight’s LED is directly attached through hardware to the webcam’s image sensor, particularly its ‘standby’ pin. The LED turns on when the ‘standby’ signal is off, and turns on when the ‘standby’ signal is active. To disable the LED, the researchers had to find a way to not only activate the ‘standby’ pin, but also configure the image sensor to ignore it so it would not become disabled, which would prevent images from being captured.
To accomplish this, Brocker and Checkoway reprogrammed the camera with a modified version of the iSight firmware using a method that involved sending vendor-specific USB device requests from the host operating system. That operation did not require root privileges, so it could be achieved from a process started by a regular user account, the researchers said.
The team created a proof-of-concept application they dubbed ‘iSeeYou,’ which detects whether an iSight webcam is installed, and if so reprograms it with the modified firmware. This allows the user to start the camera and disable the LED. When the ‘iSeeYou’ is stopped, the camera is then reprogrammed with the original, unaltered firmware.
In their report, the researchers proposed several defenses to this type of attack. One approach involves building a Mac OS X kernel extension called iSightDefender, which blocks specific USB device requests that could be used to load malicious firmware. This kernel extension makes it difficult for hackers to alter the camera because they would need root access.
But the most complete defense would be to alter the camera’s hardware design so that the LED could not be disabled by software, the researchers said.
Several proposals for accomplishing this are described in the paper, along with recommendations on how to secure the firmware update process.
The JHU researchers said they’ve sent their paper to Apple, along with their proof-of-concept code.
Checkoway and Brocker cautioned that hackers in online forums have shown interest in attacks that disable webcam LEDs, but do not believe such a thing is currently possible with newer computer cams.
But the current work shows that it is indeed possible, at least on some older computers, the researchers said.
“We have shown that being able to reprogram the iSight from user space is a powerful capability. Coupled with the hardware design flaw that allows the indicator LED hardware interlocks to be bypassed, malware is able to covertly capture video, either for spying purposes or as part of a broader scheme to break facial recognition authentication,” they wrote in their report.
”In this paper, we have examined only a single generation of webcams produced by a single manufacturer.”
“In future work, we plan to expand the scope of our investigation to include newer Apple webcams (such as their most recent high-definition FaceTime cameras) as well as webcams installed in other popular laptop brands.”