For more than a decade, every MacBook that Apple has shipped has come equipped with a built-in camera and microphone. According to Synack’s Director of Research Patrick Wardle, it’s possible for an attacker to gain access to a macOS device’s webcam and microphone by hiding alongside, or “piggybacking,” a legitimate application that is accessing the video and audio hardware.
Wardle isn’t an average security researcher; he spent nearly three years working for the National Security Agency, which taught him to think about security risks in a specific way.
“I used to work for the NSA, so my mind is full of ideas, and I wanted to figure out if it was possible to record video from a macOS user in a way that wouldn’t be detected,” Wardle told eWEEK.
On a MacBook, there is an LED light that indicates when the device’s camera is active. According to Wardle’s analysis, the hardware security for disabling the LED indicator is very strong. That said, there are legitimate applications that can access a webcam, when a user would expect the LED light to come on.
Wardle wanted to see if it was possible to piggyback on the legitimate use of the camera, using an unauthorized application to track and record a macOS user without his or her knowledge. It turns out that the webcam is a shared resource in macOS, meaning users could potentially use both Skype and FaceTime video applications at the same time, if they wanted.
“Basically all the malware does is it monitors a macOS system looking for a legitimate webcam session,” Wardle said. “The malware can then access the webcam and start recording the local user.”
There are a few caveats to Wardle’s attack scenario. For one, the unauthorized use of the camera can only happen if the macOS user is already infected with malware from some source. Wardle noted that there have been examples of legitimate macOS apps that have been compromised in some way to become malware. That said, if a user only downloaded signed applications from the Apple macOS app store, the chances of a malware infection are relatively slim.
“There has been a recent uptick in macOS malware that is webcam aware,” he said.
Wardle noted that in July the OS.X Eleanor malware that attempted to record Apple users was first publicly detected. The Eleanor malware, however, recorded users arbitrarily, with a MacBook LED camera indicator coming on by itself, without another application first starting the camera, he said. In Wardle’s view, it should be easy for users to notice their devices’ camera LED indicator coming on by itself, alerting them that something is wrong.
“If instead they had used this technique and waited for legitimate use and then recorded the user, the Eleanor malware could have easily avoided detection,” Wardle said.
The ability to piggyback on an existing application isn’t necessarily a vulnerability that Apple could or should fix, Wardle said. Having the camera as a shared resource can make sense, he added.
However, there are some things that Apple can do to help macOS users. In fact, Apple already provides its mobile iOS users with an additional measure of control over the camera that isn’t present in macOS. On iOS, whenever an application first attempts to access to the camera, a pop-up dialogue box asks the user if they he or she wants to grant access.
“I would like macOS to be more like iOS where there is an alert when the camera is accessed,” Wardle said. “That would allow the system to still share the webcam, but if malware somehow attempts to access your system, you’d see a pop-up request for access.”
While Apple doesn’t yet have an indicator for camera activity for macOS, Wardle has built a freely available tool called OverSight that will monitor the microphone and webcam on a macOS device and alert the user whenever it is accessed.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.