Security experts in the United States have figured out how hackers can remotely access without being detected the built-in webcams installed in millions of Apple computers, but law enforcement agencies already have that exploit in their toolbox of tricks.
Researchers at John Hopkins University revealed their findings in a paper published by the school this month, iSeeYou: Disabling the MacBook Webcam Indicator LED, and in it they warn that the internal cameras shipped with older versions of certain Apple laptops and desktops can be turned on by hackers anywhere in the world without ever triggering the warning lights that are meant to alert a computer user that they’re being recorded.
“The ubiquitous webcam indicator LED is an important privacy feature which provides a visual cue that the camera is turned on,” John Hopkins computer science professor Stephen Checkoway and grad student Matthew Brocker write in the abstract of their report.
In the MacBook and iMac computers they tooled with, however, they were able to disable that light in a way that could let a camera be remotely controlled by a hacker and then used to take pictures or record video on a victim’s machine without them ever becoming aware. By using a Remote Administration Tool, or RAT, the researchers were able to take control of a target’s internet-connected computer and then reprogram the factory-installed iSight camera’s micro-controller to let the camera and light to be activated independently of one another.
“Apple went to some amount of effort to make sure that the LED would turn on whenever the camera was taking images,” Checkoway told the Washington Post for an article published on Wednesday. In just a 13-page report, however, they’ve outlined a way to bypass that feature and, combined with the right know-how, let a hacker, investigator or anyone willing to try it secretly access and then control a stranger’s computer.
“This enables video to be captured without any visual indication to the user,” the researchers write.
As early as July 2012, the US Federal Bureau of Investigation was warning computer users about the possibility of an exploit just like that.
“With the webcam comes the opportunity for people to use malicious software to control that webcam,” FBI Cyber Unit agent Justin Vellese told ABC News reporters last year.
At the time, Vellesse cautioned that that particular type of exploit stood to soon become exponentially more prevalent. As it turns out, however, the FBI has been engaging for years in hacking operations precisely like what the John Hopkins researchers wrote about in this month’s report.
“The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations,” the Post’s Crain Timberg and Ellen Nakashima reported earlier this month in a separate article published after speaking with Marcus Thomas, a former assistant director for the FBI’s Operational Technology Division in Quantico, Virginia.
Four months before that, the Wall Street Journal quoted an unnamed former agent with the FBI’s cyber division who admitted the bureau “hires people who have hacking skill, and they purchase tools that are capable of doing these things,” such a covert surveillance.
It’s unclear exactly how often these types of tricks are used by federal agents, but in April a Texas magistrate rejected a search warrant request filed by FBI officers who wanted the court’s permission to take control of the built-in camera on a computer believed to be used by someone accused of violating federal bank fraud, identify theft and computer security laws.
Checkoway and Brocker did their tinkering with Apple models released before 2008, but say they expect the hack would work with at least some newer computers that contain webcams too.