By End The Lie: Researchers have demonstrated the ability to remotely hack into a MacBook webcam without triggering the indicator light, a capability which the FBI has reportedly had for several years.
In August, it was revealed that the National Security Agency (NSA) calls on its employees to physically remove the built-in webcam from Apple laptops for security reasons.
The findings of the researchers, first reported on by The Washington Post, are especially interesting because Apple laptops have the indicator LED hardwired to the camera.
This hardwiring is designed to activate the light whenever the camera is activated, a feature that should prevent the remote activation of the webcam without the user’s knowledge.
The researchers looked at 2008 MacBooks and MacBook Pros, so it is unclear if the results also apply to today’s Apple laptops.
The researchers from Johns Hopkins University told the Post that “similar techniques could work on more recent computers from a wide variety of vendors.”
“In other words, if a laptop has a built-in camera, it’s possible someone — whether the federal government or a malicious 19 year old — could access it to spy on the user at any time,” the Post reports.
Stephen Checkoway, a computer scientist at Johns Hopkins who co-authored the study, found a way to remotely reprogram the iSight camera’s micro-controller chip that is supposed to establish a hardware-level interlock between the camera and the indicator light, according to The Verge.
The researchers provided the Post with a copy of their proof-of-concept software, demonstrating how the camera can be remotely activated without turning on the indicator light.
“People are starting to think about what happens when you can reprogram each of those,” said Charlie Miller, a security expert working for Twitter, referring to micro-controllers like the one attached to the iSight camera.
Miller cited an attack that could rapidly discharge Apple batteries via the micro-controller, which could potentially lead to a fire or even an explosion.
Using a similar method, another researcher demonstrated how the built-in Apple keyboard could be turned into spyware.
While the paper only cites the earlier generation of Apple products, Miller contends that similar attacks could apply to new Apple systems.
“There’s no reason you can’t do it — it’s just a lot of work and resources but it depends on how well [Apple] secured the hardware,” Miller said to the Post.
Apple did not reply to the Post’s requests for comment, but what is more troubling is the response the researchers received from company representatives.
“Apple employees followed up several times but did not inform us of any possible mitigation plans,” the researchers wrote in the study.
While Apple supposedly has the indicator light hardwired to the camera, many others do not offer such a feature.
“Logitech cameras, for example, have a software-controlled LED,” Ars Technica reports. However, this is designed to work with a software feature that allows them to be used as motion-activated security cameras.
“Whether this design makes sense for most users, given the apparent abundance of surreptitious webcam-based spying, is less clear,” notes Peter Bright for Ars Technica.
On a positive note, secure designs for the indicator light are indeed possible, but software-mediated hardware interlocks for indicator lights remain vulnerable.
Ars sums it up quite rightly in saying, “When it comes to protecting against webcam spying, you should ignore the technology and simply tape over the camera.”
I was wondering if they would mention the tape over my camera, and it did in the last line. The issues with NSA and Outlook Express are equally scary. Hoover said he wanted a spy in every wardrobe, they got more than he ever dreamed......
Forty
Absolutely. The NWO is a new phase all inclusive ultra invasive bar-coding of humanity. I don't believe in gods, but it seems to me to be the very essence of the Christian book of revelations '666' plot. I refer to it as bankocracy or faux democratic fascism. There is no shortage of other advanced and effective co-operative systems that are fairer.
Hoover was looking at a massively enlarged military industrial complex after the second world war that he recognized had taken on a self perpetuating life of its own and warned us about the dangers. Do the maths and you will see that this monster has grown considerably more powerful since then, point being it is now virtually unstoppable and a root cause of the greatest trouble around the planet.
From our mobile phones' location to your every keystroke connected to the net, databanks the size of Wales record and store and the data is recalled when required to destroy those with opinions that are contrary to the continued funding of such activities.
Disband the western political class and move to open democracy and direct government by the people. Let the community decide for itself if it would rather wage unnecessary wars or heat the homes of the elderly.
I have seen from the inside that UK political parties are all a joke. Never ever vote for any but the totally independent who recognize the above or our goose is cooked.
When rules that are being planned become effective at censoring the net there will be much less chance of a velvet revolution. ;-)
I really like your writing style. Such a nice post, can’t wait for the next one.