JavaScript disabled. Please enable JavaScript to use My News, My Clippings, My Comments and user settings.

If you have trouble accessing our login form below, you can go to our login page.

If you have trouble accessing our login form below, you can go to our login page.

Researchers activate Apple iSight webcams without warning light


Ashkan Soltani, Timothy B. Lee

Video settings

Please Log in to update your video settings

Video will begin in 5 seconds.

Video settings

Please Log in to update your video settings

Covering webcam a 'bandaid solution'

Cautious users are covering their webcams for fear of computer hackers invading their privacy, but the real issue is the threat of malware says security expert Matthew Tett.

PT0M0S 620 349

The woman was shocked when she received two nude photos of herself by email. The photos had been taken over a period of several months – without her knowledge – by the built-in camera on her laptop.

Fortunately, the FBI was able to identify a suspect: her high school classmate, a man named Jared Abrahams. The FBI says it found software on Abrahams's computer that allowed him to spy remotely on her and numerous other women.

Apple's iSight camera now features on most of the company's gadgets.

Apple's iSight camera now features on most of the company's gadgets.

Abrahams pleaded guilty to extortion in October. The woman, identified in court papers only as C.W., later identified herself on Twitter as Miss Teen USA Cassidy Wolf. While her case was instant fodder for celebrity gossip sites, it left a serious issue unresolved:

Most laptops with built-in cameras have an important privacy feature – a light that is supposed to turn on any time the camera is in use. But Wolf said she never saw the light on her laptop. As a result, she had no idea she was under surveillance.

That wasn't supposed to be possible. While controlling a laptop camera remotely has long been a source of concern to privacy advocates, conventional wisdom said there was no way to deactivate the warning light.

Cassidy Wolf celebrates being crowned Miss Teen USA 2013.

Cassidy Wolf celebrates being crowned Miss Teen USA 2013. Photo: AFP

But evidence is mounting that this creepiest of intrusions is real.

There have been warnings. Marcus Thomas, former assistant director of the FBI's Operational Technology Division in Quantico, Virginia, said recently that the FBI has been able to covertly activate a computer's camera – without triggering the light – for several years.

Now research from Johns Hopkins University provides the first public confirmation that it's possible to do just that, and demonstrates how. While the research focused on MacBook and iMac models released before 2008, the authors say similar techniques would probably work on more recent computers from a wide variety of vendors.

In other words, if a laptop has a built-in camera, it's possible someone – whether the federal government or a malicious 19-year-old – could access it to spy on the user at any time, and the user would never know.

The iSight camera was designed to prevent this, said Stephen Checkoway, a computer science professor at Johns Hopkins and a co-author of the study. "Apple went to some amount of effort to make sure that the LED would turn on whenever the camera was taking images," Checkoway said. The 2008-era Apple products they studied had a "hardware interlock" between the camera and the light to ensure the camera couldn't turn on without alerting its owner.

But Checkoway and his co-author, Johns Hopkins University graduate student Matthew Brocker, were able to get around this security feature. That's because a modern laptop is actually several different computers in one package. "There's more than one chip on your computer," said Charlie Miller, a security expert at Twitter. "There's a chip in the battery, a chip in the keyboard, a chip in the camera."

MacBooks are designed to prevent software running on the MacBook's central processing unit (CPU) from activating the iSight camera without turning on the light. But researchers figured out how to reprogram the chip inside the camera, known as a micro-controller, to defeat this feature.

In a paper called "iSeeYou: Disabling the MacBook Webcam Indicator LED", Brocker and Checkoway describe how to reprogram the iSight camera's micro-controller to allow the camera to be turned on while the light stays off. Their research is under consideration for an upcoming academic security conference.

Attacks that exploit microcontrollers are becoming more common. "People are starting to think about what happens when you can reprogram each of those," Miller said. For example, he demonstrated an attack last year on the software that controls Apple batteries, which causes the battery to discharge rapidly, potentially leading to a fire or explosion. Another researcher was able to convert the built-in Apple keyboard into spyware using a similar method.

According to the researchers, the vulnerability they discovered affects "Apple internal iSight webcams found in earlier-generation Apple products, including the iMac G5 and early Intel-based iMacs, MacBooks and MacBook Pros until roughly 2008." While the attack outlined in the paper is limited to those devices, researchers like Charlie Miller suggest that the attack could be applicable to newer systems as well.

"There's no reason you can't do it – it's just a lot of work and resources, but it depends on how well [Apple] secured the hardware," Miller said.

Apple did not reply to requests for comment for this article. Brocker and Checkoway write in their report that they contacted the company on July 16. "Apple employees followed up several times but did not inform us of any possible mitigation plans," the researchers wrote.

The software used by Abrahams in the Wolf case is known as a Remote Administration Tool, or RAT. This software, which allows someone to control a computer from across the internet, has legitimate uses. For example, it can make it easier for a school's IT staff to administer a classroom full of computers.

Indeed, the devices the researchers studied were similar to MacBooks involved in a notorious case in Pennsylvania in 2008. Administrators at Lower Merion High School outside Philadelphia reportedly captured 56,000 images of students using the RAT installed on school-issued laptops. Students reported seeing a "creepy" green flicker that indicated that the camera was in use. That eventually led to a lawsuit.

But more sophisticated remote monitoring tools may already be able to suppress the warning light, said Morgan Marquis-Boire, a security researcher at the University of Toronto.

He points to commercial surveillance products such as Hacking Team and FinFisher that are marketed for use by governments. FinFisher is a suite of tools sold by a European firm called the Gamma Group. A company marketing document released by Wikileaks indicated that Finfisher could be "covertly deployed on the Target Systems" and enable, among other things, "Live Surveillance through Webcam and Microphone."

The Chinese government has also been accused of using RATs for surveillance purposes. A 2009 report from the University of Toronto described a surveillance program called Ghostnet that the Chinese government allegedly used to spy on prominent Tibetans, including the Dalai Llama. The authors reported that "web cameras are being silently triggered, and audio inputs surreptitiously activated," though it's not clear whether the Ghostnet software is capable of disabling camera warning lights.

But there is an easy way for users to protect themselves. Many security experts have used sticky tape, with the latest research perhaps proving why they shouldn't be considered paranoid.

"The safest thing to do is to put a piece of tape on your camera," Miller said.

Ashkan Soltani is an independent security researcher and consultant.

Washington Post and Fairfax Media


  • But Macs are impervious to all malware and viruses, all good fanbois know this!!!! The cited information simply cannot be correct.

    Date and time
    December 19, 2013, 3:30PM
    • FFS: "Actually it don't say anywhere in the article that the laptop was an Apple one."

      Exactly, and in fact a US Today show story about the arrest of the hacker in the Cassidy Wolf case shows Cassidy using a laptop at home and it's *not* Apple. This could happen to anyone, whether they use a Mac or not. (around the 50-second mark)

      Date and time
      December 20, 2013, 7:46AM
    • Ironic that the FBI tracked down the hacker. In a recent SMH article it was revealed that the FBI can, with a warrant, hack into a webcam without switching on the light.

      Date and time
      December 20, 2013, 7:54AM
  • "AGE" Another rubbish and misinformed article for people to read. There are 1000x more rubbish Laptops on the market that this happen's to all the time that come with bloatware and run MS that just loves malware and trojans. Yet, you singe out an Apple product from 2008 that you CANT BUY RETAIL. Any body who reads this would then want to go and get a Pc for MS for fear of spycams yet you are directing them in to a pitfall (spycam plus MORE rubbish!).

    The "Age" really is an Apple bashing place. By far and large a MacBook or Imac is the most secure product compared to anything MS release.

    I suppose, the Age really only bad mouth Apple products because they know people will read the article and the site will get more hits. MS just don't have that traction.

    Date and time
    December 19, 2013, 4:04PM
    • This is an article about Apple computers, not computers running Windows. The research paper discussed is called "iSeeYou: Disabling the MacBook Webcam Indicator LED". I think it's time for your tablet, dear.

      Date and time
      December 19, 2013, 5:11PM
    • oh no another apple fanboi upset.
      I suppose the fact that it was actually an apple computer used in this court case is not relevant ?

      Date and time
      December 19, 2013, 5:29PM
    • Actually it don't say anywhere in the article that the laptop was an Apple one, moreover in the article when they referred to MacBooks being used to spy on students using a Remote access tool legitimately installed by the school who owned the laptop, the 'green flicker' referred to indicates the warning light worked as it supposed to.

      While the prospect of being spied on is worrying the information as presented is incomplete, does the software referred in the study require physical access to the computer to install the software? It's all very well to talk about a potential vulnerability but getting it to work is a bit harder, besides if you were a criminal wouldn't it be more profitable to capture keystrokes.

      The text entered after, login and password, would be far more profitable, wouldn't you think?

      Date and time
      December 19, 2013, 9:27PM
  • Not ME!!! I don't buy Apple rubbish.
    Sucked in, Kents.

    Date and time
    December 19, 2013, 4:17PM
    • Unfortunately similar hacks can be done on laptops/PCs running windows, unix, etc.
      you're stuffed too...

      Date and time
      December 19, 2013, 6:55PM
    • The moderators must hate Apple products, because they let Really?'s comments (a simple troll) slide...

      If someone wants to see me in my underwear, I cannot be held responsible for the irreparable damage such a sight will cause the viewer :D

      Gold Coast
      Date and time
      December 20, 2013, 6:07AM

More comments

Comments are now closed

Related Coverage

How hackers can switch on your webcam and control your computer

A NSW teenager is among a community of hackers spying on unwitting victims.

Taping over prying eyes of web spies

IT experts are resorting to some simple techniques to secure their webcams.

FBI investigating 'sextortion' hacking case targeting Miss Teen USA

The FBI is investigating an alleged "sextortion" case involving newly crowned Miss Teen USA Cassidy Wolf and a hacked webcam.

Why I cover my iPhone and laptop camera and why you should too

Ever feel like you're being watched through the web cameras of your multiple devices? I did and found plenty of comfort in sticky tape.

Apple patents touch and hover display, heart rate monitor and desk-free computer

Apple has acquired patents for a "touch and hover" display, a heart rate monitor and a "desk-free computer".

Covering webcam a 'bandaid solution' (Thumbnail) Covering webcam a 'bandaid solution'

Cautious users are covering their webcams for fear of computer hackers invading their privacy, but the real issue is the threat of malware says security expert Matthew Tett.

Related Coverage

HuffPost Australia

Follow Us

Featured advertisers