Mac malware uses built-in camera, mic to secretly spy on you
Patrick Wardle, Director of Research at Synack demonstrated how malware could easily “piggyback” on legitimate user-initiated video and audio sessions by gaining access to a macOS device’s webcam and microphone while keeping its spying activity hidden.
Malware with this skill has to be able to detect a user-initiated webcam session, start its own recording, and end it as soon as the legitimate session is over, so that the camera and the hardware-based LED indicator can switch off.
Every MacBook that Apple has shipped for more than a decade has come equipped with a built-in camera and microphone, and a hardware LED next to the camera indicates when it is active. According to Wardle’s analysis, the hardware protection that keeps the LED from being disabled is very strong. The catch is that while a legitimate application is using the webcam the user expects the LED to be on, so the indicator gives no warning that a second, unauthorized consumer has joined the session.
Wardle wanted to determine whether an unauthorized application could piggyback on that legitimate use of the camera to track and record a macOS user without his or her knowledge. It turns out that the webcam is a shared resource in macOS: a user could, for example, run FaceTime and Skype video sessions at the same time.
“Basically all the malware does is it monitors a macOS system looking for a legitimate webcam session,” Wardle said. “The malware can then access the webcam and start recording the local user.”
However, there are a few limitations to Wardle’s attack scenario. First, the macOS user has to be infected with malware from some source before the camera can be used without authorization. There have been examples of legitimate macOS apps that were compromised in some way and turned into malware, Wardle noted. That said, the chances of infection are relatively slim if a user only downloads signed applications from the Mac App Store.
“There has been a recent uptick in macOS malware that is webcam aware,” he said.
The OSX/Eleanor malware, first publicly detected in July, tried to record Mac users, Wardle noted. However, Eleanor recorded its victims at arbitrary times, so the MacBook’s camera LED came on by itself, without another application having started the camera first, he said.
In Wardle’s view, users are far more likely to notice a camera LED that lights up on its own, which tells them that something is wrong.
“If instead they had used this technique and waited for legitimate use and then recorded the user, the Eleanor malware could have easily avoided detection,” Wardle said.
The ability to piggyback on an existing application isn’t necessarily a vulnerability that Apple could or should fix, Wardle said. He added that having the camera as a shared resource can make sense.
Wardle wants macOS to offer something similar to what iOS gives mobile users: when an application first tries to access the camera, a pop-up dialog asks whether the user wants to grant it access.
“I would like macOS to be more like iOS where there is an alert when the camera is accessed,” Wardle said. “That would allow the system to still share the webcam, but if malware somehow attempts to access your system, you’d see a pop-up request for access.”
Since macOS does not yet prompt or alert on camera access, Wardle has built a free tool called OverSight that monitors the microphone and webcam and notifies the user each time either is switched on.
For video, OverSight identifies every process that accesses the built-in camera, reports it, and lets the user block it.
For audio, the current version only detects that the microphone has been activated and alerts the user to that fact; it does not identify the process.
While it is easy to cover a camera to block secret recording, doing the same for the microphone is much harder.
Wardle is aware of the tool’s limitations and says he will continue to improve it.
“As with any security tool, direct or proactive attempts to specifically bypass OverSight’s protections will likely succeed,” he noted.
“Moreover, the current version of OverSight utilizes user-mode APIs in order to monitor for audio and video events. Thus any malware that has a kernel-mode or rootkit component may be able to access the webcam and mic in an undetected manner.”
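The following is an added example written for this article; it is not OverSight’s code and not Wardle’s proof of concept. It shows the one piece of user-mode state that both sides of the story hinge on: the session detection a piggybacking implant performs before starting its own capture (described earlier), and the kind of user-mode property listeners a defensive monitor like OverSight can build on. It assumes a Mac with the CoreMediaIO and CoreAudio frameworks, and it relies on the real properties `kCMIODevicePropertyDeviceIsRunningSomewhere` and `kAudioDevicePropertyDeviceIsRunningSomewhere`, which report only that some process has the device running, not which process; identifying the consumer requires other means, and anything below the user-mode API (a kernel component) would not show up here at all.

```objective-c
// Added example for this article (not OverSight's or Wardle's code):
// watch the webcam and default microphone "running somewhere" state.
// Build on macOS: clang -framework CoreMediaIO -framework CoreAudio \
//                      -framework CoreFoundation devmon.m -o devmon
#include <stdio.h>
#include <dispatch/dispatch.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CoreMediaIO/CMIOHardware.h>
#include <CoreAudio/CoreAudio.h>

// Does any process currently have this CoreMediaIO (video) device running?
// This is the observable an implant polls for before it starts recording.
static Boolean videoDeviceIsRunning(CMIOObjectID dev) {
    CMIOObjectPropertyAddress addr = {
        kCMIODevicePropertyDeviceIsRunningSomewhere,
        kCMIOObjectPropertyScopeGlobal,
        kCMIOObjectPropertyElementMaster
    };
    UInt32 running = 0, used = 0;
    OSStatus st = CMIOObjectGetPropertyData(dev, &addr, 0, NULL,
                                            sizeof(running), &used, &running);
    return st == kCMIOHardwareNoError && running != 0;
}

// Same question for an audio input device, via CoreAudio.
static Boolean audioDeviceIsRunning(AudioObjectID dev) {
    AudioObjectPropertyAddress addr = {
        kAudioDevicePropertyDeviceIsRunningSomewhere,
        kAudioObjectPropertyScopeGlobal,
        kAudioObjectPropertyElementMaster
    };
    UInt32 running = 0, size = sizeof(running);
    OSStatus st = AudioObjectGetPropertyData(dev, &addr, 0, NULL, &size, &running);
    return st == noErr && running != 0;
}

// Enumerate CoreMediaIO devices (the built-in FaceTime camera among them).
static UInt32 listVideoDevices(CMIOObjectID *out, UInt32 max) {
    CMIOObjectPropertyAddress addr = {
        kCMIOHardwarePropertyDevices,
        kCMIOObjectPropertyScopeGlobal,
        kCMIOObjectPropertyElementMaster
    };
    UInt32 size = 0, used = 0;
    if (CMIOObjectGetPropertyDataSize(kCMIOObjectSystemObject, &addr, 0, NULL, &size)
            != kCMIOHardwareNoError)
        return 0;
    if (size > max * sizeof(CMIOObjectID)) size = max * sizeof(CMIOObjectID);
    if (CMIOObjectGetPropertyData(kCMIOObjectSystemObject, &addr, 0, NULL,
                                  size, &used, out) != kCMIOHardwareNoError)
        return 0;
    return used / sizeof(CMIOObjectID);
}

// The system's default input device, normally the built-in microphone.
static AudioObjectID defaultInputDevice(void) {
    AudioObjectPropertyAddress addr = {
        kAudioHardwarePropertyDefaultInputDevice,
        kAudioObjectPropertyScopeGlobal,
        kAudioObjectPropertyElementMaster
    };
    AudioObjectID dev = kAudioObjectUnknown;
    UInt32 size = sizeof(dev);
    AudioObjectGetPropertyData(kAudioObjectSystemObject, &addr, 0, NULL, &size, &dev);
    return dev;
}

int main(void) {
    dispatch_queue_t q = dispatch_get_main_queue();

    CMIOObjectID cams[8];
    UInt32 n = listVideoDevices(cams, 8);
    for (UInt32 i = 0; i < n; i++) {
        CMIOObjectID cam = cams[i];
        printf("camera %u initially %s\n", cam, videoDeviceIsRunning(cam) ? "ON" : "off");
        CMIOObjectPropertyAddress addr = {
            kCMIODevicePropertyDeviceIsRunningSomewhere,
            kCMIOObjectPropertyScopeGlobal,
            kCMIOObjectPropertyElementMaster
        };
        // Event-driven: the block fires whenever the running state flips.
        // An implant would start capturing on "ON" and stop on "off" so the
        // LED never lights outside a legitimate session; a monitor alerts.
        CMIOObjectAddPropertyListenerBlock(cam, &addr, q,
            ^(UInt32 count, const CMIOObjectPropertyAddress addrs[]) {
                printf("camera %u is now %s\n", cam,
                       videoDeviceIsRunning(cam) ? "ON" : "off");
            });
    }

    AudioObjectID mic = defaultInputDevice();
    if (mic != kAudioObjectUnknown) {
        AudioObjectPropertyAddress addr = {
            kAudioDevicePropertyDeviceIsRunningSomewhere,
            kAudioObjectPropertyScopeGlobal,
            kAudioObjectPropertyElementMaster
        };
        AudioObjectAddPropertyListenerBlock(mic, &addr, q,
            ^(UInt32 count, const AudioObjectPropertyAddress addrs[]) {
                printf("mic %u is now %s\n", mic,
                       audioDeviceIsRunning(mic) ? "ON" : "off");
            });
    }

    dispatch_main();   // service the listener blocks until Ctrl-C
    return 0;
}
```

Run the binary, then start and end a FaceTime or Skype call: the camera line flips to ON and back to off with the LED, and the microphone line does the same. Note what the API does not give you: the listener sees only the aggregate running state, so it cannot tell a second, silent consumer apart from the first, and it tells a defender nothing about which process is responsible. That is exactly why a monitor built this way needs a separate mechanism to attribute access to a process, and why, as Wardle says of OverSight, a kernel-level component could bypass it entirely.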