MacBook Webcams Vulnerable to 'Peek' Hacking

The National Security Agency may not be the only ones peeking into our activities. A recent research project at Johns Hopkins University has proven that unauthorized users can hack into internal webcams on certain classes of Apple computers to disable the green light that informs us when the webcam is in use.

In the paper, "iSee You: Disabling the MacBook Webcam Indicator LED," graduate student Matthew Brocker and Computer Science Professor Stephen Checkoway described their efforts to disable the LED on the webcam in a previous generation of Apple products, including the iMac G5 and MacBook laptops. The laptops, in particular, gained a certain level of notoriety when, in 2009, Lower Merion School District in Pennsylvania made headlines for capturing images of its students through the webcams in their school-issued MacBooks without their knowledge or permission.

According to the researchers, the source of the vulnerability lies with the iSight webcam. The indicator LED, which generates the little green light, sits between a microprocessor and an image sensor. When the image sensor is sending images to the microcontroller — when the camera is turned on — a hardware "interlock" turns the LED light on. But the microcontroller can be hacked and reprogrammed to bypass the interlock and disable the LED. To demonstrate the technique, Brocker and Checkoway developed iSeeYou, a simple, native OS X application that checks for the presence of the iSight camera and then initiates the reprogramming process.

"The ability to bypass the interlock raises serious privacy concerns and the technical means by which we accomplish it raises additional security concerns," the researchers wrote. One of those "additional" concerns involves the use of facial recognition by the webcam to grant the right user access to a secure service. Malware could conceivably capture video of a victim then replay that video to get around the authentication measure.

One way to counteract the vulnerability, the report said, would be for the indicator light to "be controlled completely by hardware." Another approach would be to modify the operating system to prevent certain types of device requests from being sent to the camera. To that end, the researchers developed iSightDefender, which blocks reprogramming efforts that don't require access to root privileges. That utility is publicly available.

The two reported that they've shared their source code for iSeeYou and iSightDefender with Apple. And although the company followed up "several times," they were never notified about possible fixes.

Next, Brocker and Checkoway said they hope to expand the scope of their work to examine newer Apple webcams, such as the most recent FaceTime cameras as well the webcams installed in non-Apple devices.

Until the problem is addressed more systematically, the researchers suggested, users can always tape over the webcam or install the iPatch, a $4.99 device intended, as its company Web site declares, "to keep time spent at your computer private."

About the Author

Dian Schaffhauser is a former senior contributing editor for 1105 Media's education publications THE Journal, Campus Technology and Spaces4Learning.

Featured

  • three silhouetted education technology leaders with thought bubbles containing AI-related icons

    Ed Tech Leaders Rank Generative AI as Top Tech Priority

    In a recent CoSN survey, an overwhelming majority of ed tech leaders (94%) said they see AI as having a positive impact on education. Respondents ranked generative AI as their top tech priority, with 80% reporting their districts have gen AI initiatives underway, or plan to in the current school year.

  • computer monitor with a bold AI search bar on the screen

    Google Rolls Out AI Mode in Search

    About a year after introducing AI Overviews for its flagship search offering, Google has announced broad availability of AI Mode in Search.

  • glowing shield hovers above a digital cloud platform with abstract data streams and cloud icons in the background

    Google to Acquire Cloud Security Firm Wiz in $32 Billion Deal

    Google has announced it will acquire cloud security startup Wiz for $32 billion. If completed, the acquisition — an all-cash deal — would mark the largest in Google's history.

  • students using digital devices, surrounded by abstract AI motifs and soft geometric design

    Ed Tech Startup Kira Launches AI-Native Learning Platform

    A new K-12 learning platform aims to bring personalized education to every student. Kira, one of the latest ed tech ventures from Andrew Ng, former director of Stanford's AI Lab and co-founder of Coursera and DeepLearning.AI, "integrates artificial intelligence directly into every educational workflow — from lesson planning and instruction to grading, intervention, and reporting," according to a news announcement.