Scary New Mac Attack Can Secretly Tap into Live Webcam Feeds to Spy on Users

Rafia Shaikh
Posted Oct 6, 2016

Mac malware could silently spy on users by remotely switching on a person’s webcam. While there are several malware families that target webcams and microphones, Apple has a hard-wired indicator light that turns on whenever the webcam is being used. But what if attackers could hijack your Skype and FaceTime sessions to listen in on your video and audio calls?

Mac malware could piggyback user-initiated webcam sessions

Security researcher and former NSA employee Patrick Wardle is now demonstrating a way that Mac malware could silently record through the webcam and microphone on Macs. By piggybacking on webcam sessions initiated by legitimate applications like FaceTime and Skype, attackers could silently watch and record your conversations.

Presenting his demonstration at the Virus Bulletin conference today, Wardle suggested that attackers can easily take over your legitimate recording sessions. Thanks to the firmware-level protection, the LED lights up every time the webcam is used. But since the LED would already be switched on when you are in the middle of a Skype or FaceTime call, this Mac malware can tap into the outgoing feed of an existing “user-initiated” webcam session to record your conversations without you knowing about it.

After examining various ‘webcam-aware’ OS X malware samples, the research will show a new ‘attack’ that would allow such malware to stealthily monitor the system for legitimate user-initiated video sessions, then surreptitiously piggyback into this in order to covertly record the session. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection.

Wardle, who is director of research at security firm Synack, had previously discovered ways for Mac malware to bypass Apple’s Gatekeeper protections to run unsigned apps. He is also responsible for uncovering a flaw in Apple’s fix for the Rootpipe vulnerability. Wardle has shared his latest discovery in a paper titled “Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings.”

How to fix the problem?

Wardle has designed a new tool called Oversight to block these rogue webcam connections that attempt to piggyback off legitimate apps. If malware tries to piggyback on a legitimate webcam session, Oversight will alert you, allowing you to block the connection. “It’s just a few lines [of code], and it doesn’t require any special privileges,” he said.

Wardle confirmed that he is not aware of any Mac malware that is using this flaw. However, malware families like Eleanor, Crisis and Mokes could easily implement this capability.

Oversight is available as a free download from Wardle’s website.

 

 
