Mac Webcam Hack Proves the LED Indicator Light Isn't Always Trustworthy

By Wesley Fenlon

A pair of researchers write their own software to fool the Mac iSight camera's light into staying off, even when the webcam is enabled.

Webcam hacking is typically the domain of cable TV, where NSA-like cyberwizards slap a few keys to tap into any camera in the world. In reality, we figure, it isn't anything like that at all--hackers probably need physical access to the computer to easily install spy software, and what are the chances of our webcam getting hacked, anyway? In fiction and in reality, we still expect a warning sign. On Macs, it's that little green light next to the webcam that proclaims "I'm on." But what if that gets hacked, too?

That's exactly what's happened with a range of old Macs, making the concept of webcam happening a little bit creepier. Researchers from John Hopkins University published their findings in a paper simply titled "iSeeYou: Disabling the MacBook Webcam Indicator LED." The opening abstract states "This enables video to be captured without any visual indication to the user and can be accomplished entirely in user space by an unprivileged (non-root) application." If you have a new-ish Mac, don't panic--this hack is for older iSight cameras, although it's possible that newer Mac cameras have their own vulnerabilities.

Photo credit: Flickr user reticulating via Creative Commons

Many assumed that the LED "on" lights on Mac and MacBook webcams were hardwired to the camera, meaning there's a cut-and-dry on-off relationship between the two. When the camera's imaging chip is on, the LED gets power. When it's set to standby, it doesn't. And that is how it works--except there's a layer of software controlling the whole thing.

Image credit: Matthew Brocker and Stephen Checkoway

Ars Technica explains: "When the driver for the webcam is loaded, the host PC uploads a small program to the USB controller (it has no permanent firmware storage of its own, so it has to be uploaded each time the camera driver is loaded). This small program in turn configures the imaging chip. The imaging chip doesn't have too many configurable properties, but one thing that it does have is whether it pays any attention to the standby input.

"Apple's own drivers set a configuration where standby is respected. But other configurations are possible—such as one where the chip ignores standby entirely and always produces image data."

The researchers wrote software that told the webcam something different. It told the software to ignore the standby input, while making sure the standby line in the circuitry was always active. That way, the LED was permanently disabled--the proper connection was made to keep it powered off--and the camera still functioned normally.

iMac G5s, early Intel Macs, and MacBook Pros used the iSight camera until about 2008. If you're using one of those computers, there is a silver lining: the researchers also made a kernel extension to prevent their hack. It's called iSightDefender, and you can download it from github for free. You can also use a sticker.