As first reported by the Washington Post, two researchers at Johns Hopkins University have found a way to activate and use the front-facing camera on certain MacBook models without causing their indicator light to turn on.
Stephen Checkoway, a professor at the school’s computer science department, and graduate student Matthew Brocker published a paper last week in which they illustrated a relatively unsophisticated way to trick a MacBook’s camera into believing that it’s in standby even when it’s actually being used. That prevents the indicator LED next to it from turning on, even though the camera itself is actively taking pictures or recording video.
This is significant because the indicator light was previously thought to be controlled directly by the hardware, making a software exploit impossible.
Computer with an eye
The hack works, as is often the case, because the researchers were able to take advantage of two characteristics of the camera’s design that are normally unrelated to each other. The first is that the camera is actually a separate device from the computer itself, and talks to to the main board through a USB connection—not unlike any third-party camera that you would be able to connect to one of the USB ports of your computer.
As a separate device, the camera actually needs its own software to run, but, in order to keep its design simple and efficient, it doesn’t include any built-in storage; as a result, the firmware that runs the camera is loaded by its driver every time the Mac runs.
Checkoway and Brocker discovered that they could easily replace the built-in firmware with their own just by uploading it to the device—an operation that didn’t even require administrator privileges on the host computer. In itself, this is not a significant problem—after all, the device does need firmware, and, at least in theory, it shouldn’t be possible to manipulate the indicator light from software anyway.
Stand by for a hack
However, it seems that the camera’s hardware design presents an additional flaw, and that’s where the second part of the researcher’s exploit comes into play. The small green LED light that illuminates when the camera is in use is connected in parallel with the peripheral’s standby indicator line. During normal operation, the firmware keeps this line in a high state, indicating to the camera that it should stay in standby and not record anything, and thus keeping the light off.
At record time, the computer drops the line to a low state, causing the sensor on the camera to begin recording video and sending it across the USB connection. As a result, the LED indicator automatically turns on, letting the user know that data is being captured.
Thus, under normal conditions, there is no way for the firmware to affect the indicator light directly, and, since the standby line is connected directly to the sensor, there is no way to prevent the light from going on without effectively shutting down video capture. In engineering terms, this is called a hardware interlock; it’s a technology used in any scenario where software alone cannot be trusted to properly determine the physical configuration of a device it’s controlling.
However, it’s important to note that the indicator light is, in fact, an indirect interlock: Rather than revealing whether the camera is capturing, which is what we’re really after, it shows whether the camera is on standby.
As it turns out, the Johns Hopkins experts determined that there was a way to make the sensor ignore the standby line completely; this enabled them to rewrite the firmware so that it would keep the standby enabled, and still cause video to be captured and sent back to the Mac. In this scenario, therefore, the hardware interlock continues to work—except, of course, that it’s measuring the wrong thing and causing the entire protection mechanism to fail.
Don’t put on your tinfoil hats yet
So, should users worry?
It’s hard to say, but probably not. For one thing, the researchers were only able to investigate and reproduce the issue on a relatively old plastic MacBook; it’s unknown, at this stage, whether this problem affects newer models of Apple’s computers.
In any case, Checkoway and his partner also developed a small piece of software that prevents modifications to the camera’s firmware without root privileges, which makes it impossible to implement the hack in the first place. They also responsibly disclosed their findings to Apple several months ago, giving the company’s engineers plenty of time to figure things out. And, of course, there’s no indication that such an exploit currently exists in the wild.
Regardless, there are a few simple steps you can take to help minimize the chances that someone will be able to spy on you. If you’re running OS X Mountain Lion or Mavericks, it’s a good idea to crank up your operating system’s security so that it will only automatically run apps that you have downloaded from the App Store or from an identified developer. At the very least, this will give you an opportunity to take a second look at anything else that might run on your computer unbeknownst to you.
If you’re an infrequent user of your Mac’s camera, it’s probably also not a bad idea to place a small piece of tape on it to completely occlude the camera’s opening—a dead-simple way to protect yourself that no amount of software hackery will be able to circumvent. Just be careful—especially on more recent MacBooks, which are built to very tight tolerances—to pick a thin kind of tape that won’t leave any residue if you ever need to remove it. Also, it should go without saying that you’ll need to use a tape that is opaque in order for this trick to work.
Finally, don’t forget that Apple hasn’t yet responded to this report at all. It would be hard to believe that the company has been caught with its corporate pants down after it’s had several months to discuss the problem with the Johns Hopkins folks. On the other hand, it’s entirely possible that a fix for this problem has already made its way into recent OS X releases, and that more recent hardware that the company uses isn’t affected by this type of issue at all.
Author: Marco Tabini
Marco Tabini is based in Toronto, Canada, where he focuses on software development for mobile devices and for the Web.