Malware on the Mac is becoming something to worry about, as demonstrated by security researcher and former NSA staffer Patrick Wardle. During a presentation at Virus Bulletin, Wardle yesterday showed how Mac malware to tap into live feeds from the built-in webcam and microphone on a MacBook Pro. His presentation is being delivered at the Virus Bulletin conference in Denver later today.
Although any unauthorized access to the webcam will light the green LED – a firmware-level protection that is exceedingly difficult to bypass – Wardle’s presentation shows how a malicious app can tap into the outgoing feed of an existing webcam session, like a FaceTime or Skype call, where the light would already be on.
Wardle, whose credits include having uncovered a way for malware to bypass OS X’s Gatekeeper protection to run unsigned apps and pointing out a flaw in Apple’s fix for the Rootpipe vulnerability that allowed an attacker with local access to a Mac to escalate their privileges to root, released a paper entitled “Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings” at the conference.
The paper shows how “webcam-aware” OS X malware can stealthily monitor the system for legitimate user-initiated video sessions, then surreptitiously piggyback into this in order to covertly record the session. There are no visible indications of the activity, as the LED light is already on, and the malware can record both audio and video with impunity.
Wardle has created an app called Oversight that monitors webcam and microphone activity, and will alert you when a new process accesses either. A pop-up will alert you, advise the name of the process and ask whether you want to allow or block access.
As always stay tuned for additional details as they become available.
Via 9to5Mac and Objective-See