In recent years we’ve seen malware that targets webcams and microphones in an effort to secretly record what a person says and does.
Even the NSA has developed code that remotely switches on a person’s webcam.
But things are different when it comes to Mac malware, because each Apple laptop has a hard-wired light indicator that tells the user when the webcam is in use. At least you know you’re being watched.
That could change with a new kind of webcam piggyback attack, according to research by Synack’s Patrick Wardle, which he will present Thursday at the Virus Bulletin conference.
After examining a number of malware samples, Wardle believes that attackers can easily take advantage of the light indicator in most modern Macs to mask malware that secretly records your phone calls and video chats.
The “attack” works like this. The malware quietly monitors the system for user-initiated video sessions — like FaceTime or Skype video calls — then piggybacks on the webcam or microphone to covertly record the session. Because the light is already on, there are no visible indications of this malicious activity, which lets the malware record both the audio and video without risk of detection.
After all, it’s the phone and video calls that hackers and nation states want to hear, not the regular ramblings of a person sitting at their desk throughout the day.
Wardle told me in an email that when a person legitimately uses their webcam or microphone, it’s typically for more sensitive things, such as a journalist talking to a source, or an important business meeting with an executive, or even a person’s private FaceTime conversation with their partner — all of which could be invaluable for surveillance.
Enter his new tool, Oversight, which aims to block rogue webcam connections that piggyback off legitimate video calling apps, and alerts you when your microphone is in use.
If malware tries to piggyback off a webcam session, the app will alert the user — allowing them to block it. Wardle said that the tool will log the process, allowing security experts or system administrators to take a closer look.
The good news is that Wardle said he’s not aware of any Mac malware that exists to do this, but he noted it isn’t difficult to implement.
“It’s just a few lines [of code], and it doesn’t require any special privileges,” he said. “Currently, Mac malware such as Eleanor could easily implement this capability with this code.”
Wardle has put the app up for free on his website.