DENVER—Hijacking a user’s webcam is one of the more dastardly tactics used for surveillance. In most cases the attacker can use a number of different webcam-aware malware samples to quietly turn on and record audio and video from the target’s machine.
Doing so, however, also turns on the embedded LED light that signals the webcam has been activated, a clear hint to the user that something could be amiss if this behavior is unexpected.
Mac security expert and Synack director of research Patrick Wardle presented a new capability on Thursday at Virus Bulletin 2016 that can be abused in legitimate macOS processes that could allow an attacker to piggyback onto the webcam when legitimate sessions are initiated by the user over Skype, FaceTime or Google Hangouts. By hitching a ride on the webcam, not only is the attacker spying on, for example, a sensitive conversation between business partners or friends, but is doing so without the need for stealth—or raising concerns with a mysteriously activated LED indicator.
In response, Wardle yesterday released a tool called OverSight that monitors for the internal macOS processes that manage the webcam and microphone, and alerts a user when one of these processes accesses these services. The user can then make a choice to either allow or block the session to continue. “It can detect when the internal microphone and camera are activated, but more importantly, it can identify who is using the camera process and tell if any secondary process is piggybacking along,” Wardle said. “When it detects this, it generates an alert that allows the user to block, and it also logs it to Syslog so that in a corporate environment, an admin can pull and analyze the logs.”
Wardle, who has released a bevy of free Mac security tools in the last two years, said the emergence of Mac-related malware samples such as Eleanor, Crisis and Mokes, all of which are spy programs for the Mac platform, prompted him to devote time to research in this area. Eleanor and Mokes were the latest samples to be disclosed this summer by researchers at Bitdefender and Kaspersky Lab, respectively. Eleanor is a nasty backdoor that creates a Tor hidden service and allows an attacker to remotely control a compromised machine—and this includes audio and video monitoring. Wardle said it also shipped with the Wacaw open source command-line utility that allows for the capture of pictures and video. Mokes, meanwhile, is also a backdoor designed to steal data, images, audio and video from compromised Apple, Windows and Linux machines. “We’ve seen the recent trends of Mac malware interested in recording what users are doing,” Wardle said.