DENVER—Hijacking a user’s webcam is one of the more dastardly tactics used for surveillance. In most cases the attacker can use a number of different webcam-aware malware samples to quietly turn on and record audio and video from the target’s machine.
Doing so, however, also turns on the embedded LED light that signals the webcam has been activated, a clear hint to the user that something could be amiss if this behavior is unexpected.
Mac security expert and Synack director of research Patrick Wardle presented a new capability on Thursday at Virus Bulletin 2016 that can be abused in legitimate macOS processes that could allow an attacker to piggyback onto the webcam when legitimate sessions are initiated by the user over Skype, FaceTime or Google Hangouts. By hitching a ride on the webcam, not only is the attacker spying on, for example, a sensitive conversation between business partners or friends, but is doing so without the need for stealth—or raising concerns with a mysteriously activated LED indicator.
In response, Wardle yesterday released a tool called OverSight that monitors for the internal macOS processes that manage the webcam and microphone, and alerts a user when one of these processes accesses these services. The user can then make a choice to either allow or block the session to continue.
“It can detect when the internal microphone and camera are activated, but more importantly, it can identify who is using the camera process and tell if any secondary process is piggybacking along,” Wardle said. “When it detects this, it generates an alert that allows the user to block, and it also logs it to Syslog so that in a corporate environment, an admin can pull and analyze the logs.”
Wardle, who has released a bevy of free Mac security tools in the last two years, said the emergence of Mac-related malware samples such as Eleanor, Crisis and Mokes, all of which are spy programs for the Mac platform, prompted him to devote time to research in this area.
Eleanor and Mokes were the latest samples to be disclosed this summer by researchers at Bitdefender and Kaspersky Lab, respectively. Eleanor is a nasty backdoor that creates a Tor hidden service and allows an attacker to remotely control a compromised machine—and this includes audio and video monitoring. Wardle said it also shipped with the Wacaw open source command-line utility that allows for the capture of pictures and video. Mokes, meanwhile, is also a backdoor designed to steal data, images, audio and video from compromised Apple, Windows and Linux machines.
“We’ve seen the recent trends of Mac malware interested in recording what users are doing,” Wardle said.
The key, he said, is the legitimate activation of the LED light, which in some extreme cases can be disabled by an attacker with physical access who can reprogram the firmware managing these processes. Apple, Wardle said, has taken steps to reduce this risk by isolating these processes making it much more difficult to hack.
The key for newer malware is to know when the user has initiated a webcam session, for example. Malware examined by Wardle from the Hacking Team leak in July 2015 showed how the malicious code was finding and enumerating camera-related processes through the use of the AV Foundation framework from Apple. Through this framework, the attacker can enumerate these processes and register for notifications through the Apple CoreMediaIO Device Abstraction Layer as to when webcam sessions begin and end, so as to know when to start and stop recordings.
“These sessions are the most interesting things malware should be recording, rather than recording all day long,” Wardle said. “It waits until the user initiates a legitimate session that involves the webcam. When the malware detects it, it begins recording and exfiltrates the data. It doesn’t require root to pull this off, and the LED is on, so there’s no indication that the malware has piggybacked into the stream.”
Wardle said that Oversight can detect the initial and subsequent processes. Alerts presented to the user contain the name of the process, i.e., OSX/Mokes, and presents the user with the option to block it.
This article was updated Oct. 7 with clarifications.