Older Mac webcams can spy on you, but don't tape yours over until you read this

Two researchers at Johns Hopkins University published a paper that has recently been widely reported throughout the Mac blogosphere. They claim to have been able to hack the webcam on older MacBook and iMac computers so the camera worked without activating the green LED. Don't tape over your webcam yet, though. I've had a look over the paper, and it's not as bad as you might think.

First some background: Normally the indicator LED and the camera are mated together using a hardware interlock, so whenever the camera is on, the LED is activated. Matthew Brocker and Stephen Checkoway say they figured out a way to circumvent that interlock by reprogramming a microcontroller built into the iSight camera's circuitry. What's more, they've also developed an OS X kernel extension which fixes the exploit.

It's important to understand, first of all, that the exploit as described is specific to the circuitry of older Macs. According to the researchers, it can be found in "previous generation Apple products including the iMac G5 and early Intel-based iMacs, MacBooks, and MacBook Pros until roughly 2008."

The researchers have developed a proof of concept that shows how it can work, but they're quick to admit that it's not easy to get an unsuspecting user to install it. And Apple's decision to "sandbox" applications in recent versions of OS X provides an additional layer of security. Checkoway has published the source code for a fix.

Brocker and Checkoway say they contacted Apple about the exploit in mid-July; they've heard back from Apple employees but haven't been told of any specific plans to fix it.

In reporting on Brocker and Checkoway's exploit, the Washington Post quotes security researcher Charlie Miller who suggests that later Macs may be subject to an exploit as well. But Miller offered no proof whatsoever that any newer Macs have been compromised, just a vague suggestion that it could be done depending on "how well [Apple] secured the hardware."

If you don't know where an app is from or what it does, for goodness' sake, don't install it.

To that end, Apple's Gatekeeper software, built into recent versions of OS X, offers some level of protection for you - ordinarily it'll only allow software that's been downloaded from the Mac App Store or from a developer who's registered a certificate with Apple. You'd have to change your Security & Privacy system preference settings to "Allow apps downloaded from anywhere" to install it. And if you've installed software on your Mac before, you're probably familiar with the dialog box that requires you to enter an administrator password to make changes - another stumbling block against casual installation.

If you're using an older machine and you are worried that someone is spying on you, well, a piece of masking or electrical tape over the iSight camera will work too.

Bottom line: Use common sense when installing software you've downloaded from the Internet and you should be okay.

Peter Cohen