A word of warning to MacBook owners: Beware of what you do in front of your laptop camera, for you never know who could be watching.
Two Johns Hopkins University researchers uncovered a loophole in Apple's iSight system that allowed them to hack into some versions of MacBook laptops and iMac desktops and disable the webcam indicator LED.
It sounds harmless, but the discovery essentially turns your computer into a peephole for hackers — like the one who spied on 19-year-old Miss Teen USA, Cassidy Wolf.
In a paper titled "iSeeYou: Disabling the MacBook Webcam Indicator LED," Matthew Brocker and Stephen Checkoway described the process of reprogramming an iSight camera's microcontroller to disable the LED activation light, and eavesdrop on an unsuspecting user.
"Our results in this paper demonstrate that, at least in some cases, people have been correct to worry about malware covertly capturing images and video," Checkoway and Brocker wrote. "We show a vulnerability in the iSight webcam that affects a particular range of Apple computers … that can be exploited to turn on the camera and capture images and video without the indicator illuminating."
By reprogramming the microcontroller, the team was able to capture video and photos unbeknownst to the person in front of the computer's camera.
Brocker and Checkoway focused their testing on older machines, like the iMac G5 and Intel-based iMacs, MacBooks, and MacBook Pros from 2008 and earlier, so it's unclear if newer machines are also vulnerable.
The duo were inspired to tackle this topic after a webcam controversy within Pennsylvania's Lower Merion School District. About 2,300 students at Harriton High School were given Mac laptops, but unbeknownst to those students and their parents, the laptops were equipped with tracking software that could remotely activate the computer's webcam to take photos of the user, as well as capture screenshots. It was intended as a means to locate lost or stolen laptops, but was apparently activated in more questionable circumstances as well.
The researchers informed Apple about the LED disabling vulnerability in July 2013 and the virtual machine escape in August. "Apple employees followed up several times but did not inform us of any possible mitigation plans. The iSightDefender code was also provided to Apple and is now publicly available," they said.
"In the past few years, the ever-expanding set of sensors present in commodity laptops and smartphones has prompted the security and privacy community to begin searching ways to detect and limit the undesired use of sensors," the "iSeeYou" paper said. "At the same time, researchers have demonstrated attacks exploiting the presence of sensors."
Checkoway and Brocker offer some suggestions for how Apple can defend its iSight camera against attacks, but there is no word on what Cupertino will do to patch the problem.
Apple did not immediately respond to a request for comment.