Friday, 8 February 2019
Light diffusers help decrease lighting strength or can reflect light for better fill and balance; Test your setup. Once you have your webcam lighting setup ready, be sure to test it before you go live! Open up a tool like Photo Booth on Macbook and adjust your light setup until you look your best.
- However, researchers have now proven that it’s possible to commandeer a computer’s webcam.without. the LED light coming on, making it much harder to tell if you are being secretly recorded. Here, for instance, is a photograph of a white MacBook Core 2 Duo.
- Cover your webcam. If you have a laptop that has a built-in webcam, then you won't be able to unplug it. In this case, covering your webcam will do the trick. Covering your webcam won't stop a hacker from accessing it, but it will stop them from being able to see anything out of it.
I’m a big fan of Joanna Stern — she was in fact just on my podcast and it was one of my favorite episodes in a while. At the end of the episode, she mentioned that she was working on a piece about webcam security for her Personal Tech column at The Wall Street Journal. That column dropped yesterday, and I found it half enlightening, half maddening.
How secure are these tiny eyes into our private lives? The badnews is, it was possible for Mr. Heid to get into my Windows 10laptop’s webcam and, from there, my entire home network. He alsoeventually cracked my MacBook Air. The good news is that bothoperating systems were initially able to thwart the hacker. Ittook me performing some intentionally careless things for him to“succeed.”
Key words there: intentionally careless.
Here’s how he got into her Windows 10 laptop — admittedly using only “off-the-shelf hacking tools”:
When I opened the attached Word doc, Microsoft ’s built-in, freeanti-virus software, Windows Defender, immediately flagged it.When I clicked the link to the “reel,” the file that begandownloading was identified as a virus and deleted. The systemworked, but I wanted to see what would happen if I were someonewho didn’t have anti-virus turned on in the first place, or whoturned it off because it got annoying.
Here’s how the security expert got into her MacBook (again, using only “off-the-shelf hacking tools”):
Hacking a 2015 MacBook Air running the latest MacOS version,Mojave, also required a multistep process (and some missteps bythe “victim”). This time the malware was embedded in an .odtdocument, an open-source file format.
To open it, I downloaded LibreOffice. The free version of thepopular open-source office suite isn’t in the Mac App Store,however, so I had to disable the Mac security setting thatprevents unverified developer software installation. […]
Once I installed LibreOffice, I turned off its macro securitysetting, per the hacker’s instructions. There are scenarios whereyou might do this — say, for instance, because your company useda specially designed inventory spreadsheet or sales form — butfor most people, it’s a bad idea. […]
Mac Webcam Hack Light Platinum
I did get a pop-up asking for camera access, and I clicked OK,like we might do when we’re in a rush. Because Mr. Heid was onlysnapping stills, the webcam LED only lit up for a second.
So she had to download LibreOffice (weird), disable LibreOffice’s macro security (really weird), and then still had to grant explicit permission for LibreOffice to access the camera. If you open a document that prompts you for access to the camera, aren’t you expecting it to be able to access your camera?
Stern’s advice to Mac users:
Installing those nagging security and OS updates are a must —on your phone, laptop, router, thermostat, really anythingthat connects to the internet. They include the latestattempts to patch the holes that hackers use to get in. Macusers should install Malwarebytes or other malware-fightingsoftware — and don’t turn off any security features justbecause someone asks you to.
I’ve long argued that third-party anti-malware software on the Mac causes more problems than it solves. If someone is willing to ignore the warning from MacOS that an app isn’t from a verified developer, and is willing to disable the security settings in that app at the behest of a social engineering hacker, why wouldn’t that same person be gullible enough to also disable their anti-malware software?
Mac Webcam Hack Light Novel
Stern also claims she’s now using a physical stick-on camera cover. But why? In both cases — Mac and PC — the built-in system software did its job and issued clear warnings that she had to ignore for the attack to proceed. And even then — on both Mac and PC — the light next to the camera went on when it was in use.
There’s nothing in Stern’s story that makes me worry in the least bit about the security of my Mac webcams, and I don’t see anything that should worry someone running Windows 10 with Windows Defender (Microsoft’s built-in security software). The path to compromising Stern’s cameras was like a test of your home security that starts with a request that you leave your door unlocked and turn off your alarm system.
I have never understood the mass paranoia over laptop webcams — which have in-use indicator lights, which I’ve seen no evidence can be circumvented on Macs from the last decade — and the complete lack of similar paranoia over microphones, which cannot be blocked by a piece of tape and which have no in-use indicator lights. And I don’t see anyone taping over the cameras on their phones. This story is only going to feed that paranoia, because the takeaway is going to be “The Wall Street Journal says you should cover up your webcam.”
Security researchers at Johns Hopkins released a paper in 2013 revealing that the indicator lights on Macs released prior to 2008 could be circumvented by software. I linked to this in 2016, wondering if the same exploit was possible on more recent Macs. Here’s an answer I received from a former engineer at Apple who was intimately familiar with the software drivers for Mac webcams:
The original cameras had the problem that the JHU researchersdetailed in the article that your linked to. Problem was that thefirmware was downloaded on every boot and there was nosecurity/encryption mechanism for verifying it. The part used wasfairly common and the firmware was just in RAM (hence the loadingafter a cold boot), as oppose to flashed.
All cameras after that one were different: The hardware teamtied the LED to a hardware signal from the sensor: If the (Ibelieve) vertical sync was active, the LED would light up. Thereis NO firmware control to disable/enable the LED. The actualfirmware is indeed flashable, but the part is not a generic partand there are mechanisms in place to verify the image beingflashed. […]
So, no, I don’t believe that malware could be installed to enablethe camera without lighting the LED. My concern would be asituation where a frame is captured so the LED is lit only for avery brief period of time.
Mac Webcam Hack
The still photo problem — where the light only turns on for the instant the image is being captured — is interesting. But I would wager real money that the camera indicator light cannot be circumvented by software on any Mac released this decade.
As I wrote back in 2016 about taping over your webcam:
I think this is nonsense. Malware that can surreptitiously engageyour camera can do all sort of other nefarious things. If youcan’t trust your camera, you can’t trust your keyboard either.Follow best practices to avoid malware in the first place — don’tinstall Flash Player, and don’t install software from sketchysources — and you’ll almost certainly be fine.
Mac Webcam Hack Light Table
The problem isn’t your camera, it’s malware. Don’t install any software from unknown or sketchy sources, keep your OS up to date1, and you should be fine. And if you do have malware on your Mac, the webcam is likely the least of your problems.
MacOS 10.14 Mojave, in particular, has made some significant improvements to identifying and disabling malware automatically. I got a fascinating email from a Genius Bar tech recently, who said that his time the last few years had been consumed more and more by Mac malware problems. Then Mojave shipped, and malware problems dropped noticeably, and when he does see a malware problem these days, it’s almost always on a Mac that isn’t running Mojave. Weaponget big games free. ↩︎
Previous: | 25 Years Ago: RAM Doubler |
Next: | My 2018 Apple Report Card |