Security researcher and former NSA staffer Patrick Wardle is this afternoon demonstrating a way for Mac malware to tap into live feeds from the built-in webcam and microphone. His presentation is being delivered at the Virus Bulletin conference in Denver later today.

Although any unauthorized access to the webcam will light the green LED – a firmware-level protection that is exceedingly difficult to bypass – Wardle’s presentation shows how a malicious app can tap into the outgoing feed of an existing webcam session, like a FaceTime or Skype call, where the light would already be on …


Wardle was the researcher who previously uncovered a way for malware to bypass Gatekeeper protection to run unsigned apps, as well as pointing out a flaw in Apple’s fix for the Rootpipe vulnerability that allowed an attacker with local access to a Mac to escalate their privileges to root.

The paper is entitled Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings.

After examining various ‘webcam-aware’ OS X malware samples, the research will show a new ‘attack’ that would allow such malware to stealthily monitor the system for legitimate user-initiated video sessions, then surreptitious piggyback into this in order to covertly record the session. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection. 

Wardle has created an app that monitors webcam and microphone activity, and will alert you when a new process accesses either. A pop-up will alert you, advise the name of the process and ask whether you want to allow or block access.


The app, called Oversight, is a free download from Wardle’s website, objective-see.com.

About the Author

Ben Lovejoy's favorite gear