iSeeYou is a security bug affecting iSight cameras in some Apple laptops.
Discovery
The researchers' decision to study webcam indicator lights resulted from the widely reported WebcamGate case, in which a remote access tool installed on school-issued laptops took photographs of unconsenting students. The study demonstrated that the webcam indicator light could be turned off while the camera itself was turned on by bypassing the standby state of the signal. This was performed by changing the RESET register in the device's firmware to a value of 0x00c8.
Impact
The security flaw was reported internationally.
This vulnerability was used in the extortion of Miss Teen USA, Cassidy Wolf, when she received emails containing nude photos of herself, taken without her knowledge, from an unknown man. Wolf claimed she never knew she was being recorded and that her webcam light never turned on. The FBI arrested Jared Abrahams in relation to this crime as well as the sextortion of other female victims. Abrahams admitted he had infected victims' computers with malware and was able to record victims undress without the webcam light alerting them.
Journalists observed that Apple had sold their laptops as having a "hardware interlock" that was supposed to prevent such an attack, and called on Apple to implement hardware switches or other strong privacy protections.
Mitigation
The laptops affected are capable of running a variety of operating systems, and mitigations against the vulnerability vary by operating system. The researchers who found the bug released a macOS kernel extension named iSightDefender to reduce the attack surface under macOS.
References
- ^ Checkoway, Stephen; Brocker, Matthew (2013-12-11). "iSeeYou: Disabling the MacBook Webcam Indicator LED". Jscholarship.library.jhu.edu. Retrieved 2017-05-05.
- Mlot, Stephanie (2013-12-20). "Is Your MacBook Webcam Watching You? | News & Opinion". PCMag.com. Retrieved 2017-05-05.
- Dickey, Megan Rose (December 18, 2013). "Yes, Someone Can Spy On You Using Your Own MacBook Webcam". Business Insider. Retrieved 2017-05-05.
- Brocker, Mattew; Checkoway, Stephen (August 20, 2014). "iıSeeYou: Disabling the MacBook Webcam Indicator LED" (PDF). Usenix: 17.
- Soltani, Ashkan (2013-12-18). "Research shows how MacBook Webcams can spy on their users without warning". The Washington Post. Retrieved 2017-05-05.
- ^ "Macbook webcams CAN spy on you - and you simply CAN'T TELL". Theregister.co.uk. Retrieved 2017-05-05.
- "Apple: Sicherheitslücke erlaubt Zugriff auf iSight-Kamera - COMPUTER BILD". Computerbild.de. 2013-12-19. Archived from the original on 2014-04-06. Retrieved 2017-05-05.
- Hilton, Nick (2013-12-19). "Researchers Hack Webcam While Disabling Warning Lights". New York Times. Retrieved 2017-05-05.
- Schaffhauser, Dian (2014-01-08). "MacBook Webcams Vulnerable to 'Peek' Hacking". The Journal. Retrieved 2017-05-05.
- Charles Arthur. "Boot up: mobile scale, Titan's work, webcam spying, Bitcoin woes and more | Technology". The Guardian. Retrieved 2017-05-05.
- "Cassidy Wolf, Miss Teen USA, claims she was extorted by an online hacker, report says". www.cbsnews.com. 14 August 2013. Retrieved 2022-08-28.
- "Temecula Student Arrested in Sextortion Case Involving Multiple Victims". FBI. Retrieved 2022-08-28.
- Cole, Shane (2013-12-18). "Researchers find way to activate iSight cameras without alerting users". AppleInsider. Retrieved 2017-05-05.
- ^ Peckham, Matt (2013-12-20). "Miss Teen USA's Webcam Hacked". Time. Retrieved 2017-05-05.