Security researchers at Johns Hopkins University recently demonstrated a unique new attack that can force the iSight cameras in legacy MacBook and iMac models to capture images without turning on the camera’s accompanying LED. Matthew Brocker and Stephen Checkoway were the researchers who outline the attack, which targets firmware inside the iSight camera’s controller chip, in a paper entitled “iSeeYou: Disabling the MacBook Webcam Indicator LED.”

As many of you probably already know, Apple designed the iSight camera system with a “hardware interlock” between the camera sensor and the indicator LED that was intended to make it electrically impossible for one to be activated without the other. According to the paper, the LED is connected directly to the standby pin on the camera sensor, when the camera comes out of standby mode, the LED automatically turns out.

What Brocker and Checkoway figured out was that they were able to bypass the hardware interlock by reprogramming the firmware on the camera’s microcontroller to ignore standby signals sent by the USB interface that the camera uses to communicate with the rest of the computer. By doing this, the LED remains off, because it is still obeying the USB standby signal, even though the camera sensor is active.

The thing that makes this attack something to worry about is that it doesn’t require administrator-level privileges or physical access to the laptop, though at this time it only affects MacBooks and iMacs manufactured prior to 2008 with built-in iSight cameras. The researchers indicated that there are at least two methods of mitigating the vulnerability that can be rolled out to existing hardware.

The two strategies include:


  1. Taking advantage of Apple’s Gatekeeper application sandbox which was introduced with OS X Mountain Lion and can be updated to deny untrusted applications access to the camera and its USB controller.
  2. Extending the OS X’s kernel to disallow specific instructions from being sent to the camera in the first place.


This hack was disclosed to Apple’s security team earlier this summer according to the paper. The researchers wrote the following about the matter:

Apple employees followed up several times but did not inform us of any possible mitigation plans.
Source: John Hopkins University (Paper) via The Washington Post