This entry was posted on Thursday, July 6th, 2006 at 15:47 and is filed under Security, Software.
Thursday, July 6, 2006
What you’re looking at, if you’re running OS X Tiger with an iSight camera (or any other connected webcam) is a live image of yourself. A simple little plug-in for QuickTime and a single line of code in a web page and there you have it. Freaky. Yes. Security hole? Not really. But maybe some hacker can dig and find a hole to exploit in QuickTime and send images of you, unsuspecting, back to hacker headquarters.
Apple generally does a great job in protecting its users, but I must admit, when I saw the built-in iSight on the MacBook Pro at Macworld, the first thing I thought of was how this would be a great tool for hackers to exploit at some point. Other companies, such as Orbicule with Undercover, have already thought of using iSight to their advantage. Snapping pictures of the user every six minutes is a great idea. While we couldn’t find a stitch of information on whether the green light comes on during these candid pictures, either on Undercover’s FAQ page or in any of the many forums we read, it must be inconspicuous enough for Orbicule to implement such a high interval in the recovery program.
With this little “trick” here on SvenOnTech’s site and Orbicule’s use of iSight for notebook recovery, one has to wonder if iSight really is as neat an invention as many find it. Knowing there might be an exploit sitting in your laptop that could take pictures of you…or your office full of top secret information makes the endless number of posts about security, such as MacInTouch’s, more understandable.
Until Apple can assure Mac users that iSights are safe from unauthorized use, you may want to keep that lens cover closed for you external iSight users and keep an eye on that green light for you MacBook and MacBook Pro users. You’ve been warned.
[Via O'Reilly]
UPDATE: We have confirmed with Orbicule that the green light does in fact activate when a picture is taken. It stays lit for “a few seconds” and then turns off. Orbicule is currently working with Apple to override the green light and have it go into a “stealth” mode so thieves will not be aware of their picture being snapped. We’ll keep you informed on this as more details become available.
Orbicule has issued SvenOnTech a license for review and we’ll have a full review of Undercover soon in our Reviews section. Stay tuned!
July 6th, 2006 at 18:43
That is a bit freaky.
July 6th, 2006 at 21:22
July 20, 2005: http://www.oreillynet.com/lpt/wlg/7409
July 6th, 2006 at 22:46
I’d suggest just putting up a little post-it note to cover the lens until you actually want to use it.
July 7th, 2006 at 0:28
Maybe this sounds stupid, but what prevented the same kind of unsafe usage of the built-in microphone that has been present on our Macs for so many years? It could record all kinds of conversations and broadcast them on the net, right?
July 7th, 2006 at 0:35
The built-in camera has already existed for a long time in PC notebooks. I suppose the world would have gone crazy by now, as lots of malware exists in Windows to do such an act.
July 7th, 2006 at 5:08
I would imagine that the LED light and camera run in a series circuit so that the light is automatically on whenever the camera is.
July 7th, 2006 at 22:48
Wow, this is classic yellow journalism. Scare the reader, make some wild guesses as to possible news items (all mildly plausible) and then predict doom. When, in reality, you found out that QuickTime can talk to the iSight, and you can embed that command in a webpage. There’s no hole, no problem, and won’t be, but everyone needs traffic to appease the advertisers, eh?
Put some masking tape over the camera if you’re paranoid. Everyone else move along, there’s nothing here.
July 8th, 2006 at 0:02
Sven, did you get the story from here?… http://digg.com/apple/iSight_…_(do_you_have_OSX_iSight_)
I digg it.
But, there is one problem.
All PC users told me that their browsers crash.
So (it is a good idea for someone to embed a JavaScript that detects OSX or XP).
Anyway… it is not a security issue at all. It is just a Quartz Composer script (only for Mac OSX users).
July 8th, 2006 at 8:48
Adam, did you not read the opening of the article? We stated that Apple has a good security record and this probably isn’t a hole. However, exploits run deep and it’s only time before a hacker figures out how to tap into this much like the old Internet Explorer vulnerability that was much the same as this by placing a line of code in a web page to show the contents of a Windows hard drive. Soon after, a hacker figured out how to grab those files. Harmless trick at first…deathly exploit later. That’s all we were trying to point out. Further, follow the forum links and see the posts on the camera alone. No scare tactics, no, “yellow journalism,” just trying to make people aware of what could be.
You’re right, cover the lens with some tape and you’re set. Good suggestion. Now it’s Apple’s turn to put a built-in slide cover like the external iSight has, though. Then the problem is gone.
Videoeye, we have a link to our source above in the article. We did not get this from digg.
July 8th, 2006 at 9:23
Sven, it is OK. I’m not trying to make an argument here.
The problem is that I Digg this story, I publish the O’Reilly link (http://www.oreillynet.com/lpt/wlg/7409), and now everybody is taking the same O’Reilly link on different articles.
Actually, I found the O’Reilly page trying to find Quartz Composer projects. (And I found this).
My only concern at this point is his website being.
I don’t know. Whatever. It is the Digg effect.
July 8th, 2006 at 14:42
Videoeye, I’m not sure what you’re trying to communicate, but I discovered the O’Reilly page searching “iSight” and “Security” for another article and that link came up. I followed it and thought it would be great to share with you all. If you’re looking for resource kudos to your link, and you’re not getting it, I’m sorry to hear that as we do put in links to those that found stories of interest.