AMITIAE - Thursday 19 December 2013
Cassandra: Apple's Older iSight Cameras and Questions of Security - Some Solid Research
By Graham K. Rogers
As a result of the interest this case produced and a general interest these days in security questions, two researchers at Johns Hopkins University - Matthew Brocker and Stephen Checkoway - had a look at the iSight camera in the type of Macs in the school. Although the LED light operated when the Lower Merion Macs were used, a question arose about whether the camera could be operated without the LED showing it.
Brocker and Checkoway decided to find out if and how this could be done. As we now know from revelations about the NSA, that agency has been doing it for some time.
As is correct and responsible, when the research was complete they sent the information they discovered about iSight security to Apple in July this year, followed (in August) by details of a Virtual Machine Escape that could be used to control USB devices on Macs, like the older iSight camera. Apple did make further inquiries, but (not a surprise) did not tell them about any fixes.
Outlining the many problems with cameras in other types of computers, the researchers picked up on the point that it might be possible to actuate the iSight camera with no LED indication. The same insecurity could apply to USB devices using the same Cypress chip.
The construction of the early iSight units is such that, when a camera operates, an electric signal passes and the green LED - installed between the image sensor and the microcontroller - lights up. They set out to reprogram the iSight microcontroller with "arbitrary, new firmware." Their description outlines the five points that they were concerned with technically:
Some assumptions were made concerning installation of malware that I am not as sure about as the researchers. Users who do not click on everything and only install apps from the Mac App Store (or from trusted sources) should not be affected.
The technical description of the iSight camera and its related components, plus software and firmware, shows how carefully the research has been carried out. The image sensor can be "influenced" by its interface and by several hardware signals.
Particularly important are RESET and STANDBY signals. The LED is linked to the STANDBY input, but this signal can be bypassed by resetting certain pins on the image sensor. With modified firmware, the LED light will display in normal use, but iSight can be signalled to operate without the LED.
When installed, their proof-of-concept, iSeeYou, can be used to reprogram the iSight camera and the LED light does not operate. When the app quits, however, the behaviour returns to normal. The same behaviour might also be created by using a Virtual Machine approach via malware. The researchers also point out that, as well as iSight, any EZ-USB device could be so used.
As a way of creating another defense, Matthew Brocker and Stephen Checkoway examined Apple's own protections, and developed iSightDefender to prevent "particular USB device requests from being sent to the camera." Its use means that an attacker would need root privileges to reprogram iSight. The application and its source code are available for download. There are no suggestions or recommendations from me on this, but I am not going to install it, even though I still have a 2007 MacBook Pro that could be liable to such an exploit.
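A sketch of the kind of request filtering described above, added here as an illustration; it is not iSightDefender's source code. It assumes the blocked request is the Cypress EZ-USB vendor "firmware load" request (bRequest 0xA0), which the article does not name, and all function names and sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { ALLOW = 0, DENY = 1 };

/* Fields of the 8-byte SETUP packet that starts every USB control transfer. */
struct usb_setup { uint8_t bmRequestType, bRequest; uint16_t wValue, wIndex, wLength; };

#define USB_DIR_IN      0x80  /* bmRequestType bit 7: device-to-host */
#define USB_TYPE_MASK   0x60  /* bmRequestType bits 6..5: request type */
#define USB_TYPE_VENDOR 0x40
/* Assumption: the blocked request is the EZ-USB vendor "firmware load"
 * request (bRequest 0xA0); the article does not say which requests are blocked. */
#define REQ_FIRMWARE_LOAD 0xA0

/* Decode a raw little-endian SETUP packet; -1 if the buffer is too short. */
int parse_setup(const uint8_t *b, size_t len, struct usb_setup *s) {
    if (!b || !s || len < 8) return -1;
    s->bmRequestType = b[0];
    s->bRequest = b[1];
    s->wValue  = (uint16_t)(b[2] | (b[3] << 8));
    s->wIndex  = (uint16_t)(b[4] | (b[5] << 8));
    s->wLength = (uint16_t)(b[6] | (b[7] << 8));
    return 0;
}

/* Policy: deny host-to-device vendor firmware loads; fail closed on junk. */
enum verdict filter_request(const uint8_t *b, size_t len) {
    struct usb_setup s;
    if (parse_setup(b, len, &s) != 0) return DENY;
    int vendor = (s.bmRequestType & USB_TYPE_MASK) == USB_TYPE_VENDOR;
    int to_device = (s.bmRequestType & USB_DIR_IN) == 0;
    return (vendor && to_device && s.bRequest == REQ_FIRMWARE_LOAD) ? DENY : ALLOW;
}

/* Constructed sample packets, not captured traffic. */
const uint8_t SAMPLE_GET_DESCRIPTOR[8] = {0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x12, 0x00};
const uint8_t SAMPLE_VENDOR_LOAD[8]    = {0x40, 0xA0, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00};
const uint8_t SAMPLE_VENDOR_READ[8]    = {0xC0, 0xA0, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00};
const uint8_t SAMPLE_CLASS_SET[8]      = {0x21, 0x01, 0x00, 0x02, 0x00, 0x01, 0x02, 0x00};

int main(void) {
    printf("GET_DESCRIPTOR: %d\n", filter_request(SAMPLE_GET_DESCRIPTOR, 8));
    printf("vendor load:    %d\n", filter_request(SAMPLE_VENDOR_LOAD, 8));
    printf("vendor read:    %d\n", filter_request(SAMPLE_VENDOR_READ, 8));
    printf("class request:  %d\n", filter_request(SAMPLE_CLASS_SET, 8));
    printf("truncated:      %d\n", filter_request(SAMPLE_VENDOR_LOAD, 4));
    return 0;
}
```

The filter matches on request type and direction as well as the request number, so ordinary standard and class requests that the camera needs for normal operation still pass.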
The first pair look at the way camera weaknesses can be exploited with firmware. The second pair deal with increased security when it comes to installing any necessary firmware updates. This might be accomplished by including any such changed firmware in an update to OS X (or other operating system, depending on the computer).
They note that the widely used EZ-USB is "inappropriate for use in any system where security is a consideration." The Discussion has a number of other interesting exploit possibilities (and realities) that are known to be risks for all platforms.
Graham K. Rogers teaches at the Faculty of Engineering, Mahidol University in Thailand where he is also Assistant Dean. He wrote in the Bangkok Post, Database supplement on IT subjects. For the last seven years of Database he wrote a column on Apple and Macs.