OverSight detects when Mac malware uses built-in camera, mic

Users who want to be warned each time their Mac’s camera and microphone are switched on – either by a legitimate process or, more importantly, by malware – can try out OverSight, a free tool created by Patrick Wardle.


Wardle, who’s Director of Research at Synack but also likes to write OS X tools in his free time, is scheduled to present the tool today at the Virus Bulletin conference in Denver, along with his research demonstrating how malware could easily piggyback on legitimate user-initiated video and audio sessions to keep its spying activity hidden.

Malware with this capability has to be able to detect a user-initiated webcam session, initiate its own recording, and terminating it as soon as the legitimate session is over, so that the camera and the hardware-based LED indicator can switch off.

This new approach does not have to rely on exploiting a vulnerability, nor find a way to hack the built-in camera’s hardware-based LED indicator. Users know the camera is on because they are performing an action that requires it to be on, but won’t be able to notice if malware is simultaneously using it to spy on them.

Wardle says that there are is no evidence that malware that is capable of this currently exists, but it’s possible it does, only it hasn’t yet been detected and analyzed by malware analysts.

OverSight is able to detect any and all processes that access and use the built-in camera, identifies them, and allows users to block them:

OverSight detects processes using the built-in camera

When it comes to audio, the software is currently only able to identify that the microphone is activated and alert users to that fact.

Of course, you can always cover your camera to prevent surreptitious recording, but it’s more difficult to do the same with the microphone.

Wardle will continue to improve the tool, but he is realistic about its limitations.

“As with any security tool, direct or proactive attempts to specifically bypass OverSight’s protections will likely succeed,” he noted.

“Moreover, the current version over OverSight utilizes user-mode APIs in order to monitor for audio and video events. Thus any malware that has a kernel-mode or rootkit component may be able to access the webcam and mic in an undetected manner.”

Don't miss