by Mizza 3571 days ago
Are video captures actually possible? I could imagine video capture as part of a RAT, but what scares me is the idea of video capture that doesn't turn on the camera activity light. Are there any examples of that?
7 comments

It was definitely possible a couple years back - https://jscholarship.library.jhu.edu/handle/1774.2/36569

We describe how to disable the LED on a class of Apple internal iSight webcams used in some versions of MacBook laptops and iMac desktops. This enables video to be captured without any visual indication to the user and can be accomplished entirely in user space by an unprivileged (non-root) application.

> It was definitely possible a couple years back

Yeah, a few years back studying MacBooks from 2008.

Have they been updated since then?
Assuming this is a serious question, yes, the camera and MacBooks both have changed a lot since 2008. This is probably why they did the study on 2008 MacBooks as opposed to later models. They wouldn't get the results they wanted otherwise.
I don't know that it's possible on recent Apple hardware. I remember reading somewhere that the green LED is triggered by the camera power line, or something along those lines.
That's how it should be; however, that's not how it is for all web cameras. I don't know specifics about Apple.
Note to anyone developing a new webcam: if you want to be able to flash your LED to indicate something to the user, add another color, and keep the main LED tied to the power line (ideally with a hardware-implemented delayed shutoff on the power so a single-frame grab lights the LED for a long time).
IDK about current gen Apple hardware, but it was possible to do so on a 2008 MacBook, at least (academic paper and PoC app):

https://jscholarship.library.jhu.edu/bitstream/handle/1774.2...

Interestingly, on my battered, el cheapo Asus 12" netbook (2011 Intel Atom), this problem is solved very well: the on/off webcam switch physically blocks the webcam lens in the off state.

The article only includes the word "Video" once in the summary, but then mentioned screen captures every 30 seconds.

I'm guessing that is what the summary is referring to when it says "video capture", because there is no other reference to video or camera.

The list of source files includes avfsession.mm which is likely a C++ wrapper around AVCaptureSession[0], Cocoa's audio and video capture class.

[0]https://developer.apple.com/library/ios/documentation/AVFoun...

The article itself makes no other mention of capturing video from the camera. Is it possible that they use that class purely to capture audio?
I'm going to dig into this and find out, I've wanted to know for ages.

If the LED == LED_TORCH, then it looks like it may be possible:

https://github.com/patjak/bcwc_pcie/blob/8cc44d67f3c924f30a8...

Either way, I'm planning on buying some spare parts to actually test and possibly PoC this.

Apparently this malware doesn't take webcam screenshots (as law enforcement illegally does). It just takes screenshots, possibly to match keystrokes to the window, to be able to match password entries to the application or URL. And then exploit that further on. I wonder why it takes audio captures though? Just for the thrill? Or is it the government?
Be safe and do as Mark Zuckerberg does -- stick a Post-It™ over the camera lens.