[troubledwine]

There's quite a bit of alarm here and in the wording of the article. But no mention of HOW this exploit is applied. I mean surely they're not saying you send someone an e-mail and if they open it their webcam firmware is changed? Or visit a web page or have a flash banner ad run?

You'd have to get the user to download and run a package installer that prompts for an admin password RIGHT?

In other words; this isn't just something that can happen without end user interaction.

[enneff]

To do this you need code execution privileges on the target machine, but there are many ways to do this (social engineering, browser exploit, etc). The research is specifically about disabling the camera light.

[evan_]

> You'd have to get the user to download and run a package installer that prompts for an admin password RIGHT?

In theory; but a motivated party with sufficient resources could simply ("simply") author a fake OS update and deliver it to you over a compromised ISP and you'd never know the difference.

[joshfraser]

You would just chain multiple exploits. For the right price you can buy a zero-day exploit for anything you want -- for the browser, OS & root access. If you have the money, installing the camera exploit in place is trivial.

[joshfraser]

No, it can run in user space by an unprivileged (non-root) application:

https://jscholarship.library.jhu.edu/handle/1774.2/36569

[asciimo]

I agree, and I remain skeptical that this is a trivial or common hack:

> But researchers figured out how to reprogram the chip inside the camera, known as a micro-controller, to defeat this security feature.

Aren't Mac firmware updates always a big deal with special boot modes and audio tones?

[jdiez17]

Nope. The paper explicitly states their assumptions. Asking for admin password (root) is not one of them. If you can get them to run a game (for example), you can pwn them.