9to5Mac Security Alert is provided solely by Mosyle, the only Apple Unified Platform. Our job is to prepare Apple devices and ensure corporate security. Our unique integrated approach to management and security combines the latest Apple-specific security solutions with fully automated Hardening and Compliance, Next-Gen EDR, AI-powered Zero Trust, and the most powerful and modern Apple MDM for specialized Privilege Management. The result is a fully automated Apple Unified Platform trusted by over 45,000 organizations, effortlessly and cost-effectively enabling millions of Apple devices. Request your ENHANCED TRIAL today and understand that Mosyle has everything you need to work with Apple.
The built-in green LED privacy indicator on the Mac—along with what is displayed on macOS—does a pretty good job of alerting users in real-time when the webcam or microphone is active. When you are actively working with your Mac, it's hard to miss them. However, this protection assumes you are there to see the privacy indicators light up.
So, what happens if malware triggers the camera or microphone while you are away from your Mac and silently records and listens? How will you know this is happening when you are not there?
There is an app for that.
In a previous Security Alert corner, I had forced myself to tear apart why plastic webcam covers are no longer necessary on modern MacBooks. Apple’s decision in 2008 to fix the camera module and LED indicator to the same circuit made it impossible for the camera to draw power without that green light being on. This design change effectively eliminated all covert webcam attacks but created others.
An Apple security researcher who commented on that post, Patrick Wardle, founder of Objective-See and a friend of Security Alert, suggested his organization’s free open-source tool OverSight as an additional layer of defense.
OverSight can do many things, but at its core, it has the ability to send notifications when your webcam or microphone is active. So when you return to your Mac, you will have a record of the events triggered while you were away, including the name of the responsible process.
Historically, threats like Fruitfly, Mokes, and Crisis have been observed to linger in systems and activate the camera when users stepped away from their desks. If you are out getting coffee or maybe sleeping, that green LED could be on without your knowledge. OverSight doesn’t prevent this from happening directly, but it logs every activation event and clearly shows you what happened.
OverSight can also detect piggybacking attacks.
There have been documented cases where macOS malware waits for you to join a legitimate video call, silently connects to the same camera stream, and records your conversation. Since Zoom, FaceTime, or Skype (just kidding, RIP) already activate the camera, there is no new LED trigger to raise suspicion. macOS does not differentiate between multiple processes accessing the camera— but OverSight does and alerts you as soon as another process is triggered.
After running OverSight on my personal Mac for the past few weeks, I have really fallen in love with it. It’s one of the rare security tools I recommend everyone set up for a little more peace of mind. If you are like me, knowing exactly when your hardware is accessed is a blessing without having to do special logging or digging into the system's internal structure.
For more information about OverSight, you can visit the Objective-See Foundation's website here.
Security Alert is 9to5Mac's weekly deep dive into the world of Apple security. Each week, Arin Waichulis shapes an ecosystem of over 2 billion devices by addressing new threats, privacy concerns, vulnerabilities, and more.
Follow Arin: Twitter/X, LinkedIn, Threads
Comments
(3 Comments)