On our Dell laptop, we find the DLL that comes with the RealTek drivers for our webcam. We quickly zero in on the exported function “TurnOnOffLED()”. We can quickly make a binary edit to this routine, causing it to return immediately without turning on the light.
Almost all webcams, even those inside your laptop’s screen, are USB devices. There is a standard for USB video cameras, the UVC standard. According to this standard, the LED indicator light is controlled by the host software. To hack this on Windows appears to require a filter driver. We are too lazy to write one, which is why we just hacked the DLLs in the demonstration. We believe this is what the FBI has done: a filter driver for the UVC standard would get most webcam products from different vendors, without the FBI having to write a custom hack for each one.
We describe how to disable the LED on a class of Apple internal iSight webcams used in some versions of MacBook laptops and iMac desktops. This enables video to be captured without any visual indication to the user and can be accomplished entirely in user space by an unprivileged (non-root) application. The same technique that allows us to disable the LED, namely reprogramming the ﬁrmware that runs on the iSight, enables a virtual machine escape whereby malware running inside a virtual machine reprograms the camera to act as a USB HumanInterface Device (HID) keyboard which executes code in the host operating system.
To defend against these and related threats, we build an OS X kernel extension, iSightDefender, which prohibits the modiﬁcation of the iSight’s ﬁrmware from user space.