Thursday 6 October 14:30 - 15:00, Red room
Patrick Wardle (Synack)
One of the most insidious actions of malware is abusing the video capabilities of an infected host to record an unknowing user. Macs, of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, and others, all attempt to spy on OS X users.
Luckily, modern Macs contain a hardware-based LED indicator that can alert users when the camera is in use. And physically covering the built-in camera also provides a low-tech, albeit highly effective solution.
Still, Mac users often legitimately make use of their built-in webcams. For example, a CEO joining in on an important business meeting, a journalist Skyping with a private source, or the everyday Mac user having an intimate FaceTime session with their partner. Unfortunately, malware can covertly record these, all in an essentially undetectable manner.
After examining various 'webcam-aware' OS X malware samples, the research will show a new 'attack' that would allow such malware to stealthily monitor the system for legitimate user-initiated video sessions, then surreptitiously piggyback on them in order to covertly record the session. As there are no visible indications of this malicious activity (the LED light is already on), the malware can record both audio and video without fear of detection.
In order to combat this, we'll discuss techniques that aim to detect 'secondary' processes that attempt to access an existing video session on OS X. Moreover, a (free) tool will be released that implements such detection mechanisms in order to alert users of this treacherous attack.
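The detection idea above (flagging a 'secondary' process that joins a camera session another process already holds) can be illustrated with a small replay over camera open/close telemetry. The following is an added example, not code from the talk or from Objective-See's tool: the event format, the device name and the process names are constructed for illustration, and how such events are collected on a real system is outside its scope.

```python
"""Flag 'secondary' accessors that join an already-active camera session.

Added example (not part of the talk or the Objective-See tool). It replays a
constructed, hypothetical stream of camera open/close events, the kind of
telemetry a camera monitor might collect, and raises an alert for any process
that opens the camera while another process already holds it.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class CameraEvent:
    t: float          # seconds since monitor start (constructed)
    pid: int          # process id
    name: str         # process name
    action: str       # "open" or "close"
    device: str = "FaceTime HD Camera"   # hypothetical device name


@dataclass(frozen=True)
class Alert:
    t: float
    secondary_pid: int
    secondary_name: str
    primary_pids: frozenset   # pids that already held the device
    device: str


def detect_piggybacking(events: List[CameraEvent]) -> List[Alert]:
    """Return one Alert per process that opens a camera device while another
    process already has it open. Holders are tracked per device, so a second
    session on a different device is not mistaken for piggybacking."""
    holders: Dict[str, Set[int]] = {}   # device -> pids currently holding it
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.t):
        active = holders.setdefault(ev.device, set())
        if ev.action == "open":
            # Someone else already has the camera (LED already on): secondary accessor.
            if active and ev.pid not in active:
                alerts.append(Alert(ev.t, ev.pid, ev.name, frozenset(active), ev.device))
            active.add(ev.pid)
        elif ev.action == "close":
            active.discard(ev.pid)
        else:
            raise ValueError(f"unknown action {ev.action!r}")
    return alerts


# Constructed sample telemetry: FaceTime opens the camera, an unknown process
# joins the session while the LED is already on, then both close. A later
# session opened by a single process is a primary accessor, not a secondary one.
SAMPLE_EVENTS = [
    CameraEvent(0.0, 501, "FaceTime", "open"),
    CameraEvent(12.5, 9137, "com.example.unknown-helper", "open"),
    CameraEvent(300.0, 9137, "com.example.unknown-helper", "close"),
    CameraEvent(305.0, 501, "FaceTime", "close"),
    CameraEvent(400.0, 612, "zoom.us", "open"),
    CameraEvent(500.0, 612, "zoom.us", "close"),
]


def main() -> None:
    for a in detect_piggybacking(SAMPLE_EVENTS):
        print(f"[{a.t:7.1f}s] ALERT: {a.secondary_name} (pid {a.secondary_pid}) "
              f"joined {a.device} already held by pids {sorted(a.primary_pids)}")


if __name__ == "__main__":
    main()
```

Run as-is, the replay produces a single alert for the unknown helper joining the FaceTime session; the later single-process session raises none. The key design choice is keeping state per device: an alert fires only when the set of current holders is non-empty and does not already contain the opening process, which is exactly the situation where the hardware LED gives the user no new signal.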
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA and the NSA, and presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his personal website, www.Objective-See.com.