One of the most insidious actions of malware is abusing the audio and video capabilities of an infected host to record an unknowing user. Macs, of course, are not immune; malware such as OSX/FruitFly, OSX/Crisis, OSX/Mokes, and others all attempt to spy on Mac users. OverSight constantly monitors a system, alerting a user whenever the internal microphone is activated or the built-in webcam is accessed. And yes, while the webcam's LED will turn on whenever a session is initially started, new research has shown that malware can surreptitiously piggyback into such existing sessions (FaceTime, Skype, Google Hangouts, etc.) and record both audio and video - without fear of detection.

As with any security tool, direct or proactive attempts to specifically bypass OverSight's protections will likely succeed. Moreover, the current version of OverSight utilizes user-mode APIs in order to monitor for audio and video events. Thus any malware that has a kernel-mode or rootkit component may be able to access the webcam and mic in an undetected manner.

To install OverSight, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive.

Then, simply double-click on 'OverSight_Installer.app'. Click 'Install' to install the tool.

OverSight can also be installed via the command-line. Just execute the installer application with the -install flag:

//install

$ sudo OverSight_Installer.app/Contents/MacOS/OverSight_Installer -install

OVERSIGHT: install ok!



Once OverSight is installed, it will be running and is set to automatically start each time you log in.

By default, when running, OverSight adds an icon to the status menu. Clicking on this icon will display a menu with various information and configuration options.

While OverSight is running, anytime the internal microphone is activated, or a process accesses the built-in webcam, OverSight will alert you of this fact.

For example, an OverSight mic alert is generated when an application (Shazam.app) has activated the internal microphone. Besides alerting that the mic has been activated, the alert contains the name and process identifier of the process responsible for the alert (i.e. 'Shazam'). Moreover, the notification allows one to either 'allow' the process, or terminate it via the 'block' option.

If the 'allow' option is selected, a popup will be displayed asking if the process should be allowed always, or just this once. Clicking 'Yes, Always' will 'white-list' the application - meaning that in the future no OverSight alert will be displayed; the application will be automatically allowed. White-listed applications can be viewed via OverSight's preferences pane (discussed below).

When OverSight detects that the webcam has been activated, or that a secondary process has accessed the camera (while it's already in use), it will display an alert. The webcam notifications will contain the name of the process (i.e. Facetime) and its process identifier. Just like with the mic notification, it will also contain the 'allow' or 'block' options.

Note, in some cases OverSight cannot identify the process responsible for activating the mic or webcam. When this (rarely?) occurs, a more generic alert will be shown, for example a generic mic activation alert.

In order to configure OverSight, simply click on its icon in the status menu. Then click on 'Preferences'. This preferences window will also be shown if you run OverSight.app from the /Applications folder.

'Log activity'

This preference specifies whether or not OverSight should log start/stop and audio/video events. OverSight's log file is located at: ~/Library/Application Support/Objective-See/OverSight/OverSight.log. Click the 'view' link just to the right of the 'Log Activity' label to open the log file. When this preference is enabled, OverSight will also log to the system log via syslog().

'Start at login'

This preference specifies whether OverSight should be started automatically at login, or not. This preference is on by default, meaning OverSight will provide continual protection.

'Run in 'headless' mode'

By default, OverSight will create an icon in the status menu. Enabling this preference will remove this icon, though OverSight will still be running, providing protection. If you wish to re-enable the status bar menu icon, run OverSight.app from the /Applications folder, and uncheck this preference.

'Disable 'inactive' alerts'

When this preference is checked, OverSight will not display an alert when the mic or camera is deactivated.

'Automatically check for updates'

This preference controls whether or not OverSight will automatically check for new versions at startup. If there is a new version, OverSight will display a popup prompting you to upgrade.

As previously mentioned, clicking on the 'Manage Rules' button will open a window that displays all white-listed applications. To remove any application, simply click the 'x' button in its row.

To uninstall OverSight, re-run 'OverSight_Installer.app' (you can re-download it if needed). Clicking the 'Uninstall' button will both stop and remove OverSight from your Mac.

OverSight can also be uninstalled via the command-line. Just execute the installer application with the -uninstall flag:

//uninstall

$ sudo OverSight_Installer.app/Contents/MacOS/OverSight_Installer -uninstall

OVERSIGHT: uninstall ok!



To manually uninstall OverSight, first stop it (via the 'Quit' menu option), then delete 'OverSight.app' from the /Applications folder. Then delete the login item (System Preferences, Groups & Users -> Current User -> Login Items). Finally delete the ~/Library/Application Support/Objective-See/OverSight/ directory.

Components/Capabilities/Footprints

The following table briefly summarizes OverSight's components, capabilities, and system footprint:

OverSight_Installer.app
    Installs or uninstalls OverSight
    Install:
        a) copies OverSight.app to /Applications
        b) starts OverSight_Helper.app
        c) creates ~/Library/Application Support/Objective-See/OverSight/OverSight.log
    Uninstall:
        a) stops OverSight_Helper.app
        b) removes OverSight.app (+ all sub-components)
        c) removes ~/Library/Application Support/Objective-See/OverSight/

OverSight.app
    Located in /Applications
    Displays OverSight's preferences pane
    Contains OverSight_Helper.app

OverSight_Helper.app
    Located in /Applications/OverSight.app/Contents/Library/LoginItems/
    Monitors for audio and video events
    Automatically started by the OS when the user logs in
    Contains OverSightXPC.xpc

OverSightXPC.xpc
    Located in /OverSight_Helper.app/Contents/XPCServices
    Performs high-privileged actions, such as determining what process is using the webcam
    When user white-lists an application, creates ~/Library/Application Support/Objective-See/OverSight/whitelist.plist

In terms of networking code, each time OverSight starts, it queries https://objective-see.com/products/versions/oversight.json to see if there is a new version of the tool. This can be disabled via the 'Automatically check for updates' option in OverSight's preferences pane. Other than this simple version check, it contains no other networking capabilities.

FAQs

Q: Why does the OverSight Installer need my password?

A: In order to determine what process(es) is/are using the webcam, OverSight interfaces with Apple's 'camera daemon.' This requires elevated privileges. Also, if the user clicks 'block' when a process is detected using the camera, OverSight will terminate the process. Again, this action (may) require elevated privileges.

Q: How can I tell if OverSight is installed and running?

A: When started, OverSight adds an icon to the status menu. The presence of this icon indicates that the process is running (unless you've told it to run in 'headless' mode). One can also check if it's running via Activity Monitor.app. Select View->All Processes, and look for a running process named OverSight_Helper.

Q: Why does it take OverSight a few seconds to display the webcam/mic usage notification?

A: There is no easy way to determine what process is using the webcam or mic when either is activated. Worse, there is no direct indication that a new process is accessing an existing webcam session. Thus OverSight has to perform various tests and has to poll the system (only when the camera/mic is active) in order to determine what process(es) is/are accessing the device. This takes a few seconds...mahalo for your patience!

Q: Why can't OverSight detect what process is using the mic/webcam?

A: While there is no direct way to determine what process is using the webcam or mic, OverSight can almost always figure this out via indirect means. If it fails to identify any process (but can still detect that the webcam/mic was activated), OverSight will still generate a notification stating the device was activated. However, this notification will not contain any process information, nor of course, the ability to 'allow'/'block' the process.

Q: How is OverSight different than other tools (such as MicroSnitch)?

A: OverSight is unique in a variety of ways:

OverSight is 100% free (no demo mode, limited functionality, etc).

OverSight is able to identify the process that is accessing the webcam. When your webcam's LED light randomly comes on, you'd want to know what process triggered that, right?

OverSight provides the means to either 'allow' or 'block' a process that is accessing the mic/webcam.

OverSight allows one to whitelist processes, allowing access to either the mic or webcam without any subsequent alerts.

OverSight can detect secondary 'consumer' processes that may be piggy-backing off a legitimate webcam session in order to stealthily record the user without detection. (See: "Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings" for details on this novel attack).

Q: Any other questions?

A: Feel free to shoot me an email at patrick@objective-see.com
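
The footprint in the component table and the process check from the FAQ can be combined into a quick integrity check of the monitor itself. This is an added example, not Objective-See's code; APP_ROOT, USER_HOME, the function names and the script name are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not Objective-See code. Paths are the ones in this page's
# component table; APP_ROOT and USER_HOME are hypothetical overrides so the
# check can be pointed at a mounted volume or a test directory.
APP_ROOT="${APP_ROOT:-/Applications}"
USER_HOME="${USER_HOME:-$HOME}"

# Echo "present <path>" or "missing <path>" for each documented artifact.
oversight_footprint() {
    app="$APP_ROOT/OverSight.app"
    helper="$app/Contents/Library/LoginItems/OverSight_Helper.app"
    xpc="$helper/Contents/XPCServices/OverSightXPC.xpc"
    data="$USER_HOME/Library/Application Support/Objective-See/OverSight"
    for p in "$app" "$helper" "$xpc" "$data" "$data/OverSight.log"; do
        if [ -e "$p" ]; then echo "present $p"; else echo "missing $p"; fi
    done
}

# Echo installed (every artifact present), absent (none) or partial (mixed).
# partial is the state to investigate: an incomplete uninstall, or an app
# bundle whose helper or XPC service is gone, so nothing is monitoring.
oversight_state() {
    present=0; missing=0
    while read -r status rest; do
        case "$status" in
            present) present=$((present + 1)) ;;
            missing) missing=$((missing + 1)) ;;
        esac
    done <<EOF
$(oversight_footprint)
EOF
    if [ "$missing" -eq 0 ]; then echo installed
    elif [ "$present" -eq 0 ]; then echo absent
    else echo partial
    fi
}

# Succeeds if the helper process named in the FAQ is running. In 'headless'
# mode there is no status-menu icon, so the process list is the signal.
oversight_running() {
    pgrep -x OverSight_Helper >/dev/null 2>&1
}

# Print a report only when invoked as: sh oversight_audit.sh report
if [ "${1:-}" = "report" ]; then
    oversight_footprint
    echo "state: $(oversight_state)"
    if oversight_running; then echo "helper: running"; else echo "helper: not running"; fi
fi
```

whitelist.plist is left out of the check because the table says it is only created once an application has been white-listed.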