toxicsoftware.com

RANDOMIZE USR 0


iSight Trick NOT a Security Flaw

November 14th, 2006 · Comments · Uncategorized

Over the last couple of days there has been a plethora of posts about web pages with embedded QuickTime movies accessing a Mac’s iSight camera. Surrounding these posts have been many comments from people worried about the security implications of this functionality. And of course, once the story hit digg.com all the idiots came out of the woodwork and acted as if the sky was falling.

Needless to say this isn’t a security flaw and isn’t even new; see the O’Reilly Mac DevCenter Blog from over a year ago.

This isn’t a security problem because the video from the iSight camera never leaves your local machine. In fact the data is just displayed inside the web page and discarded. For proof of this you can use the network bandwidth monitor feature of Mac OS X’s Activity Monitor. Open a page with a “trick” iSight movie and watch the “Data Sent/sec” field: it should not increase due to the iSight video. Take a look at this video of mine, QuartzComposer.mp4: the data sent varies between 0 and 180 bytes per second. For contrast, take a look at a similar video, but this time using Flash webcam software to transmit video to stickam.com (you know, the shoes on head place): Stickam.mp4. This video shows that stickam.com is receiving around 30KB a second. Yes, I need a shave.

While this isn’t absolute proof that the iSight trick isn’t up to no good, it is a good indicator that things are fine. There are other methods of checking, for example using a healthily paranoid outgoing firewall like Little Snitch.
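The bandwidth check described above can also be scripted from interface counters instead of being read off Activity Monitor. This is an added example, not part of the original post: it parses `netstat -ib` output, using constructed snapshots taken 10 seconds apart and a threshold assumed from the two figures quoted above (0 to 180 bytes per second versus around 30KB a second).

```python
STREAM_THRESHOLD = 5000  # bytes/s; assumed cut-off between idle chatter and a video upload


def snapshot(lo0_out, en0_out):
    """Build constructed `netstat -ib` text in the macOS column layout."""
    return (
        "Name  Mtu   Network     Address            Ipkts Ierrs  Ibytes Opkts Oerrs  Obytes Coll\n"
        f"lo0   16384 <Link#1>                        900     0  450000   900     0 {lo0_out} 0\n"
        f"en0   1500  <Link#4>    00:16:cb:00:00:01  5000     0 4000000  3000     0 {en0_out} 0\n"
        # Per-address rows repeat the link counters and must not be counted twice.
        f"en0   1500  192.168.1   192.168.1.20       5000     0 4000000  3000     0 {en0_out} 0\n"
    )


def link_bytes_out(text):
    """Return {interface: bytes sent} taken from the link-layer rows only."""
    counters = {}
    for line in text.splitlines():
        fields = line.split()
        # Link rows may lack the Address column (lo0), so index from the right:
        # the last field is Coll and the one before it is Obytes.
        if len(fields) >= 10 and fields[2].startswith("<Link#"):
            counters[fields[0]] = int(fields[-2])
    return counters


def send_rate(before, after, seconds, ignore=("lo0",)):
    """Bytes per second sent off the machine between two snapshots."""
    old, new = link_bytes_out(before), link_bytes_out(after)
    total = 0
    for name, sent in new.items():
        if name in ignore or name not in old:
            continue  # loopback never leaves the machine; no baseline means no delta
        total += max(sent - old[name], 0)  # a reset counter contributes nothing
    return total / seconds


def looks_like_upload(rate):
    return rate >= STREAM_THRESHOLD


BEFORE = snapshot(450000, 1000000)
TRICK_PAGE = snapshot(900000, 1001500)   # constructed: local-only iSight movie
WEBCAM_SITE = snapshot(450000, 1300000)  # constructed: webcam video being transmitted

if __name__ == "__main__":
    for label, after in (("trick page", TRICK_PAGE), ("webcam site", WEBCAM_SITE)):
        rate = send_rate(BEFORE, after, 10)
        print(f"{label}: {rate:.0f} B/s sent, upload suspected: {looks_like_upload(rate)}")
```

On a real machine the two snapshots would come from running `netstat -ib` before and while the page is open, with other network-using applications closed.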

To put your mind at rest, here’s a quick screencast tutorial (iSightTrickScreencast.mp4, 3.3MB MP4) on how to create a QuickTime movie that will embed video from your iSight using Quartz Composer. Note that at no point do I add any Quartz Composer nodes to transmit this video data anywhere. Try it yourself.

Here are the files created during the screencast: My Composition.qtz and My Composition.mov

You can use the following snippet of HTML to embed the video into a web page (code stolen from the O’Reilly Mac DevCenter Blog):

<html>
<body>
  <object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="640" height="480" codebase="http://www.apple.com/qtactivex/qtplugin.cab">
    <param name="src" value="file:///Users/schwa/Desktop/My Composition.mov">
    <param name="autoplay" value="true">
    <param name="controller" value="false">
    <embed src="file:///Users/schwa/Desktop/My Composition.mov" width="320" height="240" autoplay="true" controller="false" pluginspage="http://www.apple.com/quicktime/download/">
  </object>
</body>
</html>

One interesting thing about this is that WebKit-based browsers (e.g. Safari and OmniWeb, amongst others) used to be able to display these kinds of Quartz Composer movies directly. Now when you try to load a Quartz Composer file that uses the iSight in a browser, you’ll see this error message: UnsafeComposition.png. You can try it yourself by opening the Quartz Composer file created for the screencast. Quartz Composer files that don’t use the iSight will load as seen here: BasicComposition.mp4. So what’s going on here? Well, I think Apple is rightfully being extremely cautious. Quartz Composer files, and specifically Quartz Composer based QuickTime movies, have had security advisories issued against them: http://www.frsirt.com/english/advisories/2005/0531, http://docs.info.apple.com/article.html?artnum=301714 with more detailed information: http://remahl.se/david/vuln/018/ (currently Google cached due to problems with their server). However, the information that could have been leaked is limited to small textual information (produced by other Quartz Composer nodes) and not the video data itself.


Update: From crazy to ridiculous. Make is publishing a hopefully humorous article explaining how to build a shield for your iSight.


  • The MacDevCenter article was written in response to a WebLog post I made on 5/19/2005 (coincidentally, my third anniversary as an Apple employee). My QC composition was a slightly modified version of one of Sam Kass's rather amazing collection.

    See this post for details: http://www.friday.com/bbum/2005/05/19/take-on-me-2