Objective-See: OverSight

OverSight

Mac malware can spy on users through the microphone or webcam, sometimes without being detected.
OverSight keeps an eye on your Mac's mic and webcam, alerting you whenever either is activated.
Supported OS: macOS 12+
Current version: 2.4.0 (change log)
Zip's SHA-1: EBBD36EE98A821A677AE32F16A7097ACC64DE9F9
Source Code: OverSight



One of the most insidious actions of malware is abusing the audio and video capabilities of an infected host to record an unknowing user. Macs, of course, are not immune; malware such as FruitFly, Crisis, Mokes, and others all attempt to spy on Mac users. OverSight constantly monitors a system, alerting a user whenever the microphone is activated or the webcam is accessed (even if the system is already infected). And yes, while the webcam's LED may turn on whenever a session is initially started, research has shown that malware can surreptitiously piggyback into such existing sessions (FaceTime, Skype, Google Hangouts, etc.) and record both audio and video - without fear of detection ...until now!

Note:
Frequently Asked Questions, and their answers, can be found here.

Installing OverSight

Note:
Due to the mechanism used by OverSight to monitor for mic and webcam access, it can only be installed for, and run on accounts with administrative privileges (which is the default for accounts on macOS).


To install OverSight, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:


Then, simply double-click on 'OverSight_Installer.app'. Click "Install" to install the tool (or "Upgrade" if you have an older version already installed).


As part of the installation process, you might be prompted by macOS to allow OverSight to show notifications and alerts. OverSight should be allowed, as this is the mechanism it uses to notify you whenever something accesses the mic or webcam!


Moreover, on recent versions of macOS, you will have to manually set OverSight's notification style to "Alerts" via the System Preferences application:


Finally, if macOS "Do Not Disturb" mode is enabled, no notifications, including OverSight's, will be displayed.

Using OverSight (Alerts)
Once OverSight is installed, it will be running and is set to automatically start each time you log in. By default, while running, OverSight adds an icon to the status menu. Clicking on this icon will display a menu with various information and configuration options:


While OverSight is running, anytime a microphone or webcam is activated (or deactivated) OverSight will alert you of this fact.

Below is an example of an OverSight camera alert, generated when an application (Zoom) has activated the webcam:

Note:
In some cases OverSight cannot identify the process responsible for activating the mic or webcam. When this (rarely?) occurs, a more generic alert will be shown.

The alert will contain the name of the device (mic or camera that triggered the event), as well as the name and process identifier of the process responsible for the alert (i.e. 'Zoom'). Clicking on "Options" in the notification allows one to either allow the process once, allow it always, or terminate it via the 'Block' option.

Clicking "Allow (Always)" instructs OverSight to ignore future device access (e.g. the camera) for that specific application.

Using OverSight (Rules)
Any approved applications can be viewed via OverSight's "Allowed Device" menu option:


To remove any approved application, simply click the 'x' button in its row.

Using OverSight (Settings)
In order to configure OverSight, simply click on its icon in the status menu. Then click on 'Settings...':


This settings window will also be shown if you run OverSight.app from the /Applications folder.
  • Start at Login:
    This setting specifies whether OverSight should be started automatically at login, or not. This preference is on by default, meaning OverSight will provide continual protection.

  • No Icon Mode:
    By default, OverSight will create an icon in the status menu. Enabling this setting will remove this icon, though OverSight will still be running, providing protection. If you wish to re-enable the status bar menu icon, run OverSight.app from the /Applications folder and uncheck this setting.

  • Ignore External Devices:
    This setting specifies whether or not OverSight will alert you when external mics or cameras are activated/deactivated.

  • Disable 'Inactive' Alerts:
    When this setting is checked, OverSight will not display an alert when a mic or camera is deactivated.
Clicking on the "View Allowed Items" button will open a window that displays all allowed applications.

The "Action" tab of OverSight's preferences window allows you to specify a script or binary that will be automatically executed when a mic or camera event occurs:


By specifying an external program to run, users can extend OverSight's functionality. For instance, some users have employed a simple script with OverSight to control an 'on air' light in their home office, automatically turning it on when the microphone is active and off when it's not.

Note:
The specified binary or script is executed via macOS' built-in shell. This means you should specify the full path, and also ensure the item is executable.

Moreover, if it's a script, make sure it starts with the appropriate interpreter (e.g. #!/bin/bash).


If you enable the "Pass Arguments" option, OverSight will pass various parameters (such as the device and process that triggered the event). This can be useful if your script/binary needs to take different actions based on the type of event.
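An added example (not part of OverSight or its documentation) of an action script for the 'on air' light use case described above. It assumes the arguments arrive as "-name value" pairs such as `-device microphone -event on -process 1234`; the page only states that the device and process are passed, so confirm the layout from what the script logs. The log path and function names are hypothetical.

```bash
#!/bin/bash
# Added example, not OverSight's own code: action script for the "Action" tab.
# ASSUMPTION: with "Pass Arguments" on, arguments arrive as "-name value" pairs,
#   e.g. -device microphone -event on -process 1234
# The page only says device and process are passed; read the log to confirm.

LOG="${OVERSIGHT_ACTION_LOG:-$HOME/oversight_action.log}"  # hypothetical log path

# Turn "-name value" pairs into one "name=value name=value" line.
# Values are data only: filtered to a small character set, never eval'd or run.
parse_event() {
  local out="" key val
  while [ "$#" -gt 0 ]; do
    case "$1" in
      -?*)
        key="$(printf '%s' "${1#-}" | LC_ALL=C tr -cd 'A-Za-z0-9_')"
        val="$(printf '%s' "${2-}" | LC_ALL=C tr -cd 'A-Za-z0-9._/-')"
        out="${out:+$out }${key}=${val}"
        shift
        if [ "$#" -gt 0 ]; then shift; fi
        ;;
      *) shift ;;  # ignore anything that is not a "-name"
    esac
  done
  printf '%s\n' "$out"
}

# Decide what the 'on air' light should do for one parsed event line.
# Prints on, off or ignore; camera events and unrecognised input are ignored.
light_state() {
  case " $1 " in
    *" device=microphone "*) ;;
    *) echo ignore; return 0 ;;
  esac
  case " $1 " in
    *" event=on "*)  echo on ;;
    *" event=off "*) echo off ;;
    *)               echo ignore ;;
  esac
}

# Act only when arguments are passed (by OverSight, or by you while testing).
if [ "$#" -gt 0 ]; then
  event="$(parse_event "$@")"
  printf '%s %s light=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$event" \
    "$(light_state "$event")" >> "$LOG"
  # Put the command that switches your light here, keyed on light_state's output.
fi
```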

Finally, the "Update" tab allows you to disable the check for new versions of OverSight.

Uninstalling OverSight
To uninstall OverSight, select "Uninstall OverSight..." from its Status Bar menu:


...this will launch the uninstaller:


Clicking the 'Uninstall' button will both stop and remove OverSight from your Mac.


FAQs

Q: Are there versions of OverSight compatible with older versions of macOS?
A: While the current version requires macOS 12+ (due to changes by Apple), older versions of OverSight work on previous versions of macOS. Please note, however, that they are no longer officially supported:

Q: OverSight tells me there's an update, but the update isn't compatible with my version of macOS?
A: Due to changes in macOS, the current version of OverSight requires macOS 12+. And while newer versions of OverSight will take your version of macOS into account when checking for an update, older versions do not.

If possible, it is recommended (from a security point of view) to upgrade to the latest version of macOS, which OverSight is compatible with. If this is not an option, you can turn off automatic update checks via OverSight's preferences.

Q: How can I tell if OverSight is installed and running?
A: When started, OverSight adds an icon to the status menu. The presence of this icon indicates that the process is running (unless you've told it to run in 'No Icon' mode). One can also check if it's running via Activity Monitor.app: just look for a running process named OverSight.app.

Q: Why can't OverSight detect what process is using the mic/webcam?
A: While there is no direct way to determine what process is using the webcam or mic, OverSight can almost always figure this out via indirect means. If it fails to identify any process (but can still detect that the webcam/mic was activated), OverSight will still generate a notification stating the device was activated. However, this notification will not contain any process information, nor, of course, the ability to 'allow'/'block' the process.

Q: How is OverSight different than other tools (such as MicroSnitch)?
A: OverSight is unique in a variety of ways:
  • OverSight is 100% free and open-source.

  • OverSight is able to identify the process that is accessing the webcam.
    When your webcam's LED light randomly comes on, you'd want to know what process triggered that, correct?

  • OverSight provides the means to either 'allow' or 'block' a process that is accessing the mic/webcam.

  • OverSight allows one to "approve" a process, allowing access to either the mic or webcam without any subsequent alerts.

  • OverSight can detect secondary 'consumer' processes that may be piggy-backing off a legitimate webcam session in order to stealthily record the user without detection. (See: "Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings" for details on this novel attack).

Q: Any other questions?
A: Feel free to shoot us an email at contact@objective-see.com.