Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: Alvin Diogenes
Threat model. To mount our main attack where we capture video without any external indication to the victim, we assume that an attacker is able to run native code on the victim’s computer as an unprivileged user. Further, we assume the code is unencumbered by defenses such as Apple’s App Sandbox which is used for applications downloaded from the Mac App Store but by little else. This assumption is quite mild...

Thank you for pointing that out. I read through the entire paper except the citations. Amazing work, though it is at best a Trojan in that they do have to get the user to install and run the malicious app, so that part of it is activated in a VirtualBox in a virtual OS that is not OSX. One other caveat, reading between the lines, seems to be that the user had to have administrator privileges... and the attacker had to have it too, because they mentioned the necessity to use sudo. Had the victim user been operating as a Standard User, as is the recommended practice, this would not have worked. Couple of other points... G5 computers cannot access the App Store, which they mention is a prerequisite for this to work, although there are other modalities to get the iSeeYou app onto a target G5. Biggest is the VirtualBox necessity to be running... That is a killer and sort of takes us back to preparing the machine in advance to be invaded before it can be. How many Mac users are going to be running the appropriate guest OS under VirtualBox, which has full root privileges (that's actually how the hardware reprogramming of the iSight camera EPROM is accomplished)?

47 posted on 06/12/2014 2:07:03 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 41 | View Replies ]


To: Swordmaker

I agree that, as presented, it’s a Trojan. Also, this specific exploit doesn’t work in current models anyway.

I’m not sure about the other things you mentioned:

- The only AppStore reference I recall was that the attacker should *not* use the AppStore since Apple’s Sandbox needed to be avoided.

- They claim that everything runs as an unprivileged user. I didn’t notice any use of sudo — if I missed it, maybe it’s just being used to start a new login session for some reason?

- I don’t see any reason this exploit wouldn’t run on a G5. That doesn’t affect the microcontroller code, and the supervising CPU code could be recompiled for the PowerPC (if iSeeYou isn’t already a fat binary with both PowerPC and Intel code).

Anyway, none of this is really the point. As you said, it’s a proof of concept, showing that it’s possible to get around even straightforward hardware limitations to do seemingly impossible things in software. But it’s really more than a proof of concept, it’s an incredibly clever tour de force.

This exact exploit is out of date, but it should remind everybody to be wary in general. This has nothing to do with Apple, and applies equally to Windows, etc.; it’s the microcontroller hack that’s the key here.

By the way, I think Stuxnet was also a USB microcontroller attack.


54 posted on 06/12/2014 7:21:28 AM PDT by Alvin Diogenes
[ Post Reply | Private Reply | To 47 | View Replies ]
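The two posts above disagree about whether the App Sandbox matters for this attack; the paper's threat model, as quoted, assumes code that is not confined by it. A defender's practical question is therefore simply whether a given app is sandboxed at all, and whether it declares camera access. The following is an added example, not code from the paper, its authors, or anyone in this thread. It assumes the real macOS entitlement keys `com.apple.security.app-sandbox` and `com.apple.security.device.camera`, and that `codesign -d --entitlements :- <App.app>` prints an app's entitlements as an XML plist on macOS; the sample plists embedded below are constructed so the parsing runs offline on any platform.

```python
"""Report whether a macOS app bundle opts into App Sandbox and declares camera access.

Added example, not from the iSeeYou paper or this thread. Assumptions:
  - entitlement keys `com.apple.security.app-sandbox` and
    `com.apple.security.device.camera` (both real macOS keys);
  - `codesign -d --entitlements :- <app>` prints the entitlements plist
    (the `:` prefix asks codesign to strip its binary blob header).
The sample plists at the bottom are constructed for offline use.
"""
import plistlib
import shutil
import subprocess
from typing import Dict, Optional

SANDBOX_KEY = "com.apple.security.app-sandbox"
CAMERA_KEY = "com.apple.security.device.camera"


def _strip_blob_header(data: bytes) -> bytes:
    """Older codesign versions prefix the plist with a binary header; drop it."""
    idx = data.find(b"<?xml")
    return data[idx:] if idx >= 0 else data


def parse_entitlements(data: bytes) -> Dict[str, object]:
    """Parse an entitlements plist; unparseable or empty input means no entitlements."""
    data = _strip_blob_header(data)
    if not data.strip():
        return {}
    try:
        ents = plistlib.loads(data)
    except Exception:  # malformed plist: treat as no entitlements declared
        return {}
    return ents if isinstance(ents, dict) else {}


def is_sandboxed(data: bytes) -> bool:
    """True only if the sandbox entitlement is present and set to true."""
    return bool(parse_entitlements(data).get(SANDBOX_KEY, False))


def summarize(data: bytes) -> Dict[str, bool]:
    """Defender-facing summary: is the app confined, and did it ask for the camera?"""
    ents = parse_entitlements(data)
    return {
        "sandboxed": bool(ents.get(SANDBOX_KEY, False)),
        "camera": bool(ents.get(CAMERA_KEY, False)),
    }


def audit_app(app_path: str) -> Optional[Dict[str, bool]]:
    """Run codesign on a real bundle (macOS only); returns None if codesign is absent."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=False,
    )
    return summarize(proc.stdout)


# --- constructed sample plists (not real app output) ---------------------------
_PLIST_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
               b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
               b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
               b'<plist version="1.0">\n')
_PLIST_TAIL = b"</plist>\n"

SANDBOXED_NO_CAMERA = (_PLIST_HEAD + b"<dict>\n"
                       b"  <key>com.apple.security.app-sandbox</key><true/>\n"
                       b"</dict>\n" + _PLIST_TAIL)
SANDBOXED_WITH_CAMERA = (_PLIST_HEAD + b"<dict>\n"
                         b"  <key>com.apple.security.app-sandbox</key><true/>\n"
                         b"  <key>com.apple.security.device.camera</key><true/>\n"
                         b"</dict>\n" + _PLIST_TAIL)
UNSANDBOXED = _PLIST_HEAD + b"<dict></dict>\n" + _PLIST_TAIL

if __name__ == "__main__":
    for name, sample in [("sandboxed, no camera", SANDBOXED_NO_CAMERA),
                         ("sandboxed, camera", SANDBOXED_WITH_CAMERA),
                         ("unsandboxed", UNSANDBOXED)]:
        print(f"{name:22s} -> {summarize(sample)}")
```

On a Mac, `audit_app("/Applications/SomeApp.app")` runs the real check; an unsandboxed result means the app falls under the paper's threat model regardless of whether it touches the camera, because the sandbox is the one defense the paper's assumption explicitly sets aside. A sandboxed app without the camera entitlement is confined from the camera by policy, which is the distinction the thread is arguing about.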



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson