How to Tell If Your Mac Camera Is Hacked (and What to Do)

Quick answer: If your Mac's green camera light turns on when you aren't using the camera, that's the clearest sign something is accessing it. Check System Settings > Privacy & Security > Camera to see which apps have permission, revoke anything you don't recognize, and use Activity Monitor plus lsof to spot processes using the camera right now.

The green dot next to your camera flickered on for a second, even though you weren't on a call. Now you can't stop thinking about it. I get it — there's something uniquely unsettling about the idea that someone might be watching through your own webcam.

Here's the good news first: on a Mac, your camera is genuinely hard to access secretly. Apple wired a hardware indicator light directly to the camera's power, so the light physically cannot stay off while the camera is on. That's a real protection, not marketing. But "hard to access secretly" isn't "impossible to abuse," and there are good reasons to check. Let's walk through how to actually tell whether your Mac camera is hacked — calmly, with real steps.

> Prefer not to check manually? Run a free CoreLock Security Score to see every app with screen, mic, camera, or full-disk access in about 60 seconds.

Understand the Camera Indicator Light First

The single most important thing to know about Mac webcam security is the green light. On every Mac with a built-in camera, a small green LED sits next to the lens. When the camera is active, that light is on. When the camera is off, the light is off. There's no software toggle for it — it's tied to the camera's power circuit at the hardware level.

So the real question usually isn't "is my camera hacked?" It's "why did the green light turn on when I wasn't expecting it?"

Most of the time, the answer is innocent. FaceTime, Photo Booth, Zoom, Teams, or your browser on a video call can wake the camera, and some apps briefly check it at launch. But if the light comes on while you're just reading email or the screen is locked, that's worth investigating.

One honest caveat: external USB webcams don't always have a reliable light, and the light only tells you the camera is on — not who's looking. So we still check permissions and running processes.

Check Which Apps Have Camera Permission

This is the most useful step, and it takes about thirty seconds. Go to System Settings > Privacy & Security > Camera.

You'll see a list of every app that has requested camera access, each with a toggle. Look through it slowly. The questions to ask yourself:

• Do I recognize every app here?
• Does each one have an obvious reason to need the camera?
• Do I remember granting this?

A video calling app needing the camera makes sense. A PDF reader, a "system cleaner," or some random utility you installed once and forgot about does not. When I was building CoreLock's scanner, what surprised me most was how many apps quietly request permissions they have no business holding.

If you see something you don't trust, flip its toggle off. The app loses camera access immediately. It might prompt you again next time it genuinely needs the camera, which is fine. For a deeper look at what tends to accumulate here, I wrote a separate guide on apps with camera access.

While you're in this screen, glance at the Microphone and Screen Recording sections too. Spyware that wants your camera usually wants your mic and screen as well, and seeing the same unfamiliar app across all three is a strong signal.

See What's Using the Camera Right Now

Permissions tell you what *could* use the camera. To see what's using it *this second*, open Terminal and run:

lsof | grep -i "AppleCamera\|VDC\|iSight"

This lists processes that currently have the camera device open. On modern Macs you can also check for the camera assistant and any process holding the relevant device handles. If you run this while nothing should be using the camera and a process you don't recognize shows up, write down its name.

You can cross-check with the process list:

ps aux | grep -v grep | sort

Look for anything running from an odd location — a hidden folder in your home directory, /tmp/, or a random path instead of /Applications/ or /usr/bin/. Legitimate camera-using apps live in normal places and have recognizable names.

Activity Monitor gives you the same information with less squinting. Open it, click the CPU tab, and sort by process name. Double-click anything unfamiliar to see its full path and parent process. A camera-hijacking process often spikes briefly when it captures, then goes quiet — but combining this with the permission list usually tells the story.

Watch for the Night-Time and "Idle" Pattern

The most concerning pattern isn't a one-off flicker — it's the camera waking up when *you* aren't there. Spyware tends to capture when it thinks no one is watching: while the screen is locked, late at night, or when the Mac is idle.

If you've noticed the green light during those moments, take it seriously and note roughly when it happens. A consistent time points to a scheduled background task rather than a random app. CoreLock specifically flags camera access that happens at night or while you're away, because that timing is one of the clearest behavioral tells. You can replicate the manual version by keeping Activity Monitor open and watching whether any camera-touching process runs on a schedule.

Hunt for Persistent Background Processes

If something is accessing your camera on a schedule, it has to start itself somehow. On macOS, that usually means a Launch Agent or Launch Daemon. Check the common locations:

ls -la ~/Library/LaunchAgents/
ls -la /Library/LaunchAgents/
ls -la /Library/LaunchDaemons/

Each .plist file is a background task that can launch automatically. Skip the /System/Library/ folders — those are Apple's. Focus on the three above, and especially /Library/LaunchDaemons/, which runs with root privileges.

To see exactly what one of these launches, read it:

cat ~/Library/LaunchAgents/suspicious.file.plist

Look at the ProgramArguments section. If it points to a hidden file, a vague binary name, or something in a temp directory, that's a red flag worth researching. A more thorough walkthrough of finding these lives in my post on hidden processes running on your Mac.

Check for Outbound Network Connections

A camera hijacker that wants your footage has to send it somewhere. You can watch active network connections with:

lsof -i | grep ESTABLISHED

This shows which processes are talking to the internet right now. Plenty of legitimate apps make connections — but if an unfamiliar process is both touching the camera *and* maintaining an outbound connection, that combination is far more suspicious than either alone. Note the process name and look it up before assuming the worst.

How to Revoke Access and Shut It Down

If you've found something you don't trust, here's the cleanup order:

1. Revoke the permission. In System Settings > Privacy & Security > Camera (and Microphone, and Screen Recording), toggle off the offending app. This cuts off access immediately.
2. Quit the process. In Activity Monitor, select it and click the stop (X) button, or use kill with its PID in Terminal.
3. Remove the launch item. Delete the related .plist from ~/Library/LaunchAgents/ or /Library/LaunchDaemons/ so it can't relaunch at login.
4. Delete the app itself. Drag it to the Trash and check for leftover files it scattered around, since many don't clean up after themselves.
5. Update and restart. Install pending macOS updates and reboot to clear lingering processes and apply Apple's latest protections.

Afterward, watch the green light and Activity Monitor for a few days. Some spyware has multiple components and tries to reinstall itself, so confirm it stays gone.

When It's Probably Not a Hack

Let's keep this grounded, because anxiety loves to fill in the worst-case blanks. Far more often than an actual breach, the green light has a boring explanation:

• A video app or browser tab quietly kept the camera "warm."
• A meeting app like Zoom or Teams is running in the background and pre-checking the camera.
• A widget or accessory (like a Continuity Camera handoff with your iPhone) triggered it.
• A buggy app re-opens the camera on its own.

Genuine remote camera hijacking on an up-to-date Mac is uncommon, precisely because of the hardware light and macOS's permission system. So if your checks come back clean — recognized apps only, no strange processes, no odd launch items — it's reasonable to relax. For a broader sense of what real compromise looks like, the 5 signs your Mac is compromised guide pairs well with this, and if you're worried about other sensors, here's how to check which apps are recording you.

A Simple Habit That Helps

You don't need to audit your Mac every week. Two small habits go a long way: notice the green light, and glance at your camera permission list once in a while. Most webcam scares end the moment you realize the light only ever comes on when *you* start a call.

If you'd rather not run Terminal commands every time you get that uneasy feeling, that's the gap CoreLock fills — it surfaces every app with camera, mic, screen, or full-disk access in one view and flags suspicious timing automatically. Either way, the manual steps above are real, checkable, and enough to answer the question that's actually keeping you up: is someone watching? Almost always, the honest answer is no — and now you know how to confirm it yourself.