This page contains affiliate links. As an Amazon Associate, we earn a commission on qualifying purchases at no additional cost to you.
It's one of the worst feelings.
You're using your Mac computer and you start to notice that some things are wrong. Files you've never seen before appear. You may notice apps that you never installed. Or maybe the mouse even moves on its own.
Has your Mac been hacked?
I'm Andrew, a former Mac administrator with fifteen years of experience in information technology, and I'm going to show you what to check if you suspect your MacBook, iMac, or other device running macOS has been compromised.
In this article, we'll look at three different scenarios. We'll look at how to tell if someone is actively monitoring your Mac, how to tell if your Mac has been compromised in the past, and how to secure your operating system to prevent unauthorized remote access in the future.
- How do I know if someone is accessing my Mac remotely?
- How to Tell If Your Mac Has Been Hacked
- How to Prevent Someone from Remotely Accessing Your Mac
- common questions
- Take control of your Mac
How do I know if someone is accessing my Mac remotely?
If you suspect someone is remotely accessing your Mac while you're using it, there are a few telltale signs.
1. Check the camera light
You've probably heard nightmare stories of hackers turning on webcams without the owner's knowledge and watching, or worse, recording everything the camera can see.
Fortunately, Macs with a built-in camera, such as iMacs and MacBooks, have an indicator light that glows green when the camera is in use.
Is light an infallible indicator?
Apple claims that the cameras are connected in-line with the camera, which means that the camera would also turn off if the lights went out. At thecompany's own words,
“The camera is designed in such a way that it cannot be activated without also turning on the camera indicator. This is how you can tell if your camera is on.”
Despite this, the webcam lights were previously disabled and it is not impossible for hackers to find a way to activate your camera while the LED indicator remains off.
Don't rely 100% on the LED, but if you notice that it's lighting up and you're not running any program accessing the camera, someone else might be accessing it.
2. Look for the Apple Remote Desktop or Screen Sharing icon
Called Apple Remote Control SoftwareApple Remote Desktop(ARD for short) allows teachers, IT professionals, or anyone with permission to monitor, manipulate, and even control other Macintosh computers.
split screenis another method of giving someone or another device access to your computer.
However, when someone connects to your Mac through ARD or screen sharing, macOS displays a screen sharing icon in the upper-right corner of the screen.
When your Mac is on the lock screen (or login screen), you'll also see a message that says "Your screen is being watched.“
Depending on your operating system version, it's in the upper-right corner next to the screen sharing icon in macOS 12 Monterey, or near the center above User Accounts in earlier versions.
This is how it looks in macOS Monterey:
If you see this icon, your Mac might be under surveillance.
There are two cases where this icon does not mean that someone is remotely monitoring your screen.
The first is when you use AirPlay to mirror your Mac's screen wirelessly. 🇧🇷
Of course, if you didn't start the Screen Mirroring session, it's still possible that someone else started AirPlay remotely. But if someone had access to your Mac, it's unlikely they would have any reason to use AirPlay.
The second scenario occurs when you record your screen. Did you know that screen recording is possible on macOS? IT'S.
The easiest way to start a screen recording session is to use the keyboard shortcut,capa+domain+5and then click the "Burn" button.
If you enter the house, you will notice that a circle with a square stop button will appear in the upper right corner. You will only see the screen sharing icon if your screen is locked during screen recording.
3. Check for mouse movement or other erratic GUI behavior
Does the mouse move by itself?
Do programs open or close by themselves? Do you see keystrokes on your computer?
These and other strange or erratic behaviors could indicate that someone is remotely controlling your Mac.
Check that peripheral input devices such as Magic Mouse, wireless keyboard or trackpad are not misbehaving as they can cause some of the same symptoms.
4. Use the who command
If remote login is enabled on your Mac, someone can access your Mac using Secure Shell (SSH).
An easy way to check is to run the "who" command in the macOS terminal. Search for "terminal" in Launchpad and click on the application to open it.
When prompted, type "who" (without the quotes) and press Enter.
Terminal displays all users who are connected to your computer.
Remote users are listed along with their IP addresses. In the screenshot above, a user named "jeremiah" is logged in via IP 192.168.1.22.
How to Tell If Your Mac Has Been Hacked
If you don't suspect someone is actively accessing your Mac, but you want to know if someone has remotely accessed your Mac in the past, there are several places to check.
1. Check the log files
In the terminal type the following command:
log show –last 7d –predicate 'processImagePath CONTAINS "screensharingd" AND eventMessage CONTAINS "authentication"'
This command displays all screen sharing log items from the last seven days with authentication related messages.
You can see in the example above that the user "jeremiah" tried to establish a screen sharing session from the IP address 192.168.1.22.
2. Search for new or changed files
Do you notice new files that you didn't create? Have some of your files changed, but you haven't?
These are signs that someone may have accessed and tampered with your computer.
Note that the system generates its own files throughout the operating system, so don't jump to conclusions if you see files you don't recognize.
Still, external files can be a symptom of unauthorized remote access.
3. Search for new user accounts
Open the terminal again and type:
dskl. List / Users
You can ignore all users that start with an underscore, and you can also ignoredevil,nobody, yousource🇧🇷 These are regular users and are built into macOS.
If you see users you don't recognize, someone with remote access may have created those users and is using the accounts to access your Mac.
4. Check for malware
Another point to check is malware.
Malware comes in many forms, but one of its roles is to gain remote access to your computer for a variety of purposes, including identity theft, botnets, and extortion.
Bitdefender-Antivirusconsequentis among the bestOne of the best when it comes to macOS virus detection and protection. The software isn't free, so be prepared to shell out a few dollars a year to use the program.
Another good option isMalwarebytes🇧🇷 Malwarebytes isn't free either, but the program comes with a 14-day trial. So if you just need a one-time check, this might be a good option.
5. Look for newly installed apps
No Finder menu, click emwalkand then moreForms🇧🇷 In the list view, clickdate changedto sort apps.
Are you seeing current programs that look suspicious or that you don't recognize?
In that case, enter the app names into an internet search engine to verify that they are legitimate. If not, delete them.
6. Check your login items
Rogue startup programs can indicate the presence of spyware, adware, or other malware on your computer.
This could be as simple (and complicated) as a script that re-enables screen sharing every time you log into your computer.
To see what programs are running when you sign in, go to System Preferences (System Preferences in macOS Ventura and later) and click theUsers and groupsSymbol. Then click onLogin-Elementoguide on the right.
This area lists the programs you run when you log in. Select the items you don't recognize or need and click the minus button to remove them.
How to Prevent Someone from Remotely Accessing Your Mac
Even if you don't suspect anyone has accessed your Mac in the past, it's always a good idea to tweak your operating system settings to make it more secure. This is called hardening and it doesn't take long. Here are some settings to check:
1. Check camera and microphone access
NoSystem Preferences (System Preferences in macOS Ventura and later), Click insafetyand then select theprivacyEyelash.
Click on the lock icon in the lower left corner and authenticate to change settings in this area.
scroll toCameraon the left and select the item. Any app that has access to it will be listed on the right side with a checkmark in the box next to it.
Disable any programs you don't want accessing your camera.
Follow the same steps for the microphone.
2. Instalar software antimalware
A good, if complicated, antivirus is another line of defense against nefarious activity on your Mac. See recommendations above.
3. Disable SSH, screen sharing and remote admin access
again inSystem Preferences (System Preferences in macOS Ventura and later), navigate toPull apartCampo.
Clear the following checkboxes: Screen Sharing, Remote Login, and Remote Management.
This will restrict remote access to your Mac. You can always manually reset them if you need to allow temporary access to your Mac.
Now that you know the remote access indicators and how to secure your Mac to prevent unauthorized access in the future, you might still have some questions.
Can a Mac be hacked remotely?
Yes, Macs are not immune to remote hackers. With SSH enabled, anyone with administrator privileges can remotely execute code that can take full control of your Mac.
How can I see recent activity on my Mac?
The system.log file in the Console utility is a good place to start. You can search this log file for specific keywords. If you are specifically looking for screen sharing events, use the instructions above.
Take control of your Mac
By following the steps above, you can not only detect if someone is accessing your Mac remotely, but also check past activity and even secure your system to prevent further compromise.
There's no need to be afraid when using your Mac. By following this guide and using your common sense, you'll be sure that your Mac is yours and that no one but you and those you give permission to have access to it.
About Andre Gilmore
Based in Norman, Oklahoma, Andrew is a former Apple Certified Engineer with over fifteen years of experience in the IT world, specializing in macOS and iOS. When not writing, he enjoys video games, reading, and really bad movies.