How to Tell If Your Mac Has Been Remotely Accessed

It’s one of the worst feelings.

You’re using your Mac computer and begin to notice some things are off. Files appear that you have never seen before. Maybe you notice applications you never installed. Or maybe your mouse even starts moving on its own.

Has your Mac been hacked?

I’m Andrew, a former Mac administrator with fifteen years of experience in Information Technology, and I’ll show you what to check if you suspect your MacBook, iMac, or any other device running macOS has been compromised.

In this article, we’ll examine three different scenarios. We’ll look at how to tell if someone is actively monitoring your Mac, how to tell if your Mac has been compromised in the past, and how to harden your OS to help prevent unauthorized remote access in the future.

Let’s dive in.

How Do I Know If Someone Is Remotely Accessing My Mac?

If you suspect someone might be remotely accessing your Mac while using it, there are a few telltale signs.

1. Check the Camera Light

You’ve probably heard nightmarish stories of hackers enabling webcams without the owner’s knowledge and watching—or worse, recording—everything the camera can see.

Fortunately, Macs with built-in cameras like iMacs and MacBooks have an indicator light that turns green when your camera is in use.

Is the light a foolproof tell?

Apple claims the cameras are wired in series with the camera, meaning that if the light were to shut off, the camera would also shut down. In the company’s own words

“The camera is engineered so that it can’t activate without the camera indicator light also turning on. This is how you can tell if your camera is on.”

Nevertheless, webcam lights have been disabled before, and it’s not out of the realm of possibility that hackers could find a way to enable your camera while keeping the indicator LED dim. 

Don’t rely 100% on the LED, but if you notice it’s on and you aren’t running any programs accessing the camera, then someone else might be accessing it.

2. Look for The Apple Remote Desktop or Screen Sharing Icon

Apple’s remote-control software called Apple Remote Desktop (ARD for short) allows teachers, IT professionals, or anyone with permission to monitor, manipulate, and even control other Macintosh computers.

Screen sharing is another method for giving someone or another device access to your computer.

But when someone connects to your Mac using ARD or via screen sharing, macOS displays a screen sharing icon in the top right corner of your screen.

If your Mac is at the lock screen (or login screen) you’ll also see a message that says “Your screen is being observed.”

Depending on your OS version, this will be in the top right next to the screen sharing icon in macOS 12 Monterey, or near the center above the user accounts in older versions. 

Here’s what it looks like in macOS Monterey:

If you see this icon, your Mac may be under surveillance.

There are two instances when this icon does not mean someone is remotely monitoring your screen.

The first is if you’re using AirPlay to wirelessly mirror your Mac’s screen. When you do so by connecting to an Apple TV or other AirPlay-compatible device, macOS will show the Screen Sharing icon just like the OS does with ARD and remote screen sharing.

Of course, if you did not initiate the screen mirroring session, then it is still possible someone remotely started AirPlay. But if someone did have access to your Mac, it’s unlikely he or she would have any motive to use AirPlay.

The second scenario occurs when recording your screen. Did you know screen recording is possible on macOS? It is.

The easiest way to start a screen recording session is by using the keyboard shortcut, shift + command + 5 and then clicking the “Record” button. 

If you’re following along at home, you’ll notice a circle with a square stop button appears in the top right corner. You’ll only see the screen sharing icon if your screen locks while screen recording is in progress.

3. Watch for Mouse Movement or Other Erratic GUI Behavior

Is your mouse moving on its own?

Are programs opening or closing all by themselves? Are you seeing keystrokes entered on your computer?

These and other strange or erratic behaviors could indicate someone is remote-controlling your Mac.

Verify that any peripheral input devices like your Magic Mouse or wireless keyboard or trackpad aren’t misbehaving, as these could cause some of the same symptoms.

4. Use the Who Command

If Remote Login is enabled on your Mac, someone could be accessing your Mac using Secure Shell (SSH).

A simple way to check is to run the “who” command from the macOS terminal. From Launchpad, search for “Terminal” and click on the app to open it.

At the prompt, type “who” (without the quotation marks) and press the return key.

Terminal will show any users logged in to your computer.

Remote users will be listed along with their IP addresses. In the screenshot above, a user called “jeremiah” is connected from IP 192.168.1.22.

How to Tell If Your Mac Has Been Hacked

If you don’t suspect someone is actively accessing your Mac, but want to know if anyone has remotely accessed your Mac in the past, there are several places you can look.

1. Check Log Files

Back in Terminal, type the following command:

log show –last 7d –predicate ‘processImagePath CONTAINS “screensharingd” AND eventMessage CONTAINS “Authentication”‘

This command will show all screen sharing log items from the past seven days with messages regarding authentication.

You can see in the above example that user ‘jeremiah’ attempted to establish a screen sharing session from the IP address 192.168.1.22.

2. Look for New or Modified Files

Do you notice any new files you didn’t create? Are some of your files modified but you didn’t change them?

These are signs someone may have accessed and manipulated your computer.

Keep in mind that the system generates its own files all over the OS, so don’t immediately jump to conclusions if you see files you don’t recognize.

Nevertheless, strange files could be a symptom of unauthorized remote access.

3. Check for New User Accounts

Open Terminal up again and type:

dscl . list /Users

You can ignore any users starting with an underscore, and you can also ignore daemon, nobody, and root. These are normal users and are built-in to macOS.

If you do see any users you don’t recognize, it is possible someone with remote access created these users and is using the accounts to access your Mac.

4. Check for Malware

Another item to check is malware.

Malware comes in many forms, but one of its functions is to remotely access your computer for a variety of purposes like identity theft, botnets, and extortion.

Bitdefender Antivirus consistently ranks among the best of the best when it comes to macOS virus scanning and protection. The software is not free, so be prepared to shell out a few bucks per year to use the program.

Another good option is Malwarebytes. Malwarebytes is not free either, but the program does come with a 14-day trial. So if all you need is a one-time scan, this might be a good option.

5. Look for Newly Installed Applications

From the Finder menu, click on Go and then on Applications. In the list view, click on Date Modified to sort the applications.

Do you notice any recent programs that seem suspicious or you don’t recognize?

If so, enter the applications’ names in an Internet search engine to see if they are legitimate. If not, delete them.

6. Check Your Login Items

Unauthorized startup programs might indicate some sort of spyware, adware, or other types of malware is present on your computer.

This could be something as simple (and nefarious) as a script that re-enables screen sharing every time you log in to your computer.

To see which programs are running at login, go to System Preferences and click on the Users & Groups icon. Then click on the Login Items tab on the right-hand side.

This pane will list programs you have running when you log in. Select any items you don’t recognize or need and then click on the minus button to remove them.

How to Stop Someone from Accessing Your Mac Remotely

Even if you have no suspicions someone has accessed your Mac in the past, it’s always a good idea to tweak your OS settings to make it more secure. This is called hardening, and doesn’t require too much time. Here are some settings to check:

1. Check Camera and Microphone Access

In System Preferences, click on Security & Privacy and then choose the Privacy tab.

Click the padlock icon on the bottom left and authenticate in order to change settings in this pane.

Scroll to Camera on the lefthand side and select the item. Any apps that have access will be listed on the right side with a checkmark in the box next to it.

Uncheck any programs you don’t want accessing your camera.

Follow the same steps for the Microphone.

2. Install Antimalware Software

A good antivirus program, although it can be cumbersome, is another line of defense against nefarious activity on your Mac. See above for recommendations.

3. Turn off SSH, Screen Sharing, and Remote Management Access

Back in System Preferences, navigate to the Sharing pane.

Uncheck the following boxes: “Screen Sharing,” and “Remote Login,” and “Remote Management.” 

Doing so will limit remote access to your Mac. You can always manually turn these back if you need to allow temporary access to your Mac.

FAQs

Now you know the indicators of remote access and how to harden your Mac to prevent unauthorized access in the future, but you might have a couple more questions.

Can a Mac be hacked remotely?

Yes, Macs are not immune to remote hacking. If SSH is enabled, anyone with administrative credentials can remotely execute code that could lead to a full takeover of your Mac.

How do I see recent activity on my Mac?

The system.log file in the Console utility is a good place to start. In that log file, you can search for certain keywords. If you’re specifically looking for screensharing events, use the instructions above.

Take Back Control of Your Mac

By following the steps above, not only can you identify if someone is accessing your Mac remotely, but also you will be able to check for past activity and even harden your system to prevent future compromises.

There’s no need to be fearful when using your Mac. By following this guide and using some common sense, you’ll feel confident moving forward that your Mac is yours, and no one but you and those to whom you give permission will have access.

About Andrew Gilmore
Based in Norman, Oklahoma, Andrew is an ex-certified Apple technician with over fifteen years of experience in the IT world specializing in macOS and iOS. When he's not writing, he enjoys video games, reading, and really bad movies.

Leave a Reply

Your email address will not be published.