Researchers Matthew Brocker and Stephen Checkoway of Johns Hopkins University demonstrated something of concern: they were able to turn on the FaceTime camera for MacBooks and iMacs (ie, capture images) without the LED indicator lighting up, warning that the camera is indeed working.
The entire study / case was released by The Washington Post, but in short here's what happened.
The FaceTime camera on Macs has a kind of hardware interconnection between the sensor and the LED indicator both are directly connected and, when the camera turns on, it is mandatory and automatically the LED lights up. However, according to the study (PDF), the researchers managed to circumvent this connection by reprogramming the firmware present on the camera's microcontroller, thus ignoring the signals sent by the USB interface that the camera uses to communicate with other parts of the computer leaving the LED indicator off.
This type of firmware change does not necessarily need the privileges of an OS X administrator account. Worse, it does not even need direct contact with the machine – everything can be done remotely. It is true that Brocker and Checkoway's proof of concept only affects Macs manufactured before 2008, but they claim that there are other methods to use this same vulnerability that can be put into practice on the most current Macs even though they have not been able to prove it. .
Undoubtedly the information is worrying, but since they are good, they released the study to Apple's security team in the middle of the year so let's hope that Ma's engineers can remedy this in some way.