The researchers said they've sent the report and their proof-of-concept code to Apple, but they haven't been informed about any possible mitigation plans.
Apple did not immediately respond to a request for comment.
There's been a rise in recent years in the number of cases in which hackers spied on victims -- primarily women -- in their bedrooms and other private settings though their webcams.
One recent case of "sextortion" -- extortion using illegally obtained nude photographs of victims -- involved 19-year-old Cassidy Wolf, the winner of the 2013 Miss Teen USA title.
In September, the FBI arrested a 19-year-old man named Jared Abrahams from Temecula, Calif., on charges that he hacked into the social media accounts of several women, including Wolf, and took nude photographs of them by remotely controlling their webcams. He then allegedly contacted the victims and threatened to post the pictures on their social media profiles unless they sent him more nude photos and videos or did what he demanded for five minutes in Skype video chats.
Wolf said in media interviews that she had no idea someone was watching her through her webcam because the camera's light didn't go on.
There are hackers who bundle remote administration tools (RATs) that can record video and sound from webcams with malware, the JHU researchers said in their paper. Based on discussion threads on hacker forums many of these individuals, who are known as "ratters," are interested in the ability to disable the webcam LEDs, but do not think it is possible, they said.
This new research shows that it is possible, at least on some computers.
"In this paper, we have examined only a single generation of webcams produced by a single manufacturer," the researchers said. "In future work, we plan to expand the scope of our investigation to include newer Apple webcams (such as their most recent high-definition FaceTime cameras) as well as webcams installed in other popular laptop brands."
Security experts have advised users in the past to cover their webcams when not in use in order to avoid being spied on in case their computers get compromised.