I thought the whole point of these camera LEDs was to have them wired to/through the power to the camera, so they are always on when the camera is getting power, no matter what.
Having the LED control exposed through the firmware completely defeats this.
They are hardwired on Macbooks. From Daring Fireball, quoting an email from an Apple engineer.
> All cameras after [2008] were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]
> So, no, I don’t believe that malware could be installed to enable the camera without lighting the LED. My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.
>The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed.
That might make it harder to develop a hack, but one would hope that if the hardware team tied the LED to a hardware signal, it would not matter if the firmware were reflashed.
I believe that it’s not literally hardwired in the sense that powering up the camera also powers up the camera LED, and instead this relies on logic in the hopefully un-flashable camera+LED firmware. Someone correct me if I’m wrong.
You need some logic to enforce things like a minimum LED duration that keeps the LED on for a couple seconds even if the camera is only used to capture one brief frame.
I have a script that takes periodic screenshots of my face for fun and I can confirm the LED stays on even if the camera only captures one quick frame.
I don't think they would waste a high value capacitor just to keep a led lit for longer, also a led directly lit by a capacitor would be noticeable by slowly dimming when the capacitor discharges. It's more likely that the signal driving the led comes out of a monostable implemented in code: pin_on() drives the led on; pin_off() waits n secs then drives the led off.
This is Apple, so that assertion isn’t guaranteed valid like it would be for non-enterprise HP or Lenovo. They absolutely would invest in a capacitor if that’s what it takes, as they are maximally focused on camera privacy concerns and have made a point of that in their security marketing over time; or else they wouldn’t be allowing hardware security engineers to brag about it, much less talk publicly about it, at all.
The trick is to keep using the camera until that capacitor is discharged. I'm pretty sure most cameras can run at voltages below a LED's forward voltage nowadays.
I happen to have some first-hand knowledge around the subject! In 2014 someone did a talk[0] on disabling the camera on some older Macbooks. It was fairly trivial, basically just reflashing the firmware that controlled the LED. I worked on the security team at Apple at the time and in response to this I attempted to do the same for more modern Macbooks. I won't go into the results but the decision was made to re-architect how the LED is turned on. I was the security architect for the feature.
A custom PMIC for what's known as the forehead board was designed that has a voltage source that is ALWAYS on as long as the camera sensor has power at all. It also incorporates a hard (as in, tie-cells) lower limit for PWM duty cycle for the camera LED so you can't PWM an LED down to make it hard to see. (PWM is required because LED brightness is somewhat variable between runs, so they're calibrated to always have uniform brightness.)
On top of this the PMIC has a counter that enforces a minimum on-time for the LED voltage regulator. I believe it was configured to force the LED to stay on for 3 seconds.
This PMIC is powered from the system rail, and no system rail means no power to the main SoC/processor so it's impossible to cut the 3 seconds short by yoinking the power to the entire forehead board.
tl;dr On Macbooks made after 2014, no firmware is involved whatsoever to enforce that the LED comes on when frames could be captured, and no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.
There seems to be widespread anxiety regarding cameras, but hardly anyone ever talks about microphones. Are conversations not much more privileged information than potentially seeing someone in their underwear?
"All Apple silicon-based Mac notebooks and Intel-based Mac notebooks with the Apple T2 Security Chip feature a hardware disconnect that disables the microphone whenever the lid is closed. On all 13-inch MacBook Pro and MacBook Air notebooks with the T2 chip, all MacBook notebooks with a T2 chip from 2019 or later, and Mac notebooks with Apple silicon, this disconnect is implemented in hardware alone." [1]
Nobody but Abby and Ben care if Ben is caught admitting hwe cheated on Abby.
But naked images of Abby can head off into the ether and be propagated more or less forever, turn up on hate sites, be detrimental to careers etc.
If your threat model is leaking company secrets then sure, microphone bad, as is anything having access to any hardware on your machine.
So sure, maybe people ought to be more concerned about microphones as well, rather than instead.
I'm not arguing a point here, but I'm curious what the actual number of instances exist where someone is naked or in some other extortionate way (accidently of course) potentially exposed from the position of their webcam. I too would be much more concerned about my microphone, where I know one had conversations that in front of or next to my machine that I wouldn't want "out there". In terms of where my camera is, I woukd imagine they would catch me picking my nose every so often but that's about it.
> and no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.
I may be the oddball here, but that 3 second duration does not comfort me. The only time I would notice it is if I am sitting in front of the computer. While someone snapping a photo of me while working is disconcerting, it is not the end of the world. Someone snapping photos while I am away from the screen is more troublesome. (Or it would be if my computer was facing an open space, which it doesn't.)
OK, but then what? Leave the LED on for 24 hours after you've captured a single frame? At that point the LED isn't really indicating camera usage because you'll just get used to seeing it on all the time whether the camera is in use or not.
It's strange that none of these companies will include a closable cover for the camera. I got one aftermarket. It is very reassuring since no hacking or accidental misclicks on my part can move the cover.
I've seen HP desktops that have a closeable camera cover, and Lenovo does on some ThinkPads [1], so probably others do too. Laptops usually have very little depth available in the screen part though, which is why most laptop cameras are crappy (exceptions include Surface Pro and Surface Book, which have more depth available and so much better cameras than most, but no cover - at least their camera light is not software controlled).
I've seen a million people parroting "oh now apple fixed it!" and not a single person who has actually verified/proved it. Go on, show my any third party security researcher who has verified this claim via examining the actual hardware.
You'll pardon us all if we don't really believe you, because a)there's no way for any of us to verify this and b)Apple lied about it before, claiming the LED was hard-wired in blah blah same thing, except it turned out it was software controlled by the camera module's firmware.
See then it's not hardwired at all. It is equally vulnerable to a reflash. Apple just did hardware security (i.e. signed firmware) better and also are relying on security through obscurity (its not a publicly available part).
The context from the article the parent comment linked is that Mac webcams made prior to 2008 both had the camera LED controlled in firmware and didn't verify the camera firmware blob when it was downloaded into the camera's RAM. The quote you're replying to simply says that Apple solved these security issues by tying the LED to a hardware signal AND verifying the camera firmware blob. The result is still that there's no way to turn on the webcam without making the LED light up.
AFAIK iOS devices use a tiny firmware on the camera and a larger one on the secure enclave chip.
If you successfully compromise the host OS and also the secure enclave firmware, that might be enough to let you turn on the camera (without vsync) and reconstruct the correct image via later analysis... but at that point you have committed tens of millions to the hack (so you'd better not overuse it or it'll get noticed & patched).
Many complex chips have GPIO signals rather than hardwired outputs. That way you can select any [5-10] of [20-100] functions for each pin. As a result, things that you think should be hardwired are controlled by firmware.
An indicator light hardwired is nice but I apparently can't trust hardware manufacturers to design it properly. My work laptop (HP Dragonfly) has a physical blocker that closes over the camera when I haven't explicitly pressed the button that enables the camera. The blocker is black and white stripes so it's very obvious when it's covering the sensor. This should absolutely be the security standard we all strive for with camera privacy.
On my ThinkPad it’s instead painted with a red dot. Because, obviously, the conventional meaning of a red dot appearing on a camera is “not recording”.
Not just the weird meaning, but on my last Thinkpad the red dot and the slightly red glean of the camera lens look surprisingly like each other. Even worse I managed to get the cover in a position where it looked like it was closed, but the camera could still see.
The Dell Latitude business laptops now have a wired led and wired switch. Besides the white led, there’s no indication which is on or off, and I don’t trust any of the software or firmware chain to be reliable. (score one for macs being transparent and prescient)
For some inexplicable reason Dell has chosen to mark the button as "mute mic" (mic icon + X). So if the LED on the keyboard is lit up, the microphone is off, or rather, the microphone muting is on on. Brilliant design.
Probably the camera “power” is always on as any other microcontroller on the same board, but is only active when called through the control bus or an interrupt, having an LED tied to the power rail would keep it on all the time whenever the lapop is on.
Then tie it to some signal or power rail that only gets enabled when the camera is in use, and that must be enabled for the camera to work, e.g. when there's power to the sensor itself.
I suspect most people don't want it. I can imagine lots of people calling customer service "Q: why doesn't my camera work?", "A: Did you open the cover?"
There's just a valid an argument to do the same for phones. How many phones ship with camera covers and how many users want them?
You can get a stick on camera cover for $5 or less if you want one. I have them on my laptops but not on my phone. They came in packs of 6 so I have several left.
> I can imagine lots of people calling customer service "Q: why doesn't my camera work?", "A: Did you open the cover?"
In some over-engineered world, when the camera cover is engaged the webcam video feed would be replaced by an image of the text "Slide camera cover open" (in the user's language) and an animation showing the user how to do so.
The cover on my laptop's camera is behind the glass. I suppose there is a chance that the slider itself could get damaged, but at least they minimized the exposed surface that could be damaged.
That said, I really can't comment on how durable it is. I only remove the cover about a half dozen times a year.
I had that exact discussion with somebody recently, and it took me a few minutes to realize that their laptop had a physical camera cover that somehow disables camera permissions in windows too. So yeah, happens a ton I would imagine.
For what it's worth, you could just power on the camera, take a pic, then turn it back off instead. Provided you can do this fast enough, an indicator LED is rendered worthless. So you'd need to make the indicator LED staggered, to stay lit for a minimum amount of time.
There's also the scenario where the LED or the connections to it simply fail. If the circuit doesn't account for that, then boom, now your camera can function without the light being on.
Can't think of any other pitfalls, but I'm sure they exist. Personally, I'll just continue using the privacy shutter, as annoying as that is. Too bad it doesn't do anything about the mic input.
I worked on this feature for Apple Macbooks around 2014 as the security architect. All Macbooks since then have a camera indicator LED that is (barring the physical removal of the LED) always on at least 3 seconds. This feature is implemented in gates in the power management controller on the camera sub-board.
There's a LOT of pitfalls still (what if you manage to pull power from the entire camera sub-assembly?), this was a fun one to threat-model.
A minimum light duration seems pretty trivial to physically engineer.
For one the energy to take a picture is probably enough to power a light for a noticeable amount of time.
And if it isn't, a capacitor that absorbs energy and only allows energy through once it's full would allow the light to remain on for a couple of seconds after power subsides.
Wasn't arguing that it's difficult, just that it's needed (and that I'm not expecting it to be done in practice. Because the indicator LED on my laptop doesn't do it either, despite being enterprise grade).
Trust me, I was using it semi-sarcastically too. This thing is slower than my old Pentium 4 would be, yet has a fast enough 30% to 3% battery discharge rate that it would make the speed of light itself blush.
While true, the amount of power would be too low, LEDs also have quite high forward voltage (~3V for blue ones) and they are current driven devices. That suggestion would require pass all the current through the LEDs. LEDs don't like to be reverse biased either. Overall, it's a rather appalling idea. On top of the fact that LEDs can fail short.
More also you'd want a hold up time for the light (few seconds at least), as taking pictures would flash them for 1/60 of a second or so.
I might be out of the loop, but I thought that was only for some machines - I remember the LED being wired that way being a selling point for MacBooks at some point, as a privacy feature. It definitely should be the standard, though!
I can't find it now, but recently I read how one company's design team added this feature to their laptops. A subsequent review by the team responsible for manufacturing found that they could change the circuit to cut down on the part count to save money. The light was still there, but it was no longer hardwired. The company continued to advertise the camera light as being hardwired even though it wasn't.
I stumbled on a forum once where it was just filled with people trying to modify the software for various laptops to disable the "tally lamp" (as it is called). There were people selling the mods and one guy claiming he was selling his cracks to three-letter agencies. The people on there seemed to be using this to extort people (mostly women) by being able to record videos without the owner knowing. Some really dark shit.
Yeah the first day I read about RATers... jesus. The camera LED seemed to be a major thing for them, because if they could bypass it then the chance their RAT would be discovered was much lower.
Really nasty world they've made for themselves, blackmailing, extorting and generally controlling other people (mostly women and girls, but some men too) with threats of releasing compromising material.
In the past I've used microsnitch on macos which tells you when the mic or camera are activated, but macos seems to have support for this baked into the os now. In zoom calls the menu bar shows what is active. If this can be sidestepped and avoided in software, and the camera can be activated without any indicator, I do not know. If direct access can be done, and you don't need to go through some apple api to hit the camera, maybe.
Since some sort of firmware is required, this seems like a "turing tarpit" security exploit from my laymans perspective.
There's no standard that I know, that, like "Secure EFI / Boot" (or whatever exact name it is), locks the API of periphery firmware and that would be able to statically verify that said API doesn't allow for unintended exploits.
That being said: imagination vs reality: the Turing tarpit has to be higher in the chain than the webcam firmware when flashing new firmware via internal USB was the exploit method.
No firmware is required. Macbooks manufactured since 2014 turn on the LED whenever any power is supplied to the camera sensor, and force the LED to remain on for at least 3 seconds.
Thanks for your reply — yourself as the Source can only make me feel flattered then for you responding to me.
> Macbooks manufactured since 2014 turn on the LED whenever any power is supplied to the camera sensor, and force the LED to remain on for at least 3 seconds.
That convinced me originally I think, good old days! I'd almost forgotten about it. The way you phrased it, it sounded like 50% OS concern to me.
But if cam & LED rly share a power supply, and the LED is always on without any external switch, Good then!
I was not very popular with the camera firmware folks for a while. They had to re-architect a bunch of things as they used to occasionally power on the camera logic without powering the sensor array to get information out of the built-in OTP. Because the LED now came on whenever the camera was powered they had to defer all that logic.
Apologies. OTP is One-Time-Programmable. The physical implementation of this varies, in this specific case it was efuses (anti-fuse, actually). It's used for things like calibration data. For a camera it contains information about the sensor (dead pixels, color correction curves, etc.).
We may already have this law. If the manufactures makes claims about this LED, then that this attack is possible mean a lawyer can force them to recall and fix everything.
The idea has been around for quite some time. But it is always dropped.
My guess is that, assuming the most basic and absolute physicial design, the light would flash for silly things like booting, upgrading firmware, checking health or stuff like that.
Flashing is easily fixed with a capacitor and also not a bad thing if it turns off when it loses power immediately. The only explanation that makes sense to me is it being separately controlled is a feature not a bug.
I agree on the capacitor fix for flashing, I pointed it out in another post.
In this case I was referring to false positives to the user.
This would mean we can't update the firmware without causing the user some paranoia.
Also. Would an app requesting permission to use camera itself send some power to the camera to verify it is available? In a similar vein, what about checking if the camera is available before even showing the user the button to use the camera?
Maybe there's solutions to this, I'm just pointing out some reasons they may have gone the software route instead of the hardware route.
That's why many ThinkPads have physical covers over their cameras. You don't even need to worry about whether the LEDs are hardwired - relying on any electronic indicator is already a half-baked security measure. If you want real security, just go with a physical solution.
It could be something very simple, such as requiring less USB hub complexity for a camera that can be woken up via a command on the USB bus instead of needing to connect/disconnect the USB power rails (wired in parallel with the LED) to it.
Somebody here has also mentioned Apple using the camera for brightness and maybe color temperature measurement, for which they wouldn't want to enable the LED (or it would effectively always be on).
That doesn't automatically make that a good tradeoff, of course; I'd appreciate such a construction.
It's probably done to keep it in a low powered state and reduce the initialization delay. Maybe also to prevent the Windows USB plugging sound from playing upon turning the camera on, as it would seem weird to the user ("I don't have any USB devices plugged in...")
Most business class thinkpads have a physical cover in the screen that covers the camera with a piece of plastic.
Led, no led, who cares, plastic is blocking the lens. Move the cover away, say hi on zoom, wave, turn the camera back off, cover on, and stay with audio only, as with most meetings :)
"Add an LED next to the camera, our customers demand it!"
"Job done boss!"
That's it. That's what happens. Nobody ever reviews anything in the general industry. It's extremely rare for anyone to raise a stink internally about anything like this, and if they do, they get shouted down as "That's more expensive" even if it is in every way cheaper, or "We'll have to repeat this work! Are you saying Bob's work was a waste of time and money!?" [1]
[1] Verbatim, shouted responses I've received for making similar comments about fundamentally Wrong things being done with a capital W.
Lawyers after the fact review this. I expect one to start a class action - they will make millions, and everyone else who has this laptop will get $1. The real point is the millions means every other company is on notice that these mistakes hurt the bottom line and so the industry starts to review these things. So long as it doesn't hurt they won't review.
I feel really dirty calling lawyers the good guy here, but ...
Yeah, my understanding is that is how the light on MacBooks works, but I'm not sure about any other makes/models. Obviously, if this is possible that Thinkpad model doesn't do that.
It isn't clear to me that webcam firmware ever powers down a typical camera module. See below for data about how the Sony IMX708 sensor is an I2C device with start and stop streaming commands.
> I thought the whole point of these camera LEDs was to have them wired to/through the power to the camera, so they are always on when the camera is getting power, no matter what.
This definitely happened too on Mac in the past, then they went in damage control mode. Not only had Apple access to turn off the LED while the camera was filming, but there was also a "tiny" company no-one had ever heard off that happened to have the keys allowing to trigger the LED off too. Well "tiny company" / NSA cough cough maybe.
After that they started saying, as someone commented, that it requires a firmware update to turn the LED off.
My laptop has a sticker on its camera since forever and if I'm not mistaken there's a famous picture of the Zuck where he does the same.
I've got bridges to sell to those who believe that the LED has to be on for the camera to be recording.
I can see why some people might be concerned about the camera, but I'm far more concerned by the microphone. There's far more sensitive and actionable information that can be gathered from me that way! I'm glad that macOS started putting a light in the menubar when the microphone is in use, but I'd prefer to have unhackable hardware for that instead.
I believe it is possible to turn a speaker into a microphone. Found a paper which claims to do just that[0]. So, there is no safety anywhere?
SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit
It is possible to manipulate the headphones (or earphones) connected to a computer, silently turning them into a pair of eavesdropping microphones - with software alone. The same is also true for some types of loudspeakers. This paper focuses on this threat in a cyber-security context. We present SPEAKE(a)R, a software that can covertly turn the headphones connected to a PC into a microphone. We present technical background and explain why most of PCs and laptops are susceptible to this type of attack. We examine an attack scenario in which malware can use a computer as an eavesdropping device, even when a microphone is not present, muted, taped, or turned off. We measure the signal quality and the effective distance, and survey the defensive countermeasures.
Even where it works, speakers are much worse microphones that dedicated microphones, and so the amount of data that can be gathered is low. Why bother when you probably have a microphone on the same PC that can capture far more sound?
I think there was a long period where a proper PC would frequently have only the cheap stereo speakers which are small enough to far outperform raw microphone leads. But I'm not sure this works that well in >=HDMI even if some monitor speakers might otherwise be ideal.
Despite this being a 2016 paper, it's worth noting that this is true in general and has been common(ish) knowledge among electrical engineers for decades. Highschoolers and undergrads in electrical engineering classes often discover this independently.
What's notable about this paper is only that they demonstrate it as a practical attack, rather than just a neat fun fact of audio engineering.
As a fun fact, an LED can also be used as a photometer. (You can verify this with just a multimeter, an LED, and a light source.) But I doubt there's any practical attack using a monitor as a photosensor.
Yes! LEDs as photometers is something that you don't really see around much anymore, but it is really cool. Even an LED matrix can be used as a self-illuminating proximity sensor with the right setup.
I recall in the early or mid 2000s using some cheap earbuds plugged into the microphone port of my family computer as a pair of microphones in lieu of having a real microphone nor the money for one. Then I used Audacity to turn the terrible recording into a passable sound effect for the video games I was making.
Not knowing much about how soundcards work, I imagine it would be feasible to flash some soundcards with custom firmware to use the speaker port for input without the user knowing.
Yup it's wild to me how much anxiety there is about cameras while no mind is given to microphones. Conversations are much more privileged than potentially seeing me in my underwear.
That said the most sensitive information is what we already willingly transmit: search queries, interactions, etc. We feed these systems with so much data that they arguably learn things about us that we're not even consciously aware of.
Covering your camera with tape seems like a totally backwards assessment of privacy risk.
Plus one-ing this - I think the external monitor may be the kicker to keeping the mic active. This drives me up the wall when Google Meet decides to just default to the closed Macbook next to me instead of my already connected Air Pods when joining work meetings.
Are you sure it’s the MacBook (T2 or Arm) mic? I imagine you’d sound super muffled if you were trying to use it while closed anyway, so I can’t imagine it’s very usable to yourself?
I just tested this with Voice Memo and can confirm it works at least in that scenario. The recording didn't stop, the mic was just disconnected then reconnected when lid was opened. Using Amphetamine w/ script installed on M1.
The microphone also can't be covered with a $1 plastic camera cover off Amazon. It's so easy to solve the camera issue if you care about it, but there's really nothing you can do about the mic.
I'm not sure if an attacker could get some additional sensitive information from me with access to the microphone or the camera, if they already have full access to my PC (files, screen captures, keylogger). Most things they would be interested in is already there.
If you're half-serious about this sort of opsec, you already have bluetooth disabled. Ideally your hardware wouldn't have support for it at all. Same for wifi.
macOS is a proprietary binary blob, remotely controlled by Apple. So, the light in the menu bar is not a reliable indicator of anything. There is no privacy on macOS, nor any other proprietary system. You can never be 100% sure what the system is doing right now, as can be anything it is capable of. Apple is putting a lot of money to "teach people" otherwise, but that is marketing, not truth.
The root of all trust is eventually some human, or group of humans. See "Reflections on Trusting Trust." At least so far, Apple has convinced me that they are both willing and competent enough to maintain that trust.
Myself, I stopped trusting Apple. There are now too many dark patterns in their software, especially once one stops using their services. And, DRM was re-instantiated, when iTunes started streaming as Apple Music. On top of that, their lies, such as those about the Butterfly keyboards being fixed, cost me a fortune. They fuck up the keyboard design, and then they buy the computer back for 40% of its original price, due to a microscopic scratch nobody else could see. And that happened twice to me. They put a lot of money into advertising themselves as being ethical, but that is only marketing. These, of course, are my personal opinions.
> DRM was re-instantiated, when iTunes started streaming as Apple Music
Purchased music is DRM free. Streaming music was never DRM free, since you arguably do not "own" music that you have not purchased. Though I'm sure record labels would love if they could get DRM back on purchased music again.
> There is no privacy on macOS, nor any other proprietary system.
Nor is there on any free system for which you didn't make every hardware component yourself, as well as audit the executable of the compiler with which you compiled every executable. (You did self-compile everything, hopefully?)
> Nor is there on any free system for which you didn't make every hardware component yourself, as well as audit the executable of the compiler with which you compiled every executable.
If the components follow standards and have multiple independent implementations, you can be reasonable confident it's not backdoored in ways that would require cooperation across the stack. At least you raise the cost bar a lot. Whereas for a vertically integrated system, made by a company headquartered in a jurisdiction with a national security law that permits them to force companies to secretly compromise themselves, the cost of compromise is so low that it would be crazy to think it hasn't been done.
But this is a pretty extremist take. Just because a company doesn't push source code and you can't deterministically have 100% certainty, doesn't mean you can't make any assertions about the software.
To refuse to make any claims about software without source is as principled as it is lazy.
Imagine an engineer brought to a worksite, and they don't have blueprints, can he do no work at all? Ok, good for you, but there's engineers that can.
Yes, I think all devices packed with sensors that live in our homes should be transparent in what they do, that is their code should be available for everyone to see. And yes, it is extremist take, given where we ended up today.
> There is no privacy on macOS, nor any other proprietary system.
Which is to say, every system in actual widespread use. All such CPUs, GPUs, storage devices, displays, etc. run closed microcode and firmware. It'd be funny if it wasn't so profoundly sad.
And even if they didn't, the silicon design is again, closed. And even if it wasn't closed, it's some fab out somewhere that manufactures it into a product for you. What are you gonna do, buy an electron microscope, etch/blast it layer by layer, and inspect it all the way through? You'll have nothing by the end. The synchrotron option isn't exactly compelling either.
Yes, ultimately, I want everything to be open. This is not a bag of rice. These are devices packed with sensors, in our homes. As for inspection, I do not have a problem trusting others. I just do not trust big corporations with remotely controlled binary blobs, no matter how much money they put into the safety and security ads. This is a personal opinion, of course.
For something as compressible as voice, I do not know how you would feel confident that data was not slipping through. Edge transcription models (eg Whisper) are continuing to get better, so it would be possible for malware to send a single bit if a user says a trigger word.
Network traffic monitoring is routinely done at enterprises. It's usually part-automated using the typical approaches (rules and AI), and part-manual (via a dedicated SOC team).
There are actual compromises caught this way too, it's not (entirely) just for show. A high-profile example would be Kaspersky catching a sophisticated data exfiltration campaign at their own headquarters: https://www.youtube.com/watch?v=1f6YyH62jFE
So it is definitely possible, just maybe not how you imagine it being done.
M2 and newer MacBooks have an IMU on-board, which is just a funny way of spelling microphone. Admittedly a very low quality one; I'm not sure if you could pick up understandable speech at the 1.6kHz sample rate Bosch's IMUs seem to support.
Going into full paranoid mode, I wonder if some other sensors / components can be used as a makeshift microphone. For instance, a sufficiently accurate accelerometer can pick up vibrations, right? Maybe even the laser in a CD drive? Anything else?
A condenser microphone is just a capacitor. Your computer is full of them.
They are very low level input and generally need a pre-amp just to get the signal outside the microphone. However conceptually at least they are there and so maybe someone can get it to work.
Well it doesn’t need to be visible to work in contrast to camera. Seriously though, no technological and almost no economic barrier preventing embedding a mic into every wireless communication chip.
On a ThinkPad X1 Carbon Gen 8, it's easily possible record video with the webcam LED off. I did not verify newer generations of the X1 Carbon.
Lenovo put a little physical switch—they call it "ThinkShutter"—that serves to physically obstruct the webcam lens to prevent recording. It's supposed to have only two positions: lens obstructed or not. But if the user accidentally slides it halfway, you can still record video with the lens unobstructed but somehow the webcam LED turns off. It's because the ThinkShutter actually moves 2 pieces of plastic: 1 to cover the lens, 1 to cover the LED. But the piece covering the LED blocks it first, before the other piece of plastic blocks the lens. I discovered this accidentally yesterday while toying with a X1 Carbon... I am reporting it to Lenovo.
I assumed that most if not all of these webcam LEDs are wired in series with the power to the camera itself. Which then makes it impossible to disable them. Who designs this LED to be software addressable?
Assuming Hanlon's razor it's a Chesterton's fence situation you just see a LED that indicates the camera is on. Assuming they ask the question at all they think it's just to remind you your still streaming/in a meeting. Then someone asks any of the following questions:
Can we use it to indicate additional information?
Can we make it standard with the other LEDs?
Can we dim it so it's more pleasant to use at night or make it a customisable colour?
I'm sure plenty of other questions take you down the same path and you've just destroyed one of the LEDs most useful functions.
Hanlon's Razor: Don't attribute to malice what can be attributed to stupidity
Chesterton's Fence (worth googling as it's a nice little parable, or it might be a derivation of the parable,can't quite remember): Can boil it down to: if you don't know what something does assume it serves a purpose until you've figured out what purpose it used to serve. In this case I'm implying these people are playing the part of wanting to change the fence without knowing it's purpose.
In series with the power to the camera would be odd. You would be passing the same amount of current through both the camera and the LED. Unless you meant in parallel, which still leaves the other issue that the camera is likely always powered even when not in use, so the LED would always be on.
I'm not an EE by trade, but I personally wouldn't want to put a CCD in series with an LED with god-knows-what Vf tolerances. Then again, I'd bet that nearly all laptop webcams come as off-the-shelf modules with their own internal regulators for the CCD anyway. So maybe it wouldn't matter.
I'll bet it went something like this: As originally specified, the user need was "LED privacy indicator for the webcam." Product management turns that into two requirements:
1) LED next to webcam.
2) LED turns on and off when webcam turns on and off.
Requirement 1 gets handed to the EEs, and requirement 2 gets handed to the firmware engineers. By the time a firmware engineer gets assigned the job of making the LED turn on and off, the hardware designers are already 1 or 2 board spins in. If the firmware engineer suggested that we revise the board to better fit the intention of the user needs, one of two things will happen:
1) They'll get laughed out of the room for suggesting the EEs and manufacturing teams go through another cycle to change something so trivial.
2) They'll get berated by management because it's "not the engineers' place to make decisions about product requirements."
Of course this is all spitballing. I've definitely never been given a requirement that obviously should have been a hardware requirement. I've definitely never brought up concerns about the need to implement certain privacy and security-critical features in hardware, then been criticized for that suggestion. And I've definitely never, ever written code that existed for the sole purpose of papering over bad product-level decision making.
I'd just add a resistor and stick it + the LED in parallel with the camera module. If it's a white LED and a 1.8V supply, you might not even need the resistor (you should probably still put a 0 ohm link in there though, just in case).
Arguably a much, much bigger problem are the (many) microphones of modern devices.
These usually get neither an LED nor a switch, and unlike cameras can't easily be covered, nor pointed away from potentially sensitive topics/subjects.
And having a microphone in the same chassis as the keyboard would make creating a keylogger easier. A microphone in the same room as the keyboard can be made into a keylogger[1].
At the same time we're at a point where synthesizing your voice is getting more trivial everyday, you need only a few seconds of it and you can be made to say whatever someone wants.
Sure, but that doesn’t mean they learn everything I said: Passwords, personal details etc.
Also, getting a voice sample in the first place gets significantly easier that way: Not everybody publishes video or audio recordings of themselves online.
Which reminds me, to strengthen your point, it doesn't have 100% keystroke recognition, but there are works[1] on keylogging via audio, and 93% via Zoom-quality audio streams is concerning enough for me.
Lots of ThinkPads have «Microphone is muted» LED. Not exactly what's requested (and is bound to a software mute/unmute shortcut), but it's better than nothing regarding state of machine being observable with a quick glance.
That one seems to be software controlled. I'm fairly sure I remember having the mic working with the mute LED lit, which was confusing. That was on a x1 carbon gen9.
For example, I'd not be happy having my voice auto-transcribed by some malware as I authenticate to my bank providing my SSN etc (which as an authentication method is of course horribly insecure, but that's a different discussion).
Of course, this will vary from person to person, but as mentioned above, just being able to mechanically cover a camera when required makes it less of an issue for me.
For what it's worth, my Lenovo laptop has a manuel shutter slider button on the side that actually physically covers the camera (and it must also does something driver wise because windows considers it unplugged). It's so easy and convenient that I always use to off the camera.
Many of lenovo have that even included their gaming laptop line (it's actually even better and more convient on that one, thanks to the larger size available).
Doesn't solve the problem this article talks about, but if that's something that worries you I would still trust that more than most (and it's a lot less weirdo looking than taping your camera).
This exploit picks up audio, too. The shutter helps make sure you're not accidentally sending nudes to North Korea's hacking teams, but audio can still be hijacked unfortunately.
Taping your camera doesn't necessarily look like anything. I have a small piece of electrical tape over my webcam, and it blends in so perfectly with the background that other people probably wouldn't see it unless they were specifically looking for it.
(I personally just leave the tape there all the time, because if I need to videoconference, I’d rather connect my mirrorless camera with a much better lens and sexy bokeh.)
The Electronic Frontier Foundation sells a set of stickers exactly for this purpose [0]. I have a set and it works reasonably well. And it supports a good cause.
Turning off camera LEDs and recording video is an old hack and old news. This is for a specific firmware and computer model and attack surface via USB to update the webcam's firmware, so I am assuming that makes it news?
EDIT: I keep a piece of black electric tape over any of my notebook's webcams.
this is so widespread and simple that i basically don't have any respect for laptop manufacturers who refuse to add a simple webcam shutter onto their laptop designs
what would be even better is PHYSICAL HARDWARE POWER SWITCHES for microphones, speakers, and webcam
this ought to be a manufacturer regulation, no more ridiculousness
In their new upcoming webcam module for Framework they would still cut off the sensor power, but not the USB interface due to usability issues (e.g. in my experience Google Meet can detect the camera after the privacy switch turned on, but Zoom and Microsoft Teams do not)
> Cameras and microphones and write enable must have physical switches, not software ones. When will people learn?
Your preferences are not everybody's. Personally, I'd be totally fine with a camera and microphone LED that is guaranteed to activate whenever there is power/signal flowing from either.
> Me, I unplug the camera and mike when not in use.
That's a bit hard to do on a laptop that has both built in.
> That's a bit hard to do on a laptop that has both built in.
The Framework laptops have two tiny switches near the camera that physically turn off the mic and camera, and it presumably wouldn't be difficult for other manufacturers to follow suit if enough people cared.
Some laptops (I've seen it on a lot of Thinkpads) include a physical cover that can be slid over the webcam when you aren't using it. While that doesn't cut power to the camera or mic, I figure would pretty straightforward for manufacturers to add contacts to the camera cover to use it as a power killswitch instead of just a privacy cover.
I think that's pretty standard outside the Apple ecosystem. HP seem to have this on most (if not all) the laptops I've seen at $DAY_JOB which uses HP for all laptops.
> Cameras and microphones and write enable must have physical switches, not software ones. When will people learn?
I feel like people were pleading for this when people were getting ratted and began taping over their cameras, and the tiny number of laptop manufacturers just ignored what would be a cheap easy change. Eventually, people just accepted that it must be impossible to install a switch. I couldn't ever think of any motivation for a lack of a switch other than government pressure, so I've always assumed that the cameras and microphones are backdoored.
I don't get how "some tape" became the standard solution for these thousand dollar devices.
I am not a hardware engineer or anything of the sort. My laptop has a slide shutter over the webcam, but this obviously does nothing about the microphone. How difficult/error prone would it be for the power signals to the microphone and camera to be individual wires/traces and have a physical switch that breaks the power or data connection physically? Surely these are very low voltage so the switch could be like the iphone mute switch?
My Framework 13 has this - 2 physical switches next to the camera.
I would assume (but haven't checked), that they physically disconnect the camera/mic.
The Framework laptop does this for both microphone and webcam, and there are privacy focused Android phones which also have a microphone switch which cuts the power to the microphone. It's definitely possible.
I'm surprised how much these X230s are still being used. People who love real keyboards love them.
Personally I didn't think Lenovo's later keyboards were too bad. The one on my T490s was wonderful. However since my work moved to the T14s series, the keyboards have become terrible. The key movement range is too low now, and the feel is crap. It's too bad because Lenovo was the last holdout which still had decent keyboards. The T14s is also bad in other ways, the body got thinner but the screen got a lot thicker and heavier so it's actually worse to carry than the T490s.
Anyway, ontopic: I'm not surprised these cam controller firmwares can be hacked. It's very specific to the controller though.
However, most people I know that care about privacy close the cam door anyway, or put a sticker over it. I use the SpyFy. https://spy-fy.com/collections/webcam-covers . Good luck hacking that.
What worries me a lot more is the microphone. It doesn't have a light, and it's really hard to block. A simple sticker won't do much. These things are super sensitive. I can literally hear myself talking in the other room with the right boost settings.
100% agree with you on the keyboards. I had an X220, then a T490, and now I'm on an E16. The keyboard has gotten noticeably worse every time I've upgraded, sacrificing key travel and feel for flatness. It's such a shame - I would happily take a little extra body thickness for a nicer feeling keyboard.
How does the Macbook check the ambient light to determine the screen brightness, does it have a separate ambient light detector buried under the screen somewhere or inside the camera? (if the camera is not used for this I mean which would have been the best thing to do, but would require the camera to grab frames now and then without the LED flashing)
This is well known in the security community, when I was at Bromium around 2011 or 2012 this was shown in internal demos. And the X230 is a very old laptop, hopefully the newer ones have fixed this problem.
Technology connections made a very sarcastic but entertaining video of the "stupid" design of being able to control the camera and the led independently.
Could be useful, if this was 2000s. These days don’t even need to hack the victim. They proudly give it all up via social media. Talk to a person long enough and they will spill every detail about their life. Routine, job, social life, deepest desires.
The top part of a sticky note, found in most offices, works great with having to take off and put back on. Always assume that the company's provided laptop is a RAT with voice and video recording with notice is a norm.
> Always assume that the company's provided laptop is a RAT with voice and video recording with notice is a norm.
I... don't? Depends on the company, but I trust that my company has no override for the hardware based LED light on my Mac, as well as the software based microphone indicator. If they did, I would consider this highly scandalous for apple
The odds of being targeted don't matter in what we're talking about. The fact its possible is what we're talking about. High value targets like zuck being well aware of that fact, and taking steps to guard against it is just icing on the cake.
Another demonstration that duct tape can fix almost everything. Put a little over the webcam and presto, no more malware spying on you through webcam video. Now about something for the microphone?
And arguably if one applies duct tape all over the laptop, the laptop can no longer be used, therefore no data can be input into it, preventing that data to be then exfiltrated by malware. A truly versatile product.
after it can read my keyboard, .ssh files, browser cookie files... i couldn't care much for the camera. and everything you run can already do all that. occlude stuff you npm/cargo/mvn/go/pip/mix install. not to mention those git hooks or build scripts of that project you just downloaded the source in vscode and it's already running all that for your convenience right away.
As other mentioned Apple has had either good circuit design or now 'attestation' (which has other concerns, but that's more of a state actor worry).
That said it reminds me of the fun reversal of how a decade or so ago, Windows Phone 'lost' the ability to get the hot app SnapChat, because they did not want to give apps the ability to 'detect' a screenshot command in the name of privacy. Now, We have Copilot on windows, and LinkedIn tells me when I've screenshotted a post as a notification.
I am so disappointed that there are camera LEDs out there that they aren't hardware connected to the sensor. Especially when there are bio-metric sensors out there that can do a crap-ton of calculation all in-device so no privacy concerns arise. I wonder if any of them are vulnerable to a firmware attack.
Don't even understand why laptops have cameras and microphones. If you're serious about video meetings you'll want an external camera anyway.
I keep covering them up with bits of paper (because like most people, I don't trust LEDs or switches) that look ugly and invariably get blown off by a gust of wind and have to be reapplied when moving.
It just seems like at some point around 2010 some cabal decided that every device with a screen needs to have a camera facing the user and a microphone.
> Don't even understand why laptops have cameras and microphones. If you're serious about video meetings you'll want an external camera anyway.
The whole point of a laptop is to be able to move around and travel with it.
FWIW you can still encounter laptops without webcams (MNT reform comes to my mind) and you can also choose to disable/load/unload the kernel modules for them dynamically on linux distros and BSDs
That would be yet another gadget (with yet another tangly wire) to add to your bag. One of the best things (and one of the worst things, if you're interested in repairability and upgradability) of a laptop is that everything (other than the external power adapter) is built-in.
When those cameras first came out I said that of course the LEDs could be disabled with firmware only, and it was probably a government-mandated requirement to be able to do so, and I was called a conspiracy theorist.
Well who's laughing from within a tinfoil Faraday cage now?
Fantastic, another nothingburger proof of concept for people to point to when arguing in favor of more manufacturer-lockdown-based "security". It's not a coincidence that this demonstration is on one of the last generations of laptops that can actually be secured against Intel themselves.
In reality, remote code execution should be considered game over, end of story. Trying to obfuscate to hide that fact just ends up creating more unknown places for malware to persistently hide. The same knowledge that allows one to write new camera firmware also allows one to verify it on every boot. Meanwhile the camera model that hasn't been publicly documented is an ever-present black box.
> for people to point to when arguing in favor of more manufacturer-lockdown-based "security"
I don't see why this is the first thing you think of, when the infinitely more obvious thing to point out is that the indicator LED should be impossible to address and be connected in series with the power pin of the camera instead. Case in point, most other comments in this very discussion thread.
Conversely, your comment (to me) reads like you're trying to derail conversation and argue in favor of weakening device security in whatever flavor you find compelling. Very intellectually honest of you to present those ideas this way.
Sure, you can solve this one particular thing with fixed hardware [0]. The problem is that just slightly more complex, any designer isn't going to opt for hardcoded logic but rather going to go "we have a microcontroller sitting right here, of course we're going to use it". This path ends with firmware "security" that prevents straightforwardly reading/writing these devices, which is exactly what my comment is about.
> you're trying to derail conversation and argue in favor of weakening device security
No, I'm arguing in favor of analyzing security in terms of device owners rather than manufacturers. "Security" isn't simply some singular property, but is rather in the context of a specific party [1]. It's certainly possible to build hardware that verifies running software and also doesn't privilege the manufacturer with an all-access pass. Just no manufacturers have done it, because centralizing control in their favor is easier.
[0] even this case is borderline. Your series LED suggestion isn't likely to be work because it will drop at least 1.6v, and constrain the current draw of the camera. Also if the firmware can be reprogrammed such that it can take pictures using very low average current draw, you haven't actually solved the problem. Alternatively, an LED in parallel with the power supply will require at least an additional resistor (if not a diode and a capacitor), which costs real money in the eyes of a design engineer working at consumer volumes.
[1] eg how the TSA that drones on about "security", while they're actually making individual travelers less secure from having to unpack and splay their belongings out, making them easy targets for immediate or later theft. They're not talking about your security, they're talking about their operation's security.
I thought the whole point of these camera LEDs was to have them wired to/through the power to the camera, so they are always on when the camera is getting power, no matter what.
Having the LED control exposed through the firmware completely defeats this.
They are hardwired on Macbooks. From Daring Fireball, quoting an email from an Apple engineer.
> All cameras after [2008] were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]
> So, no, I don’t believe that malware could be installed to enable the camera without lighting the LED. My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.
https://daringfireball.net/2019/02/on_covering_webcams
>The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed.
That might make it harder to develop a hack, but one would hope that if the hardware team tied the LED to a hardware signal, it would not matter if the firmware were reflashed.
I believe that it’s not literally hardwired in the sense that powering up the camera also powers up the camera LED, and instead this relies on logic in the hopefully un-flashable camera+LED firmware. Someone correct me if I’m wrong.
You need some logic to enforce things like a minimum LED duration that keeps the LED on for a couple seconds even if the camera is only used to capture one brief frame.
I have a script that takes periodic screenshots of my face for fun and I can confirm the LED stays on even if the camera only captures one quick frame.
A capacitor can hold enough charge to power led for noticable amount of time even if powered for a brief moment, no logic needed
I don't think they would waste a high value capacitor just to keep a led lit for longer, also a led directly lit by a capacitor would be noticeable by slowly dimming when the capacitor discharges. It's more likely that the signal driving the led comes out of a monostable implemented in code: pin_on() drives the led on; pin_off() waits n secs then drives the led off.
This is Apple, so that assertion isn’t guaranteed valid like it would be for non-enterprise HP or Lenovo. They absolutely would invest in a capacitor if that’s what it takes, as they are maximally focused on camera privacy concerns and have made a point of that in their security marketing over time; or else they wouldn’t be allowing hardware security engineers to brag about it, much less talk publicly about it, at all.
EDIT: It’s not just a capacitor, it’s a full custom chip, that can’t be software-modified, that keeps the light on for 3 seconds. https://news.ycombinator.com/item?id=42260379
The trick is to keep using the camera until that capacitor is discharged. I'm pretty sure most cameras can run at voltages below a LED's forward voltage nowadays.
I happen to have some first-hand knowledge around the subject! In 2014 someone did a talk[0] on disabling the camera on some older Macbooks. It was fairly trivial, basically just reflashing the firmware that controlled the LED. I worked on the security team at Apple at the time and in response to this I attempted to do the same for more modern Macbooks. I won't go into the results but the decision was made to re-architect how the LED is turned on. I was the security architect for the feature.
A custom PMIC for what's known as the forehead board was designed that has a voltage source that is ALWAYS on as long as the camera sensor has power at all. It also incorporates a hard (as in, tie-cells) lower limit for PWM duty cycle for the camera LED so you can't PWM an LED down to make it hard to see. (PWM is required because LED brightness is somewhat variable between runs, so they're calibrated to always have uniform brightness.)
On top of this the PMIC has a counter that enforces a minimum on-time for the LED voltage regulator. I believe it was configured to force the LED to stay on for 3 seconds.
This PMIC is powered from the system rail, and no system rail means no power to the main SoC/processor so it's impossible to cut the 3 seconds short by yoinking the power to the entire forehead board.
tl;dr On Macbooks made after 2014, no firmware is involved whatsoever to enforce that the LED comes on when frames could be captured, and no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.
0: https://www.usenix.org/system/files/conference/usenixsecurit...
There seems to be widespread anxiety regarding cameras, but hardly anyone ever talks about microphones. Are conversations not much more privileged information than potentially seeing someone in their underwear?
"All Apple silicon-based Mac notebooks and Intel-based Mac notebooks with the Apple T2 Security Chip feature a hardware disconnect that disables the microphone whenever the lid is closed. On all 13-inch MacBook Pro and MacBook Air notebooks with the T2 chip, all MacBook notebooks with a T2 chip from 2019 or later, and Mac notebooks with Apple silicon, this disconnect is implemented in hardware alone." [1]
[1] https://support.apple.com/guide/security/hardware-microphone...
That's what they said about the first gen Facetime cameras. "oooh don't worry, it's controlled in hardware!"
We have no way of verifying that anything they said in that document is true.
Yes, photos of naked people are used to extort them (usually into just paying the holder to delete them).
https://news.ycombinator.com/item?id=42261730
Depends what your threat model is?
Nobody but Abby and Ben care if Ben is caught admitting hwe cheated on Abby. But naked images of Abby can head off into the ether and be propagated more or less forever, turn up on hate sites, be detrimental to careers etc.
If your threat model is leaking company secrets then sure, microphone bad, as is anything having access to any hardware on your machine.
So sure, maybe people ought to be more concerned about microphones as well, rather than instead.
I'm not arguing a point here, but I'm curious what the actual number of instances exist where someone is naked or in some other extortionate way (accidently of course) potentially exposed from the position of their webcam. I too would be much more concerned about my microphone, where I know one had conversations that in front of or next to my machine that I wouldn't want "out there". In terms of where my camera is, I woukd imagine they would catch me picking my nose every so often but that's about it.
> Nobody but Abby and Ben care if Ben is caught admitting he cheated on Abby.
This isn't true at all, even for private citizens. Your friends, parents, children, and colleagues are all likely to care.
> and no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.
I may be the oddball here, but that 3 second duration does not comfort me. The only time I would notice it is if I am sitting in front of the computer. While someone snapping a photo of me while working is disconcerting, it is not the end of the world. Someone snapping photos while I am away from the screen is more troublesome. (Or it would be if my computer was facing an open space, which it doesn't.)
OK, but then what? Leave the LED on for 24 hours after you've captured a single frame? At that point the LED isn't really indicating camera usage because you'll just get used to seeing it on all the time whether the camera is in use or not.
It's strange that none of these companies will include a closable cover for the camera. I got one aftermarket. It is very reassuring since no hacking or accidental misclicks on my part can move the cover.
I've seen HP desktops that have a closeable camera cover, and Lenovo does on some ThinkPads [1], so probably others do too. Laptops usually have very little depth available in the screen part though, which is why most laptop cameras are crappy (exceptions include Surface Pro and Surface Book, which have more depth available and so much better cameras than most, but no cover - at least their camera light is not software controlled).
[1] https://www.businessinsider.com/lenovo-thinkshutter-laptops-...
I had a closable cover and someone shut my laptop with enough force that the cover caused the screen to break. Be careful when closing.
Thanks, this is the reason I browse Hacker News
Thank you for your work on this! I wish some other large companies took privacy that seriously.
Thanks for posting this interesting tidbit! I find this kind of knowledge absolutely fascinating!
I've seen a million people parroting "oh now apple fixed it!" and not a single person who has actually verified/proved it. Go on, show my any third party security researcher who has verified this claim via examining the actual hardware.
You'll pardon us all if we don't really believe you, because a)there's no way for any of us to verify this and b)Apple lied about it before, claiming the LED was hard-wired in blah blah same thing, except it turned out it was software controlled by the camera module's firmware.
I assume you're not longer working on it, but why not just wire it so that:
- The LED is in parallel, but with the sensor voltage supply, not the chip
- Camera sensor idle voltage = low voltage for the LED (be it with stepping if needed)
- Camera sensor active voltage = high voltage for the LED (again, stepping if needed)
- little capacitor that holds enough charge to run the LED for ~3 seconds after camera goes back to idle voltage.
Good luck hacking that :)
Thank you for doing this.
See then it's not hardwired at all. It is equally vulnerable to a reflash. Apple just did hardware security (i.e. signed firmware) better and also are relying on security through obscurity (its not a publicly available part).
The context from the article the parent comment linked is that Mac webcams made prior to 2008 both had the camera LED controlled in firmware and didn't verify the camera firmware blob when it was downloaded into the camera's RAM. The quote you're replying to simply says that Apple solved these security issues by tying the LED to a hardware signal AND verifying the camera firmware blob. The result is still that there's no way to turn on the webcam without making the LED light up.
AFAIK iOS devices use a tiny firmware on the camera and a larger one on the secure enclave chip.
If you successfully compromise the host OS and also the secure enclave firmware, that might be enough to let you turn on the camera (without vsync) and reconstruct the correct image via later analysis... but at that point you have committed tens of millions to the hack (so you'd better not overuse it or it'll get noticed & patched).
Many complex chips have GPIO signals rather than hardwired outputs. That way you can select any [5-10] of [20-100] functions for each pin. As a result, things that you think should be hardwired are controlled by firmware.
I wonder how quickly it turns on/off as per Gruber’s worry - if you just record a single frame would it even be visible if looking right at it?
Below, axoltl writes:
> no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.
https://news.ycombinator.com/item?id=42260379
> My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.
Maybe enable a pre-charged capacitor to the LED whenever the circuit is activated? A "minimum duty cycle" for the LED might help solve this.
Yeah, the camera needs a physical lid.
An indicator light hardwired is nice but I apparently can't trust hardware manufacturers to design it properly. My work laptop (HP Dragonfly) has a physical blocker that closes over the camera when I haven't explicitly pressed the button that enables the camera. The blocker is black and white stripes so it's very obvious when it's covering the sensor. This should absolutely be the security standard we all strive for with camera privacy.
> The blocker is black and white stripes
On my ThinkPad it’s instead painted with a red dot. Because, obviously, the conventional meaning of a red dot appearing on a camera is “not recording”.
Not just the weird meaning, but on my last Thinkpad the red dot and the slightly red glean of the camera lens look surprisingly like each other. Even worse I managed to get the cover in a position where it looked like it was closed, but the camera could still see.
The Dell Latitude business laptops now have a wired led and wired switch. Besides the white led, there’s no indication which is on or off, and I don’t trust any of the software or firmware chain to be reliable. (score one for macs being transparent and prescient)
For some inexplicable reason Dell has chosen to mark the button as "mute mic" (mic icon + X). So if the LED on the keyboard is lit up, the microphone is off, or rather, the microphone muting is on on. Brilliant design.
Probably the camera “power” is always on as any other microcontroller on the same board, but is only active when called through the control bus or an interrupt, having an LED tied to the power rail would keep it on all the time whenever the lapop is on.
Then tie it to some signal or power rail that only gets enabled when the camera is in use, and that must be enabled for the camera to work, e.g. when there's power to the sensor itself.
Interesting, my work HP Probook does not have that functionality. I wonder why HP chooses to do this only for some laptop lines.
I suspect most people don't want it. I can imagine lots of people calling customer service "Q: why doesn't my camera work?", "A: Did you open the cover?"
There's just a valid an argument to do the same for phones. How many phones ship with camera covers and how many users want them?
You can get a stick on camera cover for $5 or less if you want one. I have them on my laptops but not on my phone. They came in packs of 6 so I have several left.
https://www.google.com/search?q=camera+cover+laptop
> I can imagine lots of people calling customer service "Q: why doesn't my camera work?", "A: Did you open the cover?"
In some over-engineered world, when the camera cover is engaged the webcam video feed would be replaced by an image of the text "Slide camera cover open" (in the user's language) and an animation showing the user how to do so.
This doesn’t seem that wild to me. Zoom already prompts me to unmute my microphone when I cough.
It's also a moving part. Worse, a part the customer moves. Which means more opportunity for crap getting crammed in or breaking.
The cover on my laptop's camera is behind the glass. I suppose there is a chance that the slider itself could get damaged, but at least they minimized the exposed surface that could be damaged.
That said, I really can't comment on how durable it is. I only remove the cover about a half dozen times a year.
i miss android popup cameras.
I had that exact discussion with somebody recently, and it took me a few minutes to realize that their laptop had a physical camera cover that somehow disables camera permissions in windows too. So yeah, happens a ton I would imagine.
Money.
Supporting that theory: my HP EliteBook does have a slide-over cover.
(It could also be contention between thickness of the display vs enterprise customer sensitivity to cameras)
For what it's worth, you could just power on the camera, take a pic, then turn it back off instead. Provided you can do this fast enough, an indicator LED is rendered worthless. So you'd need to make the indicator LED staggered, to stay lit for a minimum amount of time.
There's also the scenario where the LED or the connections to it simply fail. If the circuit doesn't account for that, then boom, now your camera can function without the light being on.
Can't think of any other pitfalls, but I'm sure they exist. Personally, I'll just continue using the privacy shutter, as annoying as that is. Too bad it doesn't do anything about the mic input.
I worked on this feature for Apple Macbooks around 2014 as the security architect. All Macbooks since then have a camera indicator LED that is (barring the physical removal of the LED) always on at least 3 seconds. This feature is implemented in gates in the power management controller on the camera sub-board.
There's a LOT of pitfalls still (what if you manage to pull power from the entire camera sub-assembly?), this was a fun one to threat-model.
A minimum light duration seems pretty trivial to physically engineer.
For one the energy to take a picture is probably enough to power a light for a noticeable amount of time.
And if it isn't, a capacitor that absorbs energy and only allows energy through once it's full would allow the light to remain on for a couple of seconds after power subsides.
Wasn't arguing that it's difficult, just that it's needed (and that I'm not expecting it to be done in practice. Because the indicator LED on my laptop doesn't do it either, despite being enterprise grade).
JIRA is "enterprise grade", I wouldn't place too much faith into that term.
Trust me, I was using it semi-sarcastically too. This thing is slower than my old Pentium 4 would be, yet has a fast enough 30% to 3% battery discharge rate that it would make the speed of light itself blush.
The main culprit is that anyone estimating battery life in percentages. It's about voltage and current draw. The battery voltage can be read directly.
About being slow, I suppose it does run windows and its infamous 'defender'
My 2023 MBP webcam light stays on for nearly 3 seconds after the webcam itself turns off.
Which is part of the design (see comments from the security architect elsewhere in the discussion).
LEDs are diodes. So you can run power _through_ them. Power Supply -> LED -> Camera.
While true, the amount of power would be too low, LEDs also have quite high forward voltage (~3V for blue ones) and they are current driven devices. That suggestion would require pass all the current through the LEDs. LEDs don't like to be reverse biased either. Overall, it's a rather appalling idea. On top of the fact that LEDs can fail short.
More also you'd want a hold up time for the light (few seconds at least), as taking pictures would flash them for 1/60 of a second or so.
I might be out of the loop, but I thought that was only for some machines - I remember the LED being wired that way being a selling point for MacBooks at some point, as a privacy feature. It definitely should be the standard, though!
I can't find it now, but recently I read how one company's design team added this feature to their laptops. A subsequent review by the team responsible for manufacturing found that they could change the circuit to cut down on the part count to save money. The light was still there, but it was no longer hardwired. The company continued to advertise the camera light as being hardwired even though it wasn't.
That fact pattern would setup a solid fraud case against the company and necessitate a recall at a minimum.
I stumbled on a forum once where it was just filled with people trying to modify the software for various laptops to disable the "tally lamp" (as it is called). There were people selling the mods and one guy claiming he was selling his cracks to three-letter agencies. The people on there seemed to be using this to extort people (mostly women) by being able to record videos without the owner knowing. Some really dark shit.
Yeah the first day I read about RATers... jesus. The camera LED seemed to be a major thing for them, because if they could bypass it then the chance their RAT would be discovered was much lower.
Really nasty world they've made for themselves, blackmailing, extorting and generally controlling other people (mostly women and girls, but some men too) with threats of releasing compromising material.
There was a school district that took pictures of the kids at home.
They briefly saw the LED flash.
But it was not on for any length of time and you could miss it.
This stuff should be completely in hardware, and sensible - stay on for a minimum time, and have a hardware cutoff switch.
In the past I've used microsnitch on macos which tells you when the mic or camera are activated, but macos seems to have support for this baked into the os now. In zoom calls the menu bar shows what is active. If this can be sidestepped and avoided in software, and the camera can be activated without any indicator, I do not know. If direct access can be done, and you don't need to go through some apple api to hit the camera, maybe.
edit: looks easily bypassed https://github.com/cormiertyshawn895/RecordingIndicatorUtili...
Using this tool requires disabling SIP, so not "easily bypassed" at least from a malware perspective.
Did it ever snitch on anything interesting?
idk, but maybe you know! it was probably easily bypassed anyway. hardware disconnects are the only thing that can ever be trusted imo
Since some sort of firmware is required, this seems like a "turing tarpit" security exploit from my laymans perspective.
There's no standard that I know, that, like "Secure EFI / Boot" (or whatever exact name it is), locks the API of periphery firmware and that would be able to statically verify that said API doesn't allow for unintended exploits.
That being said: imagination vs reality: the Turing tarpit has to be higher in the chain than the webcam firmware when flashing new firmware via internal USB was the exploit method.
No firmware is required. Macbooks manufactured since 2014 turn on the LED whenever any power is supplied to the camera sensor, and force the LED to remain on for at least 3 seconds.
(Source: I architected the feature)
Thanks for your reply — yourself as the Source can only make me feel flattered then for you responding to me.
> Macbooks manufactured since 2014 turn on the LED whenever any power is supplied to the camera sensor, and force the LED to remain on for at least 3 seconds.
That convinced me originally I think, good old days! I'd almost forgotten about it. The way you phrased it, it sounded like 50% OS concern to me.
But if cam & LED rly share a power supply, and the LED is always on without any external switch, Good then!
I was not very popular with the camera firmware folks for a while. They had to re-architect a bunch of things as they used to occasionally power on the camera logic without powering the sensor array to get information out of the built-in OTP. Because the LED now came on whenever the camera was powered they had to defer all that logic.
What does OTP stand for in this case? The camera PROM??
Apologies. OTP is One-Time-Programmable. The physical implementation of this varies, in this specific case it was efuses (anti-fuse, actually). It's used for things like calibration data. For a camera it contains information about the sensor (dead pixels, color correction curves, etc.).
I'd like a law to this effect.
We may already have this law. If the manufactures makes claims about this LED, then that this attack is possible mean a lawyer can force them to recall and fix everything.
We have to be realistic though. We can't even get a law requiring right to replace a battery on our own iPhones...
We can’t? Then what is this? : https://environment.ec.europa.eu/news/new-law-more-sustainab... ?
Go to https://www.ifixit.com/Device/iPhone, then search for your iPhone's battery replacement guide.
The idea has been around for quite some time. But it is always dropped.
My guess is that, assuming the most basic and absolute physicial design, the light would flash for silly things like booting, upgrading firmware, checking health or stuff like that.
Flashing is easily fixed with a capacitor and also not a bad thing if it turns off when it loses power immediately. The only explanation that makes sense to me is it being separately controlled is a feature not a bug.
I agree on the capacitor fix for flashing, I pointed it out in another post.
In this case I was referring to false positives to the user.
This would mean we can't update the firmware without causing the user some paranoia.
Also. Would an app requesting permission to use camera itself send some power to the camera to verify it is available? In a similar vein, what about checking if the camera is available before even showing the user the button to use the camera?
Maybe there's solutions to this, I'm just pointing out some reasons they may have gone the software route instead of the hardware route.
That's why many ThinkPads have physical covers over their cameras. You don't even need to worry about whether the LEDs are hardwired - relying on any electronic indicator is already a half-baked security measure. If you want real security, just go with a physical solution.
same... i'm also surprised that having a software controlled led would be cheaper ..
It could be something very simple, such as requiring less USB hub complexity for a camera that can be woken up via a command on the USB bus instead of needing to connect/disconnect the USB power rails (wired in parallel with the LED) to it.
Somebody here has also mentioned Apple using the camera for brightness and maybe color temperature measurement, for which they wouldn't want to enable the LED (or it would effectively always be on).
That doesn't automatically make that a good tradeoff, of course; I'd appreciate such a construction.
It's probably done to keep it in a low powered state and reduce the initialization delay. Maybe also to prevent the Windows USB plugging sound from playing upon turning the camera on, as it would seem weird to the user ("I don't have any USB devices plugged in...")
Likely UX over security and privacy.
Most business class thinkpads have a physical cover in the screen that covers the camera with a piece of plastic.
Led, no led, who cares, plastic is blocking the lens. Move the cover away, say hi on zoom, wave, turn the camera back off, cover on, and stay with audio only, as with most meetings :)
Yeah, on Chromebooks and MacBooks the LED is hardwired to ensure it's always on when the camera is enabled.
Sure, for a brand headquartered in Cupertino they might design it that way. But this one is a Beijing brand.
"Add an LED next to the camera, our customers demand it!"
"Job done boss!"
That's it. That's what happens. Nobody ever reviews anything in the general industry. It's extremely rare for anyone to raise a stink internally about anything like this, and if they do, they get shouted down as "That's more expensive" even if it is in every way cheaper, or "We'll have to repeat this work! Are you saying Bob's work was a waste of time and money!?" [1]
[1] Verbatim, shouted responses I've received for making similar comments about fundamentally Wrong things being done with a capital W.
Lawyers after the fact review this. I expect one to start a class action - they will make millions, and everyone else who has this laptop will get $1. The real point is the millions means every other company is on notice that these mistakes hurt the bottom line and so the industry starts to review these things. So long as it doesn't hurt they won't review.
I feel really dirty calling lawyers the good guy here, but ...
What law as been broken by not implementing this feature?
If they promise a feature they don't have that is falwe advertising.
Yeah, my understanding is that is how the light on MacBooks works, but I'm not sure about any other makes/models. Obviously, if this is possible that Thinkpad model doesn't do that.
It isn't clear to me that webcam firmware ever powers down a typical camera module. See below for data about how the Sony IMX708 sensor is an I2C device with start and stop streaming commands.
https://github.com/Hermann-SW/imx708_regs_annotated?tab=read...
It wasn't. Only responsible manufacturers wired them up that way.
> I thought the whole point of these camera LEDs was to have them wired to/through the power to the camera, so they are always on when the camera is getting power, no matter what.
This definitely happened too on Mac in the past, then they went in damage control mode. Not only had Apple access to turn off the LED while the camera was filming, but there was also a "tiny" company no-one had ever heard off that happened to have the keys allowing to trigger the LED off too. Well "tiny company" / NSA cough cough maybe.
After that they started saying, as someone commented, that it requires a firmware update to turn the LED off.
My laptop has a sticker on its camera since forever and if I'm not mistaken there's a famous picture of the Zuck where he does the same.
I've got bridges to sell to those who believe that the LED has to be on for the camera to be recording.
I believe every paragraph of this besides the personal anecdote is completely made up. Care to change my mind?
Only apple does this properly.
I can see why some people might be concerned about the camera, but I'm far more concerned by the microphone. There's far more sensitive and actionable information that can be gathered from me that way! I'm glad that macOS started putting a light in the menubar when the microphone is in use, but I'd prefer to have unhackable hardware for that instead.
I believe it is possible to turn a speaker into a microphone. Found a paper which claims to do just that[0]. So, there is no safety anywhere?
[0] https://arxiv.org/abs/1611.07350This only works on audio chipsets that allow pin retasking. Which is, coincidentally, all Realtek chipsets that are present in every PC...
(you also need to plug the speaker directly, mostly limiting it to headphones and laptop speakers)
Even where it works, speakers are much worse microphones that dedicated microphones, and so the amount of data that can be gathered is low. Why bother when you probably have a microphone on the same PC that can capture far more sound?
I think there was a long period where a proper PC would frequently have only the cheap stereo speakers which are small enough to far outperform raw microphone leads. But I'm not sure this works that well in >=HDMI even if some monitor speakers might otherwise be ideal.
Despite this being a 2016 paper, it's worth noting that this is true in general and has been common(ish) knowledge among electrical engineers for decades. Highschoolers and undergrads in electrical engineering classes often discover this independently.
What's notable about this paper is only that they demonstrate it as a practical attack, rather than just a neat fun fact of audio engineering.
As a fun fact, an LED can also be used as a photometer. (You can verify this with just a multimeter, an LED, and a light source.) But I doubt there's any practical attack using a monitor as a photosensor.
and has been common(ish) knowledge among electrical engineers for decades.
Not only is it common knowledge it's how drive-thru kiosks work!
Source: I used to test microphone/speakers for a kiosk OEM.
Yes! LEDs as photometers is something that you don't really see around much anymore, but it is really cool. Even an LED matrix can be used as a self-illuminating proximity sensor with the right setup.
https://www.youtube.com/watch?v=GaAtpAuNN_o
I recall in the early or mid 2000s using some cheap earbuds plugged into the microphone port of my family computer as a pair of microphones in lieu of having a real microphone nor the money for one. Then I used Audacity to turn the terrible recording into a passable sound effect for the video games I was making.
Not knowing much about how soundcards work, I imagine it would be feasible to flash some soundcards with custom firmware to use the speaker port for input without the user knowing.
This is common at nightclubs (or was) - a DJ can use their headphones as a microphone, speaking into one channel and listening to another
Example https://m.youtube.com/watch?v=1NNP6AFkpjs
:-)
Yup it's wild to me how much anxiety there is about cameras while no mind is given to microphones. Conversations are much more privileged than potentially seeing me in my underwear.
That said the most sensitive information is what we already willingly transmit: search queries, interactions, etc. We feed these systems with so much data that they arguably learn things about us that we're not even consciously aware of.
Covering your camera with tape seems like a totally backwards assessment of privacy risk.
FWIW, modern Macbooks also hardware disable the mic when the lid is closed.
https://support.apple.com/en-ca/guide/security/secbbd20b00b/...
How is that true? I use my macbook mic occasionally with the lid closed, and an external monitor.
Plus one-ing this - I think the external monitor may be the kicker to keeping the mic active. This drives me up the wall when Google Meet decides to just default to the closed Macbook next to me instead of my already connected Air Pods when joining work meetings.
Are you sure it’s the MacBook (T2 or Arm) mic? I imagine you’d sound super muffled if you were trying to use it while closed anyway, so I can’t imagine it’s very usable to yourself?
I just tested this with Voice Memo and can confirm it works at least in that scenario. The recording didn't stop, the mic was just disconnected then reconnected when lid was opened. Using Amphetamine w/ script installed on M1.
Just to point it out, but there’s a native terminal command `caffeinate` that does the same as Amphetamine.
I use the -disu flags
The microphone also can't be covered with a $1 plastic camera cover off Amazon. It's so easy to solve the camera issue if you care about it, but there's really nothing you can do about the mic.
Miclocks are a thing, or any chopped 3.5mm 3 prong plug should do the trick
https://mic-lock.com/products/copy-of-mic-lock-3-5mm-metalli...
This still doesn't stop a program from switching the input from external back to the internal mics though afaik
I'm not sure if an attacker could get some additional sensitive information from me with access to the microphone or the camera, if they already have full access to my PC (files, screen captures, keylogger). Most things they would be interested in is already there.
Hardware switch in line with the microphone. Can’t be turned on behind my back.
Wireless noise-cancelling headphones. Oh no, the microphone is back through bluetooth.
If you're half-serious about this sort of opsec, you already have bluetooth disabled. Ideally your hardware wouldn't have support for it at all. Same for wifi.
macOS is a proprietary binary blob, remotely controlled by Apple. So, the light in the menu bar is not a reliable indicator of anything. There is no privacy on macOS, nor any other proprietary system. You can never be 100% sure what the system is doing right now, as can be anything it is capable of. Apple is putting a lot of money to "teach people" otherwise, but that is marketing, not truth.
The root of all trust is eventually some human, or group of humans. See "Reflections on Trusting Trust." At least so far, Apple has convinced me that they are both willing and competent enough to maintain that trust.
Myself, I stopped trusting Apple. There are now too many dark patterns in their software, especially once one stops using their services. And, DRM was re-instantiated, when iTunes started streaming as Apple Music. On top of that, their lies, such as those about the Butterfly keyboards being fixed, cost me a fortune. They fuck up the keyboard design, and then they buy the computer back for 40% of its original price, due to a microscopic scratch nobody else could see. And that happened twice to me. They put a lot of money into advertising themselves as being ethical, but that is only marketing. These, of course, are my personal opinions.
> DRM was re-instantiated, when iTunes started streaming as Apple Music
Purchased music is DRM free. Streaming music was never DRM free, since you arguably do not "own" music that you have not purchased. Though I'm sure record labels would love if they could get DRM back on purchased music again.
> There is no privacy on macOS, nor any other proprietary system.
Nor is there on any free system for which you didn't make every hardware component yourself, as well as audit the executable of the compiler with which you compiled every executable. (You did self-compile everything, hopefully?)
> Nor is there on any free system for which you didn't make every hardware component yourself, as well as audit the executable of the compiler with which you compiled every executable.
If the components follow standards and have multiple independent implementations, you can be reasonable confident it's not backdoored in ways that would require cooperation across the stack. At least you raise the cost bar a lot. Whereas for a vertically integrated system, made by a company headquartered in a jurisdiction with a national security law that permits them to force companies to secretly compromise themselves, the cost of compromise is so low that it would be crazy to think it hasn't been done.
I get it, free software take, nothing new.
But this is a pretty extremist take. Just because a company doesn't push source code and you can't deterministically have 100% certainty, doesn't mean you can't make any assertions about the software.
To refuse to make any claims about software without source is as principled as it is lazy.
Imagine an engineer brought to a worksite, and they don't have blueprints, can he do no work at all? Ok, good for you, but there's engineers that can.
Yes, I think all devices packed with sensors that live in our homes should be transparent in what they do, that is their code should be available for everyone to see. And yes, it is extremist take, given where we ended up today.
It’s even dumber than that because the people that do assurance work don’t rely solely on source even when it’s available.
Reversing the software is table stakes for assurance work already so suggesting source is a requirement just doesn’t match reality.
> There is no privacy on macOS, nor any other proprietary system.
Which is to say, every system in actual widespread use. All such CPUs, GPUs, storage devices, displays, etc. run closed microcode and firmware. It'd be funny if it wasn't so profoundly sad.
And even if they didn't, the silicon design is again, closed. And even if it wasn't closed, it's some fab out somewhere that manufactures it into a product for you. What are you gonna do, buy an electron microscope, etch/blast it layer by layer, and inspect it all the way through? You'll have nothing by the end. The synchrotron option isn't exactly compelling either.
Yes, ultimately, I want everything to be open. This is not a bag of rice. These are devices packed with sensors, in our homes. As for inspection, I do not have a problem trusting others. I just do not trust big corporations with remotely controlled binary blobs, no matter how much money they put into the safety and security ads. This is a personal opinion, of course.
> As for inspection, I do not have a problem trusting others. I just do not trust big corporations with remotely controlled binary blobs
I'll just highlight this excerpt of your own words for you, and usher you to evaluate whether your position is even internally consistent.
Once malware is installed, the proprietary blobs from my hardware vendor are the least of my concerns. Thus my request for hardware.
You can watch network traffic for data leaving the device. Trust but verify.
For something as compressible as voice, I do not know how you would feel confident that data was not slipping through. Edge transcription models (eg Whisper) are continuing to get better, so it would be possible for malware to send a single bit if a user says a trigger word.
Good luck auditing even just a single day of moderately active web browsing.
It's easier than reading all of the code in Ubuntu.
But still entirely impossible. So does it matter?
Network traffic monitoring is routinely done at enterprises. It's usually part-automated using the typical approaches (rules and AI), and part-manual (via a dedicated SOC team).
There are actual compromises caught this way too, it's not (entirely) just for show. A high-profile example would be Kaspersky catching a sophisticated data exfiltration campaign at their own headquarters: https://www.youtube.com/watch?v=1f6YyH62jFE
So it is definitely possible, just maybe not how you imagine it being done.
Soldering iron to the rescue. Locate the microphone and unsolder it.
I haven't seen any microphone integrated in the processor.
Yet
M2 and newer MacBooks have an IMU on-board, which is just a funny way of spelling microphone. Admittedly a very low quality one; I'm not sure if you could pick up understandable speech at the 1.6kHz sample rate Bosch's IMUs seem to support.
> M2 and newer MacBooks have an IMU on-board
Why?
Going into full paranoid mode, I wonder if some other sensors / components can be used as a makeshift microphone. For instance, a sufficiently accurate accelerometer can pick up vibrations, right? Maybe even the laser in a CD drive? Anything else?
Camera + bag of chips: https://people.csail.mit.edu/mrub/VisualMic/
A condenser microphone is just a capacitor. Your computer is full of them.
They are very low level input and generally need a pre-amp just to get the signal outside the microphone. However conceptually at least they are there and so maybe someone can get it to work.
Well it doesn’t need to be visible to work in contrast to camera. Seriously though, no technological and almost no economic barrier preventing embedding a mic into every wireless communication chip.
Sure, but that requires the manufacturer to be intending to spy, in contrast to someone compromising after the fact.
On a ThinkPad X1 Carbon Gen 8, it's easily possible record video with the webcam LED off. I did not verify newer generations of the X1 Carbon.
Lenovo put a little physical switch—they call it "ThinkShutter"—that serves to physically obstruct the webcam lens to prevent recording. It's supposed to have only two positions: lens obstructed or not. But if the user accidentally slides it halfway, you can still record video with the lens unobstructed but somehow the webcam LED turns off. It's because the ThinkShutter actually moves 2 pieces of plastic: 1 to cover the lens, 1 to cover the LED. But the piece covering the LED blocks it first, before the other piece of plastic blocks the lens. I discovered this accidentally yesterday while toying with a X1 Carbon... I am reporting it to Lenovo.
In Yoga C740 it only blocks the shutter. Covering the LED doesn't make sense to me
I assumed that most if not all of these webcam LEDs are wired in series with the power to the camera itself. Which then makes it impossible to disable them. Who designs this LED to be software addressable?
Assuming Hanlon's razor it's a Chesterton's fence situation you just see a LED that indicates the camera is on. Assuming they ask the question at all they think it's just to remind you your still streaming/in a meeting. Then someone asks any of the following questions:
Can we use it to indicate additional information?
Can we make it standard with the other LEDs?
Can we dim it so it's more pleasant to use at night or make it a customisable colour?
I'm sure plenty of other questions take you down the same path and you've just destroyed one of the LEDs most useful functions.
What do you mean by Hanlon's razor and Chesterton's fence?
Both are common sayings and easily googleable:
Hanlon's Razor: Don't attribute to malice what can be attributed to stupidity
Chesterton's Fence (worth googling as it's a nice little parable, or it might be a derivation of the parable,can't quite remember): Can boil it down to: if you don't know what something does assume it serves a purpose until you've figured out what purpose it used to serve. In this case I'm implying these people are playing the part of wanting to change the fence without knowing it's purpose.
To be fair, from what I can tell ThinkPad X230 is from 2012, which is over a decade ago, and my guess is that this practice was not yet common place.
In series with the power to the camera would be odd. You would be passing the same amount of current through both the camera and the LED. Unless you meant in parallel, which still leaves the other issue that the camera is likely always powered even when not in use, so the LED would always be on.
I'm not an EE by trade, but I personally wouldn't want to put a CCD in series with an LED with god-knows-what Vf tolerances. Then again, I'd bet that nearly all laptop webcams come as off-the-shelf modules with their own internal regulators for the CCD anyway. So maybe it wouldn't matter.
I'll bet it went something like this: As originally specified, the user need was "LED privacy indicator for the webcam." Product management turns that into two requirements:
1) LED next to webcam.
2) LED turns on and off when webcam turns on and off.
Requirement 1 gets handed to the EEs, and requirement 2 gets handed to the firmware engineers. By the time a firmware engineer gets assigned the job of making the LED turn on and off, the hardware designers are already 1 or 2 board spins in. If the firmware engineer suggested that we revise the board to better fit the intention of the user needs, one of two things will happen:
1) They'll get laughed out of the room for suggesting the EEs and manufacturing teams go through another cycle to change something so trivial.
2) They'll get berated by management because it's "not the engineers' place to make decisions about product requirements."
Of course this is all spitballing. I've definitely never been given a requirement that obviously should have been a hardware requirement. I've definitely never brought up concerns about the need to implement certain privacy and security-critical features in hardware, then been criticized for that suggestion. And I've definitely never, ever written code that existed for the sole purpose of papering over bad product-level decision making.
Nope, never. Couldn't be me.
Could you wire it with a relay/transistor?
I'd just add a resistor and stick it + the LED in parallel with the camera module. If it's a white LED and a 1.8V supply, you might not even need the resistor (you should probably still put a 0 ohm link in there though, just in case).
>Who designs this LED to be software addressable?
The very first home made monitoring camera I made with a Raspberry Pi 1 and the camera module you could disable the LED in the config.
So it seems to be an old pattern. Definitely would make the most sense to focus on privacy and make the LED hard wired but here we are.
Does that mean if the LED dies the camera is dead?
You could wire it up either way. In general the LED is extremely likely to outlive the rest of the laptop, though.
Arguably a much, much bigger problem are the (many) microphones of modern devices.
These usually get neither an LED nor a switch, and unlike cameras can't easily be covered, nor pointed away from potentially sensitive topics/subjects.
And having a microphone in the same chassis as the keyboard would make creating a keylogger easier. A microphone in the same room as the keyboard can be made into a keylogger[1].
[1] <https://github.com/shoyo/acoustic-keylogger>
At the same time we're at a point where synthesizing your voice is getting more trivial everyday, you need only a few seconds of it and you can be made to say whatever someone wants.
Sure, but that doesn’t mean they learn everything I said: Passwords, personal details etc.
Also, getting a voice sample in the first place gets significantly easier that way: Not everybody publishes video or audio recordings of themselves online.
> Passwords
Which reminds me, to strengthen your point, it doesn't have 100% keystroke recognition, but there are works[1] on keylogging via audio, and 93% via Zoom-quality audio streams is concerning enough for me.
[1] https://arxiv.org/abs/2308.01074
>These usually get neither an LED nor a switch
Lots of ThinkPads have «Microphone is muted» LED. Not exactly what's requested (and is bound to a software mute/unmute shortcut), but it's better than nothing regarding state of machine being observable with a quick glance.
That one seems to be software controlled. I'm fairly sure I remember having the mic working with the mute LED lit, which was confusing. That was on a x1 carbon gen9.
Correct, its usefulness depends on software working as expected (and not being tampered with)
is enough to turn the LED on without muting the mic.No amount of microphones will ever be a bigger problem than a single compromising photo or video.
Then you're lacking fantasy.
For example, I'd not be happy having my voice auto-transcribed by some malware as I authenticate to my bank providing my SSN etc (which as an authentication method is of course horribly insecure, but that's a different discussion).
Of course, this will vary from person to person, but as mentioned above, just being able to mechanically cover a camera when required makes it less of an issue for me.
I'm with you. I can recover from nudes of me being on the Internet. That night even help me filter out friends that aren't really friends.
If someone drains my accounts, I'm definitely screwed.
I can’t think of much if anything which would be a compromising photo or video from my laptop, but conversations certainly are.
A photo may be merely embarrassing. You could get a lot of immediately useful information hearing my phone calls though.
I am dying for a compromising photo/video leak - I’ll finally be able to convince my wife to start OF channel :)
For what it's worth, my Lenovo laptop has a manuel shutter slider button on the side that actually physically covers the camera (and it must also does something driver wise because windows considers it unplugged). It's so easy and convenient that I always use to off the camera.
Many of lenovo have that even included their gaming laptop line (it's actually even better and more convient on that one, thanks to the larger size available).
Doesn't solve the problem this article talks about, but if that's something that worries you I would still trust that more than most (and it's a lot less weirdo looking than taping your camera).
This exploit picks up audio, too. The shutter helps make sure you're not accidentally sending nudes to North Korea's hacking teams, but audio can still be hijacked unfortunately.
I'm a known exhibitionist. It would damage my reputation if there weren't nudes floating around.
Taping your camera doesn't necessarily look like anything. I have a small piece of electrical tape over my webcam, and it blends in so perfectly with the background that other people probably wouldn't see it unless they were specifically looking for it.
(I personally just leave the tape there all the time, because if I need to videoconference, I’d rather connect my mirrorless camera with a much better lens and sexy bokeh.)
Permanent black marker ink over camera lens. Easier fix
A post-it note works if you don't have a slider.
The Electronic Frontier Foundation sells a set of stickers exactly for this purpose [0]. I have a set and it works reasonably well. And it supports a good cause.
[0] https://shop.eff.org/products/laptop-camera-cover-set-ii
People won't look at you the same way after you do this. And it won't be for the better
It's an extremely common practice in enterprise IT, literally nobody gives a shit.
More effective than trying to get permanent marker ink to block light getting through the lens.
Turning off camera LEDs and recording video is an old hack and old news. This is for a specific firmware and computer model and attack surface via USB to update the webcam's firmware, so I am assuming that makes it news?
EDIT: I keep a piece of black electric tape over any of my notebook's webcams.
Many assume that led indicators are tied to hardware rather than firmware. And this just proves that it is still not always the case.
I wonder why Macs stopped using record LEDS. Seems if they are hardwired into the enable signal of the camera you would have some piece of mind.
this is so widespread and simple that i basically don't have any respect for laptop manufacturers who refuse to add a simple webcam shutter onto their laptop designs
what would be even better is PHYSICAL HARDWARE POWER SWITCHES for microphones, speakers, and webcam
this ought to be a manufacturer regulation, no more ridiculousness
Of course it can.
Cameras and microphones and write enable must have physical switches, not software ones. When will people learn?
Never.
Me, I unplug the camera and mike when not in use.
Agreed. I find so much peace of mind in the microphone / webcam hardware switches of my Framework laptop.
Seeing the webcam actually vanish from the list of devices is very nice. :D
In their new upcoming webcam module for Framework they would still cut off the sensor power, but not the USB interface due to usability issues (e.g. in my experience Google Meet can detect the camera after the privacy switch turned on, but Zoom and Microsoft Teams do not)
https://youtu.be/k6AsIqAmpeQ?t=1021
> Cameras and microphones and write enable must have physical switches, not software ones. When will people learn?
Your preferences are not everybody's. Personally, I'd be totally fine with a camera and microphone LED that is guaranteed to activate whenever there is power/signal flowing from either.
> Me, I unplug the camera and mike when not in use.
That's a bit hard to do on a laptop that has both built in.
> That's a bit hard to do on a laptop that has both built in.
The Framework laptops have two tiny switches near the camera that physically turn off the mic and camera, and it presumably wouldn't be difficult for other manufacturers to follow suit if enough people cared.
Some laptops (I've seen it on a lot of Thinkpads) include a physical cover that can be slid over the webcam when you aren't using it. While that doesn't cut power to the camera or mic, I figure would pretty straightforward for manufacturers to add contacts to the camera cover to use it as a power killswitch instead of just a privacy cover.
I think that's pretty standard outside the Apple ecosystem. HP seem to have this on most (if not all) the laptops I've seen at $DAY_JOB which uses HP for all laptops.
> When will people learn?
Different persons learn this at different times (or never).
But then market dynamics come into play, as well as the current state of the legal code / enforcement.
> Cameras and microphones and write enable must have physical switches, not software ones. When will people learn?
I feel like people were pleading for this when people were getting ratted and began taping over their cameras, and the tiny number of laptop manufacturers just ignored what would be a cheap easy change. Eventually, people just accepted that it must be impossible to install a switch. I couldn't ever think of any motivation for a lack of a switch other than government pressure, so I've always assumed that the cameras and microphones are backdoored.
I don't get how "some tape" became the standard solution for these thousand dollar devices.
I am not a hardware engineer or anything of the sort. My laptop has a slide shutter over the webcam, but this obviously does nothing about the microphone. How difficult/error prone would it be for the power signals to the microphone and camera to be individual wires/traces and have a physical switch that breaks the power or data connection physically? Surely these are very low voltage so the switch could be like the iphone mute switch?
My Framework 13 has this - 2 physical switches next to the camera. I would assume (but haven't checked), that they physically disconnect the camera/mic.
Yes it disconnects power: https://youtu.be/k6AsIqAmpeQ?t=1021
The Framework laptop does this for both microphone and webcam, and there are privacy focused Android phones which also have a microphone switch which cuts the power to the microphone. It's definitely possible.
How else would you do lights out eye tracking for heatmap evaluation??
My laptop just has a little plastic cover you slide over the lens when not in use. Why isn’t this simply more common?
Surprised Apple hasn't implemented it and charged an additional $50 for the feature.
I'm surprised how much these X230s are still being used. People who love real keyboards love them.
Personally I didn't think Lenovo's later keyboards were too bad. The one on my T490s was wonderful. However since my work moved to the T14s series, the keyboards have become terrible. The key movement range is too low now, and the feel is crap. It's too bad because Lenovo was the last holdout which still had decent keyboards. The T14s is also bad in other ways, the body got thinner but the screen got a lot thicker and heavier so it's actually worse to carry than the T490s.
Anyway, ontopic: I'm not surprised these cam controller firmwares can be hacked. It's very specific to the controller though.
However, most people I know that care about privacy close the cam door anyway, or put a sticker over it. I use the SpyFy. https://spy-fy.com/collections/webcam-covers . Good luck hacking that.
What worries me a lot more is the microphone. It doesn't have a light, and it's really hard to block. A simple sticker won't do much. These things are super sensitive. I can literally hear myself talking in the other room with the right boost settings.
Still use my X230.
I swapped its keyboard with an x220 one, which is the thing to do if you are into the older thinkpad KB feel.
100% agree with you on the keyboards. I had an X220, then a T490, and now I'm on an E16. The keyboard has gotten noticeably worse every time I've upgraded, sacrificing key travel and feel for flatness. It's such a shame - I would happily take a little extra body thickness for a nicer feeling keyboard.
How does the Macbook check the ambient light to determine the screen brightness, does it have a separate ambient light detector buried under the screen somewhere or inside the camera? (if the camera is not used for this I mean which would have been the best thing to do, but would require the camera to grab frames now and then without the LED flashing)
In this vein, apps on your phone likely have unrestrained access to the photosensor, and researchers have figured out how to take low-resolution photos with it: https://news.mit.edu/2024/study-smart-devices-ambient-light-...
There is a third little dot near the camera you can see with a flashlight and that's an ambient light sensor.
Macbooks have a dedicated ALS (Ambient Light Sensor). They don't use the camera.
This is well known in the security community, when I was at Bromium around 2011 or 2012 this was shown in internal demos. And the X230 is a very old laptop, hopefully the newer ones have fixed this problem.
Software interlocks considered harmful.
See: Therac-25
Technology connections made a very sarcastic but entertaining video of the "stupid" design of being able to control the camera and the led independently.
https://m.youtube.com/watch?v=m0mMF7GaIR0
Could be useful, if this was 2000s. These days don’t even need to hack the victim. They proudly give it all up via social media. Talk to a person long enough and they will spill every detail about their life. Routine, job, social life, deepest desires.
The top part of a sticky note, found in most offices, works great with having to take off and put back on. Always assume that the company's provided laptop is a RAT with voice and video recording with notice is a norm.
> Always assume that the company's provided laptop is a RAT with voice and video recording with notice is a norm.
I... don't? Depends on the company, but I trust that my company has no override for the hardware based LED light on my Mac, as well as the software based microphone indicator. If they did, I would consider this highly scandalous for apple
If someone has this level of control of my system, pictures of me are my least concern. You can have them. Fuck off away from my bank account tho.
I got a webcam with a built in cover, so that's not an issue for me. Microphones are creepy, however.
There's a reason that zuck has tape over his webcam and a 3.5mm dummy plugged into his combo headphone/mic jack
How would a 3.5mm dummy mic jack prevent software from just changing the input mic source to the built in one?
Yeah but he's also WAAAAYYYYY more likely to be targeted than any of us, I would argue.
The odds of being targeted don't matter in what we're talking about. The fact its possible is what we're talking about. High value targets like zuck being well aware of that fact, and taking steps to guard against it is just icing on the cake.
Ah, but can it remove the painters tape I have across the lens at all times because I read about f*ckery like this?
Another demonstration that duct tape can fix almost everything. Put a little over the webcam and presto, no more malware spying on you through webcam video. Now about something for the microphone?
And arguably if one applies duct tape all over the laptop, the laptop can no longer be used, therefore no data can be input into it, preventing that data to be then exfiltrated by malware. A truly versatile product.
It’s easy enough to disassemble your thinkpad and unplug the mike. Use external mikes if you need them, they will be better quality anyways
Slideable plastic covering tabs on Amazon people. Only a $2 purchase for a pack of 6.
after it can read my keyboard, .ssh files, browser cookie files... i couldn't care much for the camera. and everything you run can already do all that. occlude stuff you npm/cargo/mvn/go/pip/mix install. not to mention those git hooks or build scripts of that project you just downloaded the source in vscode and it's already running all that for your convenience right away.
Is this even news news?
As other mentioned Apple has had either good circuit design or now 'attestation' (which has other concerns, but that's more of a state actor worry).
That said it reminds me of the fun reversal of how a decade or so ago, Windows Phone 'lost' the ability to get the hot app SnapChat, because they did not want to give apps the ability to 'detect' a screenshot command in the name of privacy. Now, We have Copilot on windows, and LinkedIn tells me when I've screenshotted a post as a notification.
my ideapad has a native physical webcam cover. no idea why this isn't universal standard
Eh. If it's not a physical power-disconnect switch, one could imagine it still being able to record audio, which still sucks.
The microphone is usually not part of the camera assembly in modern laptops.
And there is usually more than one. For example, recent Macbooks have three, as far as I know.
Oh, bummer. I definitely had assumed that they were a single "device".
That's how it works on my work-provided HP laptop. The physical switch is only an opaque block on the camera.
Duck tape FTW, sometimes, simple things achieve the best results.
I'd like a laptop without a built in microphone and camera altogether, to be honest.
I am so disappointed that there are camera LEDs out there that they aren't hardware connected to the sensor. Especially when there are bio-metric sensors out there that can do a crap-ton of calculation all in-device so no privacy concerns arise. I wonder if any of them are vulnerable to a firmware attack.
They need to wire the led directly to the wire that powers the camera sensor in parallel, can’t hack physics.
This surprises you how? It's just software controlling hardware. Heck, they can flash that led to music if they wanted.
This has been possible for decades, lots of mischief was done by teenagers using different RAT tools like BackOrfice, SubSeven etc back in the day...
Don't even understand why laptops have cameras and microphones. If you're serious about video meetings you'll want an external camera anyway.
I keep covering them up with bits of paper (because like most people, I don't trust LEDs or switches) that look ugly and invariably get blown off by a gust of wind and have to be reapplied when moving.
It just seems like at some point around 2010 some cabal decided that every device with a screen needs to have a camera facing the user and a microphone.
> Don't even understand why laptops have cameras and microphones. If you're serious about video meetings you'll want an external camera anyway.
The whole point of a laptop is to be able to move around and travel with it.
FWIW you can still encounter laptops without webcams (MNT reform comes to my mind) and you can also choose to disable/load/unload the kernel modules for them dynamically on linux distros and BSDs
HP also allows ordering some of their business laptops without webcams.
I'm not serious about video meetings, but that doesn't mean I never have to take them.
There's lots of people who aren't "serious about video meetings" but still want to be able to do a face-to-face chat with family or whatnot.
So get a $15 USB webcam.
I bought a laptop specifically so I had less objects and wires to carry around.
But you do carry your phone with you right? You can use that as a webcam/mic.
That would be yet another gadget (with yet another tangly wire) to add to your bag. One of the best things (and one of the worst things, if you're interested in repairability and upgradability) of a laptop is that everything (other than the external power adapter) is built-in.
When those cameras first came out I said that of course the LEDs could be disabled with firmware only, and it was probably a government-mandated requirement to be able to do so, and I was called a conspiracy theorist.
Well who's laughing from within a tinfoil Faraday cage now?
Fantastic, another nothingburger proof of concept for people to point to when arguing in favor of more manufacturer-lockdown-based "security". It's not a coincidence that this demonstration is on one of the last generations of laptops that can actually be secured against Intel themselves.
In reality, remote code execution should be considered game over, end of story. Trying to obfuscate to hide that fact just ends up creating more unknown places for malware to persistently hide. The same knowledge that allows one to write new camera firmware also allows one to verify it on every boot. Meanwhile the camera model that hasn't been publicly documented is an ever-present black box.
> for people to point to when arguing in favor of more manufacturer-lockdown-based "security"
I don't see why this is the first thing you think of, when the infinitely more obvious thing to point out is that the indicator LED should be impossible to address and be connected in series with the power pin of the camera instead. Case in point, most other comments in this very discussion thread.
Conversely, your comment (to me) reads like you're trying to derail conversation and argue in favor of weakening device security in whatever flavor you find compelling. Very intellectually honest of you to present those ideas this way.
Sure, you can solve this one particular thing with fixed hardware [0]. The problem is that just slightly more complex, any designer isn't going to opt for hardcoded logic but rather going to go "we have a microcontroller sitting right here, of course we're going to use it". This path ends with firmware "security" that prevents straightforwardly reading/writing these devices, which is exactly what my comment is about.
> you're trying to derail conversation and argue in favor of weakening device security
No, I'm arguing in favor of analyzing security in terms of device owners rather than manufacturers. "Security" isn't simply some singular property, but is rather in the context of a specific party [1]. It's certainly possible to build hardware that verifies running software and also doesn't privilege the manufacturer with an all-access pass. Just no manufacturers have done it, because centralizing control in their favor is easier.
[0] even this case is borderline. Your series LED suggestion isn't likely to be work because it will drop at least 1.6v, and constrain the current draw of the camera. Also if the firmware can be reprogrammed such that it can take pictures using very low average current draw, you haven't actually solved the problem. Alternatively, an LED in parallel with the power supply will require at least an additional resistor (if not a diode and a capacitor), which costs real money in the eyes of a design engineer working at consumer volumes.
[1] eg how the TSA that drones on about "security", while they're actually making individual travelers less secure from having to unpack and splay their belongings out, making them easy targets for immediate or later theft. They're not talking about your security, they're talking about their operation's security.