Malware can turn off webcam LED and record video, demonstrated on ThinkPad X230

2024-11-2720:101042521github.com

Tools for controlling webcam LED on ThinkPad X230. Contribute to xairy/lights-out development by creating an account on GitHub.

Show article

This repository contains tools that allow getting software control of the webcam LED on ThinkPad X230 without physical access to the laptop. These were created as a practical demonstration that malware can record video through the webcam without the LED indication.

This works via reflashing the webcam firmware over USB (the X230 webcam is connected over USB internally) to add a capability of arbitrarily controlling the LED. This approach likely affects many other laptops, as connecting the webcam over USB and allowing to reflash its firmware is a common design pattern across laptop manufacturers.

See the "Lights Out: Covertly turning off the ThinkPad webcam LED indicator" talk (pdf) I gave at POC 2024 for the details: discovering a way to reflash the X230 webcam firmware, reverse engineering the firmware, adding an implant for LED control, and notes about the applicability of the approach to other laptops.

Note: Reflashing the webcam firmware might brick the webcam, use these tools with caution.

The webcam used on ThinkPad X230 (and a few other laptops from the same era) is based on the Ricoh R5U8710 USB camera controller. This controller stores a part of its firmware, the SROM part, on the SPI flash chip located on the webcam board. The controller also allows reflashing the contents of the SPI chip over USB.

The LED on the X230 webcam board is connected to the GPIO B1 pin of the R5U8710 controller. The GPIO B port is mapped to address 0x80 in the XDATA memory space of the 8051-based CPU inside R5U8710. Thus, changing the value at that address changes the state of the LED. This works regardless of whether the webcam is streaming video at the moment or not.

The tools provided in this repository allow flashing custom firmware with a USB-controlled so-called "universal implant" onto the SPI chip on the webcam board. This implant allows writing controlled data to arbitrary addesses (within the XDATA memory space) and calling arbitrary addresses (within the CODE memory space; aliased with XDATA starting from offset 0xb000).

The universal implant can be used for:

Dynamically uploading a second-stage implant within the camera contoller memory and executing it (originally used for reverse engineering purposes);
Directly controlling the webcam LED.

See the talk slides for more details.

srom.py — reads and writes the SROM part of the firmware of a Ricoh R5U8710–based webcam over USB.

Note: The webcam only loads the SROM firmware during its boot. Thus, you will need to power cycle the laptop (full shutdown, not just reboot) for the updated firmware to get loaded;
patch_srom.py — patches the SROM image from the FRU 63Y0248 webcam (not from the original X230 webcam) to add the universal implant.

Note: This tool requires modification to work with the original X230 webcam SROM image. However, the FRU 63Y0248 SROM image (optionally, with the implant added) can be flashed onto the original X230 webcam as well;
fetch.py — fetches the contents of the IRAM, XDATA, or CODE memory space over USB via a second-stage implant that gets dynamically uploaded via the universal implant;
led.py — turns the webcam LED on or off by overwriting the value at address 0x80 in XDATA via the universal implant.

srom/x230.bin — SROM contents of the original X230 webcam module (FRU unknown; 19N1L1NVRA0H marking on the board);
srom/63Y0248.bin — SROM contents of the FRU 63Y0248 webcam module;
code/63Y0248.bin — Contents of the CODE memory space leaked from the FRU 63Y0248 webcam module.

Note: Boot ROM is below the offset 0xb000, and it is identical to the Boot ROM on the original X230 webcam module.

Page 2

You can’t perform that action at this time.

Read the original article

Comments

By sbarre 2024-11-2720:2729 reply

I thought the whole point of these camera LEDs was to have them wired to/through the power to the camera, so they are always on when the camera is getting power, no matter what.

Having the LED control exposed through the firmware completely defeats this.

By 542458 2024-11-2720:549 reply

They are hardwired on Macbooks. From Daring Fireball, quoting an email from an Apple engineer.

> All cameras after [2008] were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]

> So, no, I don’t believe that malware could be installed to enable the camera without lighting the LED. My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.

https://daringfireball.net/2019/02/on_covering_webcams

By nine_k 2024-11-285:057 reply

That's backwards.

The LED should be connected to camera's power, or maybe camera's "enable" signal. It should not be operable via any firmware in any way.

The led also has to be connected through a one-shot trigger (a transistor + a capacitor) so that it would light up, say, for at least 500 ms no matter how short the input pulse is. This would prevent making single shots hard to notice.

Doing that, of course, would incur a few cents more in BOM, and quite a bit more in being paranoid, well, I mean, customer-centric.

By jdblair 2024-11-286:525 reply

or, you can have a physical switch, like the Framework. that also hits your BOM but its not complex!

By alwyn 2024-11-2815:451 reply

My previous HP Envy x360 had such a switch on the side of the laptop that would electronically disconnect the webcam; it would completely disconnect according to the system. Enabling it would show a new device being connected in `dmesg`.

Not a great laptop otherwise, but that was pretty good!

By Vogtinator 2024-11-2819:15

My envy x360 has that button as well and it even puts a physical shutter in front of the webcam in addition to disconnecting USB.

By oneshtein 2024-11-287:295 reply

You can buy/print and stick a physical «webcam cover»[1] manually on your notebook or phone.

My current notebook, manufactured in 2023, has very thin bar on top of screen with camera, so I need a thin, U-like attachment for the switch, which is hard to find.

[1]: https://www.printables.com/model/2479-webcam-cover-slider

By ddalex 2024-11-287:4613 reply

Am I the only one that is not worried at all about the camera and super concerned about microphones ? The camera may see me staring into the screen, woo hoo. The microphones will hear everything I discuss, incl. confidential information.

There is no physical microphone cover there, is it ?

By lukan 2024-11-289:262 reply

Sound is usually more sensitive, yes. But even if there is a physical switch on the laptop, only very exotic smartphones have them.

Also, loudspeakers can act as microphones, too.

In other words, paranoia gets exhausting in modern times.

(And my smartphone has a replacable battery for that reason to at least sometimes enjoy potentially surveillance free time)

By MarcusE1W 2024-11-2810:112 reply

My Pinephone has a switch for the microphone and also my Pinebook Pro laptop. But I also would agree that this is exotic hardware.

By whatevaa 2024-11-2813:082 reply

Well i have Pinebook Pro and it's pretty much abandonware, pine doesn't do any software and OSS lacks maintainers, nobody want's it, e-waste laptop. Take it as you will.

By KetoManx64 2024-11-2819:36

Don't they warn you on the product page that you are buying hardware that is fully reliant on the community for functionality? That's the reason it's so inexpensive

By megous 2024-11-2818:41

Yeah, that's nonsense. Pinebook Pro is well supported by Linux kernel and you can thus put any aarch64 Linux distro on it. And it's been this way for the last 3-4 years at the very least.

I've been using it daily for 3 years for watching movies and main notebook while traveling.

It's not at all abandonware or e-waste.

By lukan 2024-11-2810:342 reply

"But I also would agree that this is exotic hardware."

No shit. How is the current state btw?

I suppose still not ready to be a daily driver to replace my normal phone?

By ri0t 2024-11-2812:52

> I suppose still not ready to be a daily driver to replace my normal phone?

I'd say that depends on your definition of daily driver and/or how much compromises you're willing to take. I occasionally see members at my larger hackerspace running around with those or other seemingly "unfit" hardware and not complain too much about it ;)

By megous 2024-11-2823:23

Kernel is in "maintenance and focussed on upstreaming" mode for a few years already, after getting nearly full HW support about 2-3 years ago.

As for phone feature, reliability of that depends on reliability of firmware of the modem, which was always shaky.

By sharpshadow 2024-11-2818:22

I have an old iPhone 7 which has an audio IC issue and the microphone is physically disconnected. Calls don’t work, video records without sound etc. need to connect an external microphone to have one.

Apart from the inconvenience it was somehow liberating knowing there is no microphone physically active.

By jdblair 2024-11-288:22

The Framework has a physical microphone switch next to the camera switch.

By klausa 2024-11-288:071 reply

Modern (2019-ish? forwards?) MacBooks have physical disconnect for microphones when the lid is shut.

By jack_arleth 2024-11-288:25

Framework laptops have the same solution.

By dghughes 2024-11-2814:504 reply

And the true or not Google or other apps listening then you see ads based on that conversation. I think it's true since far too many times obscure things I've spoken about appear in ads soon after the conversation. So yes I'd say a mic blocking feature you can confirm is working, blocking, is needed.

By karolist 2024-11-2815:36

Recommendation engines work on vast amounts of data they have on you and whatever made you speak about thing X was likely preceded by your internet activity which is not very unique as a precursor to speaking about X. In other words, if other people do Y on the internet and then end up doing stuff related to X, the recommendation engine will show you X just because you also did Y.

The other explanation is one of your contacts who were part of the conversation did things that either directly related to thing X, which you spoke about, or something the algorithm see other people do that relates to X, and you got shown ads based on your affiliation to this person.

I've also worked at FAANG and never seen proof to such claims anywhere in the code, and with the amount of people working there who care about these issues deeply I'd expect this to leak by now, if this happens but is siloed...

By ch4s3 2024-11-2815:082 reply

> I think it's true since far too many times obscure things I've spoken about appear in ads soon after the conversation

People have been making claims like this since at least the early 90s, about TV then, and no one ever credibly claims to have worked on something like this. I've worked with purchased ad data and I've never seen this data or anything that implies that it exists. It seems far more likely that its a trick of memory. You ignore most ads you see, but you remember ones that relate to odd topics that interest you.

By wsintra2022 2024-11-2815:361 reply

I agree with this sentiment, people talk about x product then realise they are seeing ads for x product. Most likely the ads were there first and the people only start talking about it cause the ads have been working.

By ch4s3 2024-11-2816:25

That’s pretty much it. You see an obscure ad without realizing it and have a related conversation later. Then when you see the ad again and make note of it, it feels strange.

By megous 2024-11-2822:271 reply

Yeah, we're well past a point where "phones" have NPUs powerful enough to locally process "sensor" input and produce decontextualized probabilties of potential interests.

It's going to happen sooner or later and people will accept it, just like they accepted training of AI models on copyrighted works without permission, or SaaS, or AWS/PaaS, or sending all their photos to Apple/Google (for "backup").

By ch4s3 2024-11-291:10

I really question the commercial value of that kind of data. Credit card data has a lot more to do with intent to make future purchases than any keyword you might spit out verbally or in a search engine.

By gravitronic 2024-11-2815:39

Reminds me of the chrome bug I filed years ago that is still unfixed. An extension with access to all browsing tabs can open a hidden iframe to a website that commonly would have mic and camera permission (like hangouts.google.com), and then inject its own JavaScript into that hidden iframe to capture mic or camera.

For this to work hangouts.google.com had to not include the HTTP header to block iframing but thankfully if you make up a URL the 404 page served on that domain does not include that http header.

By Qem 2024-11-2816:381 reply

Just a personal anecdote: I don't have a dog, but my grandma has two. Once, while visiting her, the dogs were barking a lot. Almost immediately I started receiving ads for dog food in my cellphone.

By sandywaffles 2024-11-2816:501 reply

It is more likely your GPS placed you in the vicinity (regularly?) with another AD ID that regularly searches for, purchases, or visits dog centric locations. It's also entirely possible that the other AD ID's (your grandma) dog food schedule is predictable and you happen to be visiting within a time frame of dog food purchases.

By Qem 2024-11-2816:591 reply

My grandma never owned a cellphone, only an old landline. And she buys dogfood in the neighborhood mom & pop store.

By xvector 2024-11-2818:131 reply

Well, we know for a fact it wasn't your mic being recorded. Maybe you walked by WiFi networks where people purchase dog food.

By chipsrafferty 2024-12-032:17

Or maybe the mic IS being recorded. We don't know it for a fact until all phone software is open sourced.

By michaelt 2024-11-2812:171 reply

The camera privacy issue arises because teenagers and college kids often have their computer in their bedroom.

So a webcam hack that lets them watch my 16 year old daughter study would also let them watch her sleeping, getting dressed, and making out with her boyfriend.

By pmontra 2024-11-2814:52

It's not only a teenager or college kid issue. I've seen adults with a computer in their bedroom because it's a kind of private space where they don't expect anybody to inadvertently bump into it.

My laptop is in my bedroom in winter, right now, because it's one of the smallest rooms and I can heat it easily. I use it in other parts of the house in the other seasons. I do have a sliding cover on the camera. I bought it years ago. The main issue is the microphone.

By shermantanktop 2024-11-293:49

When I have to do faux-2FA auth using numeric codes sent by text or email, I sometimes catch myself quietly saying the numbers. A microphone would by quite handy for an attacker, even if they couldn’t see all my network traffic.

By camgunz 2024-11-289:323 reply

A picture of you with the subject "I know what you were looking at when I took this picture of you" is pretty good blackmail--I think there's an active campaign doing this even.

By ddalex 2024-11-289:59

This would've been blackmail 20 years ago.... nowadays it's just "of course you know, I shared my OF likes publicly", will not even raise an eyebrow; or perhaps I'm living in too bohemian society circles

By throw16180339 2024-11-2820:11

I received a phishing email from this campaign or a similar one several months ago. The email opened with my name and contained a Google Maps photo of a house where I'd lived 8 years before. The author claimed to have hacked my laptop and captured videos of me doing embarrassing things. They would release the videos unless I paid them $1000 in Bitcoin. I searched and it's an extremely common scam, but I did panic for a few minutes.

By jeltz 2024-11-2813:14

Excellent blackmail against teenagers. Pointless against me as an adult.

By spacemanspiff01 2024-11-289:49

I honestly like the physical switch on the framework, which disconnects the microphone/webcam fully.

By djtango 2024-11-288:36

Yes I really wish we could have a physical switch for device mic

By ykonstant 2024-11-289:191 reply

As someone who often speaks gibberish to myself due to ptsd, if someone recorded me in my room they could convince anyone I am utterly insane, beyond any hope. It is a great way to blackmail people with coprolalia or other verbal tics.

And yeah, if they had access to my webcam, they would just see a guy staring into the screen or walking back and forth in the room.

By chmod775 2024-11-2815:22

Eh, random utterances are more common than you think. Especially amongst older people. Most will know at least a couple family members who tend to mutter random things to themselves.

Nobody who is themselves sane is going to judge another for random crap they say when they think themselves alone.

By ashoeafoot 2024-11-289:582 reply

Your speakers are a microphone ..

By benj111 2024-11-2811:36

I seem to recall reading somewhere that 'everything' is a thermometer, on the basis that many things behave differently at different temperatures.

You can also use an LED as a light sensor.

and I also came across a YT vid of a console that used a piezo electric speaker for motion sensing.

I wonder if you could use a track pad to pick up sound.

By Sporktacular 2024-11-2811:311 reply

Yeah, but they aren't an input device with an amp wired in the right direction and an A/D converter to read it out.

By dfox 2024-11-2814:52

If there is a discrete PA in the speaker path, then not. But I would not be that surprised if there is a single chip codec + PA combination that can conect an internal ADC to pins that are primarily meant as PA outputs of the integrated PA.

By _joel 2024-11-2815:18

Disable it all in the BIOS?

By pmoriarty 2024-11-2816:27

"Am I the only one that is not worried at all about the camera and super concerned about microphones ? The camera may see me staring into the screen, woo hoo. The microphones will hear everything I discuss, incl. confidential information."

All phones are suspect. We should go back to only carrying pagers.

By volkl48 2024-11-2815:351 reply

Just to note: Apple will refuse to cover any screen damage under warranty if one of these sorts of things was in use.

I would not be surprised if the same is true for some other manufacturers, too, but I can only speak definitely to Mac.

The issue is that lids close too closely + tightly now, and so anything more than a piece of tape winds up focusing all the pressure applied to the closed lid on that one spot in the glass, since the cover winds up holding the display slightly off the base of the laptop when in the closed position.

By micahdeath 2024-11-2816:32

i use a piece of tin foil - tiny peanut butter cup wrappy - stays in place lovely

By moregrist 2024-11-2816:12

I find that the sticky part of a post-it works very well for this. Sometimes you have to clean the adhesive part off with 70% IPA, but not too often.

Not as pretty as a custom cover but cost-effective and can generally be done in under a minute with common office supplies (post-it + scissors) which has its own advantages.

By codedokode 2024-11-2815:45

My laptop has built-in physical camera cover, and it doesn't cost even as much as a half MacBook.

By SiVal 2024-11-287:133 reply

Would a bit of Post-It Note (for minimal adhesion) damage the screen coating if left on most of the time? Would even that much thickness stress the screen when opened and closed thousands of times? Is there a better (self-service) material?

By moregrist 2024-11-2816:18

I’ve used one for years on various MacBooks and it’s very effective. The paper is very thin so it causes no real mechanical stress and also opaque, so all the camera sees is a field the color of that paper.

There’s been no damage to the screen from the adhesive although occasionally I’ve had to clean the residual adhesive with 70% IPA, but nothing worse than the typical grime that most laptop monitors pick up.

By pcblues 2024-11-2810:02

Plastic slide covers that stick on are pretty cheap if your laptop doesn't already have one. I also think that the open microphone issue is a greater problem, especially with the current ability of speech-to-text, but what you utter may not be as important as being seen "doing a Toobin" during an online meeting. YMMV :) (I won't expand that acronym!)

By cuu508 2024-11-2810:161 reply

> Would a bit of Post-It Note (for minimal adhesion) damage the screen coating if left on most of the time?

Possible, I have one IPS monitor with a spot on screen where the color is pale. I had a post-it note there and I guess something bad happened when I tore it off.

By grvbck 2024-11-2812:591 reply

I used electrical pvc tape for many years on my macbooks, no damage but I got tired of them leaving glue residue. Switched to post-its about 10 years ago, works perfectly.

I've never tried them on a matte or coated screen though.

By ARandomerDude 2024-11-2815:32

I use painter’s tape for a similar effect.

By goodpoint 2024-11-289:111 reply

This is the right solution. And a hardware switch cost is completely negligible in a $1000 laptop.

By xandrius 2024-11-2813:021 reply

But the margins?

By GTP 2024-11-2814:52

Customers wouldn't care to pay a dollar more on a thousand plus device. This would likely increase the margin instead of shrinking it.

By throw646577 2024-11-287:204 reply

> The LED should be connected to camera's power, or maybe camera's "enable" signal.

Wiring it in like this is suboptimal because this way you might never see the LED light up if a still photo is surreptitiously captured. This has been a problem before: illicit captures that happen so quickly the LED never has time to warm up.

Controlling the LED programmatically from isolated hardware like this is better, because then you can light up the LED for long enough to make it clear to the user something actually happened. Which is what Apple does -- three seconds.

By nine_k 2024-11-287:351 reply

Pray read the third paragraph of my reply :) It specifically mentions a way to make the LED be lit for long enough.

By throw646577 2024-11-288:522 reply

Which is not an adjustable method -- without changing the hardware design later in production to just tweak a delay -- and surely causes the LED to slowly fade out?

By GTP 2024-11-2814:55

Would it be so important to be able to tweak the duration later? And why would it be a problem to have the LED fade out?

By neop1x 2024-11-2914:12

If fade out is such a big problem (which it isn't IMO) there are cheap regulator ICs which can provide constant current.

By rightbyte 2024-11-287:52

You can design a simple circuit such that both long and short pulses light up the led for atleast 500ms. There is no tradeoff needed to be made at all.

By atoav 2024-11-288:211 reply

The mentioned one shot circuit does precisely that, in hardware for less cost and 100% non-overridable.

The only time that isolated hardware approach is benefitial in terms of costs would be when you already have to have that microcontroller there for different reasons and the cost difference we are talking about is in the order of a few cents max.

By throw646577 2024-11-288:531 reply

Well there is a microcontroller there, isn't there? For the camera.

By atoav 2024-11-289:30

But is it isolated? If you can update its Firmware from the computer it isn't.

By kirkules 2024-11-287:34

I mean can't you just have the input signal to the light be a disjunction of signals? So it's on if the camera is on OR if some programmatic signal says turn it on?

I don't see why they should be mutually exclusive

By beAbU 2024-11-288:071 reply

Yet some laptops (Thinkpads ironically) come with a built in camera shutter that's entirely mechanical.

By codedokode 2024-11-2815:46

And they often cost less than a MacBook for which you need to buy an external shutter.

By kazinator 2024-11-2818:47

Even if the LED were controlled by hardware, merely that you can reprogram the camera firmware on this Thinkpad is troubling. Malicious things can be done without the ability to turn off the LED during recording. Like capture images during legitimate recording, or start recording with the LED on banking on the user not noticing.

Firmware programming should require physical access, like temporarily installing a jumper, or pushing some button on the circuit board or something.

(I don't want to suggest signed images, because that's yet another face of the devil).

By Thorrez 2024-11-2818:46

From this comment: https://news.ycombinator.com/item?id=42260379

it sounds like Apple is doing something similar to what you suggest.

By tehwebguy 2024-11-2821:56

If the LED fails the camera should be inoperable too as a security feature

By ComputerGuru 2024-11-2815:234 reply

Cameras are now always on, to reduce the latency to taking a picture or scrubbing video feed. You’d need to wire the led to something tied to the data lines, perhaps.

By vanilla_nut 2024-11-2815:38

Source? This seems extremely unlikely to me, running a camera all the time consumes a fair bit of energy and they don't take long to turn on. Unless that's because they're always on?

Regardless, that's a pretty strong claim. I'd love to learn more if you have a link that can back you up!

By ewoodrich 2024-11-2818:27

My M1 Macbook has some pretty extreme latency going from opening Photobooth black screen -> displayed image. Roughly five seconds to useable image.

  :00 Photobooth window open 
  :03 Camera LED lights up 
  :05 First image displayed

By saagarjha 2024-12-0113:00

That's generally not the case. Keeping the camera on requires power and processing its video stream is resource-intensive.

By gtirloni 2024-11-2815:35

Any links you could share abouy someone confirming this?

By aftbit 2024-11-2721:054 reply

>The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed.

That might make it harder to develop a hack, but one would hope that if the hardware team tied the LED to a hardware signal, it would not matter if the firmware were reflashed.

By varenc 2024-11-2721:114 reply

I believe that it’s not literally hardwired in the sense that powering up the camera also powers up the camera LED, and instead this relies on logic in the hopefully un-flashable camera+LED firmware. Someone correct me if I’m wrong.

You need some logic to enforce things like a minimum LED duration that keeps the LED on for a couple seconds even if the camera is only used to capture one brief frame.

I have a script that takes periodic screenshots of my face for fun and I can confirm the LED stays on even if the camera only captures one quick frame.

By axoltl 2024-11-2722:218 reply

I happen to have some first-hand knowledge around the subject! In 2014 someone did a talk[0] on disabling the camera on some older Macbooks. It was fairly trivial, basically just reflashing the firmware that controlled the LED. I worked on the security team at Apple at the time and in response to this I attempted to do the same for more modern Macbooks. I won't go into the results but the decision was made to re-architect how the LED is turned on. I was the security architect for the feature.

A custom PMIC for what's known as the forehead board was designed that has a voltage source that is ALWAYS on as long as the camera sensor has power at all. It also incorporates a hard (as in, tie-cells) lower limit for PWM duty cycle for the camera LED so you can't PWM an LED down to make it hard to see. (PWM is required because LED brightness is somewhat variable between runs, so they're calibrated to always have uniform brightness.)

On top of this the PMIC has a counter that enforces a minimum on-time for the LED voltage regulator. I believe it was configured to force the LED to stay on for 3 seconds.

This PMIC is powered from the system rail, and no system rail means no power to the main SoC/processor so it's impossible to cut the 3 seconds short by yoinking the power to the entire forehead board.

tl;dr On Macbooks made after 2014, no firmware is involved whatsoever to enforce that the LED comes on when frames could be captured, and no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.

0: https://www.usenix.org/system/files/conference/usenixsecurit...

By ohhnoodont 2024-11-281:324 reply

There seems to be widespread anxiety regarding cameras, but hardly anyone ever talks about microphones. Are conversations not much more privileged information than potentially seeing someone in their underwear?

By jamesmotherway 2024-11-282:222 reply

"All Apple silicon-based Mac notebooks and Intel-based Mac notebooks with the Apple T2 Security Chip feature a hardware disconnect that disables the microphone whenever the lid is closed. On all 13-inch MacBook Pro and MacBook Air notebooks with the T2 chip, all MacBook notebooks with a T2 chip from 2019 or later, and Mac notebooks with Apple silicon, this disconnect is implemented in hardware alone." [1]

[1] https://support.apple.com/guide/security/hardware-microphone...

By KennyBlanken 2024-11-283:242 reply

That's what they said about the first gen Facetime cameras. "oooh don't worry, it's controlled in hardware!"

We have no way of verifying that anything they said in that document is true.

By jamesmotherway 2024-11-2816:58

I'm inclined to believe it. If someone managed to prove Apple's lying about it, there would be serious reputational (and other) risks to their business. I also can't imagine how they would benefit from such a fabrication.

That said, I still use "Nanoblock" webcam covers and monitor for when either the camera or microphone are activated.

By kimixa 2024-11-285:572 reply

It's clear Apple define "Hardware" as "Not using the main CPU". They've pretty much admitted it's firmware based, otherwise the T2 chip simply wouldn't be involved to be mentioned.

By dfox 2024-11-2815:03

It is implemented in dedicated small CPLD that cannot be flashed by any software means. My understanding of relation to T2/SEP is that this CPLD serves as a kind of "IO expander" for T2/SEP which also hardwires logic like this.

By swiftcoder 2024-11-287:21

The T2 chip is mentioned in the quoted passage as an indicator of the architecture version, not necessarily an indicator that the T2 chip is directly involved

By ohhnoodont 2024-11-283:47

Obviously the camera is also 'disabled' when the lid is closed regardless of the controlling circuitry. So while that's a good feature, it's not relevant.

By Nursie 2024-11-282:093 reply

Depends what your threat model is?

Nobody but Abby and Ben care if Ben is caught admitting he cheated on Abby. But naked images of Abby can head off into the ether and be propagated more or less forever, turn up on hate sites, be detrimental to careers etc.

If your threat model is leaking company secrets then sure, microphone bad, as is anything having access to any hardware on your machine.

So sure, maybe people ought to be more concerned about microphones as well, rather than instead.

By ohhnoodont 2024-11-283:591 reply

My point is that the threat model is backwards. The threat associated with a camera is the least severe compared to anything else a malicious person could do with access to your computer. Recored conversations, chats and email, browsing history, etc are all much more likely to result in harm if leaked than a recording of you innocently in your home.

> Nobody but Abby and Ben care if Ben is caught admitting he cheated on Abby.

That destroys families, standing within a community, and very often careers.

By Nursie 2024-11-285:141 reply

I don't think it is backwards, personally. The threat of public humiliation, and the capability for someone to spy on what you do in your own home, is worse with the camera.

> chats and email, browsing history, etc are all much more likely to result in harm if leaked than a recording of you innocently in your home.

This is far less of an intrusion for most people than recording what they are actually doing in their own home IRL. People know that information can be hacked, they don't expect and react quite differently to someone actually watching them.

> That destroys families, standing within a community, and very often careers.

Yes, but it doesn't stay on the internet forever in quite the same way.

Now I get to some extent what you're saying - aren't the consequences potentially worse from other forms of information leak?

Maybe. It depends on how you weight those consequences. I'd put (for example) financial loss due to fraud enabled by hacking my accounts as far less important than someone spying on me in my own home. Even if they didn't use that to then extort me, and were using the footage for ... uh ... personal enjoyment. I think a lot of people will feel the same way. The material consequences might be lesser, but the psychological ones not so much. Not everything is valued in dollars.

By ohhnoodont 2024-11-285:422 reply

I think we may just be bumping into cultural differences here. I grew up in a household were being naked around family members was common. I spend time in clothing-optional spaces. I rarely draw the blinds on my windows, etc. I'm not concerned with what other people think in this way and such images could never be used to extort me. Consider the case of Germany - people there are extremely concerned about their privacy and data protection. At the same time public nudity is an entrenched cultural norm.

It's also known that people are not very good at assessing risk. People are more word about dying at the hands of a serial killer than they are of dying in a car crash or slipping in the shower. I feel you're underplaying the psychological harm of having all of your data crawled through by a creep (that would include all of your photos, sites visited, messages sent, everything).

All I can really say is that if someone gained access to my machine, the camera would be the least of my concerns. That's true in nearly every context (psychological, financial, physical, etc).

By rocqua 2024-11-287:151 reply

Empirically, most low level extortion does seem to be about leaking video. I would see a threat model based on 'criminal wants to extort me for money'. As more reasonable than 'creep wants to look through my computer for creeping'. And it seems like extortion focusses on video, so that is the bigger threat. Even if it is less invasive.

I presume the reason behind this is that video is much more likely to be re-shared. Sending bob a zip of someone's inbox is unlikely to be opened, and even less likely to be shared with strangers. But send bob a video of Alice, and he might open it. Heck, he might not know what the video is until he opens it. So even if he is decent, he might still see it. And if he is less decent and shares it, strangers are much more likely to actually view it.

By Thorrez 2024-11-2818:55

I think extortion in the form of "I've encrypted your data, pay to get it back" is much more common. Ransomware. It's scalable, automatable. Extortion of video is harder to automate.

By Nursie 2024-11-287:081 reply

I think, though am prepared to be wrong, that you'll probably find yourself in the minority there.

It's not just about nudity and extortion, but someone having access to watch you, whenever they feel like, in your safe space. That sense of violation that people also feel when (for instance) they have been the victim of burglary - the missing stuff is often secondary to the ruined sense of security. There's a vast difference between leaving your curtains open and having someone spying on you from inside your own home.

Is it rational to put this above other concerns? That's a whole different debate and not one I'm particularly interested in. But it explains why people are concerned about cameras over 'mere' data intrusion.

By hunter-gatherer 2024-11-283:001 reply

I'm not arguing a point here, but I'm curious what the actual number of instances exist where someone is naked or in some other extortionate way (accidently of course) potentially exposed from the position of their webcam. I too would be much more concerned about my microphone, where I know one had conversations that in front of or next to my machine that I wouldn't want "out there". In terms of where my camera is, I woukd imagine they would catch me picking my nose every so often but that's about it.

By rocqua 2024-11-287:17

People watch porn on their laptops. Even just your orgasm face would be embarrassing for most people.

By joeblubaugh 2024-11-283:011 reply

> Nobody but Abby and Ben care if Ben is caught admitting he cheated on Abby.

This isn't true at all, even for private citizens. Your friends, parents, children, and colleagues are all likely to care.

By Nursie 2024-11-283:46

It's very limited, it's certainly not going to be passed around like naked pictures could be.

By qingcharles 2024-11-282:131 reply

Yes, photos of naked people are used to extort them (usually into just paying the holder to delete them).

https://news.ycombinator.com/item?id=42261730

By ohhnoodont 2024-11-283:501 reply

This raises a different but related question. In what world should a victim of a crime be extorted for doing innocent things in their home. If a peeping tom took a photo though a window, could that be used to extort someone?

When people are extorted for these kinds of things it's usually catfishing that leads to sexual acts being recorded. That's not related to cybersecurity.

By pfix 2024-11-287:14

Fear of harrasment. You don't want your coworkers see you naked, do you?

edit: s/baked/naked/ :D

By sneak 2024-11-287:38

They are, but people aren’t scared of those because they can’t see them staring at them.

By II2II 2024-11-282:223 reply

> and no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.

I may be the oddball here, but that 3 second duration does not comfort me. The only time I would notice it is if I am sitting in front of the computer. While someone snapping a photo of me while working is disconcerting, it is not the end of the world. Someone snapping photos while I am away from the screen is more troublesome. (Or it would be if my computer was facing an open space, which it doesn't.)

By axoltl 2024-11-284:09

Right, so this is all defense in depth. That LED is sort of the last line of defense if all others have failed, like:

The exploit mitigations to prevent you from getting an initial foothold.

The sandboxing preventing you from going from a low-privileged to a privileged process.

The permissions model preventing unauthorized camera access in the first place.

The kernel hardening to stop you from poking at the co-processor registers.

etc. etc.

If all those things have failed, the last thing to at least give you a chance of noticing the compromise, that's that LED. And that's why it stays on for 3 seconds, all to increase the chances of you noticing something is off. But things had to have gone pretty sideways before that particular hail-mary kicks in.

By jstanley 2024-11-282:341 reply

OK, but then what? Leave the LED on for 24 hours after you've captured a single frame? At that point the LED isn't really indicating camera usage because you'll just get used to seeing it on all the time whether the camera is in use or not.

By II2II 2024-11-2914:06

A ranfom thought, that probably won't cover all cases: a second LED or a colour LED. One LED/colour indicates the camera is active, the second can be on for a longer period of time (and perhaps dim as time goes on). I prefer the second LED option since it is better for us colourblind folks, though I suspect there would be more resistance to the idea.

And, of course, covers are an option.

By tehjoker 2024-11-282:466 reply

It's strange that none of these companies will include a closable cover for the camera. I got one aftermarket. It is very reassuring since no hacking or accidental misclicks on my part can move the cover.

By mkl 2024-11-283:22

I've seen HP desktops that have a closeable camera cover, and Lenovo does on some ThinkPads [1], so probably others do too. Laptops usually have very little depth available in the screen part though, which is why most laptop cameras are crappy (exceptions include Surface Pro and Surface Book, which have more depth available and so much better cameras than most, but no cover - at least their camera light is not software controlled).

[1] https://www.businessinsider.com/lenovo-thinkshutter-laptops-...

By quacksilver 2024-11-2814:00

Higher end Lenovos and Dell Latitude / Precision tend to. Was one reason why I went for a Latitude 74XX rather than a 54XX or 34XX when looking at them last time.

By sunnybeetroot 2024-11-283:202 reply

I had a closable cover and someone shut my laptop with enough force that the cover caused the screen to break. Be careful when closing.

By zlsa 2024-11-2820:55

Was it a built-in camera cover, or a third-party one? Apple specifically (and possibly other manufacturers?) recommends against third-party covers because the tolerance is so close:

https://support.apple.com/en-us/102177

By II2II 2024-11-2813:25

Sure, that is going.to be true for anything with moving pats. Yet I would also imagine that design and materials are a factor here. Let's face it, these covers aren't exactly common on laptops. There is probably a lack of good design practices for them.

By nanomonkey 2024-11-286:44

I also purchased a cover for mine, although in a pinch, the removable stickers on fruit work well.

By whartung 2024-11-284:221 reply

I have a sticky piece of post it note more or less permanently affixed over my camera.

By throwaway2037 2024-11-286:54

I can remember when someone spotted tape over Zuckerberg's laptop camera. Ref: https://www.theverge.com/2016/6/21/11995032/mark-zuckerberg-...

By cozzyd 2024-11-285:33

My Thinkpad does.

By rubatuga 2024-11-2722:59

Thanks, this is the reason I browse Hacker News

By PicardsFlute 2024-11-2723:14

Thanks for posting this interesting tidbit! I find this kind of knowledge absolutely fascinating!

By int_19h 2024-11-282:59

Thank you for your work on this! I wish some other large companies took privacy that seriously.

By Mistletoe 2024-11-2722:50

Thank you for doing this.

By jorvi 2024-11-282:242 reply

I assume you're not longer working on it, but why not just wire it so that:

- The LED is in parallel, but with the sensor voltage supply, not the chip

- Camera sensor idle voltage = low voltage for the LED (be it with stepping if needed)

- Camera sensor active voltage = high voltage for the LED (again, stepping if needed)

- little capacitor that holds enough charge to run the LED for ~3 seconds after camera goes back to idle voltage.

Good luck hacking that :)

By axoltl 2024-11-284:361 reply

That's basically how this works, but manufacturing electronics at a massive scale requires some more flexibility. For example, capacitors have a pretty large tolerance (sometimes +/- 20%) and LEDs have quite a bit of variety in what voltages they'll work at. So for some people the LEDs might last 3 seconds, for some they might last 5s. Using a capacitor also means the LEDs will fade slowly instead of just turning off sharply.

If the LEDs come from a different supplier one day, who is going to make sure they're still within the spec for staying on for 3 seconds?

(And yes, I have long since parted ways with Apple)

Edit:

And to add on: That capacitor needs time to charge so now the LED doesn't actually come on when the sensor comes on, it's slightly delayed!

By jorvi 2024-11-2813:18

Thank you for the clarifications. Armchair (well, workbench) engineering strikes again haha!

By shiroiushi 2024-11-287:09

You can't drive an LED that way in production electronics: you need to use an LED driver circuit of some kind to ensure the LED has constant current, and also to protect against failure modes. Also, a capacitor large enough to power a daylight-visible LED for 3 seconds is not as "little" as you're thinking; there's likely not enough space in a laptop lid for one of those. A driver circuit would be smaller and thinner.

Agreed, however, that the LED should be controlled by the camera sensor idle vs. active voltage.

By KennyBlanken 2024-11-283:152 reply

I've seen a million people parroting "oh now apple fixed it!" and not a single person who has actually verified/proved it. Go on, show my any third party security researcher who has verified this claim via examining the actual hardware.

You'll pardon us all if we don't really believe you, because a)there's no way for any of us to verify this and b)Apple lied about it before, claiming the LED was hard-wired in blah blah same thing, except it turned out it was software controlled by the camera module's firmware.

By axoltl 2024-11-284:28

I'd love for a third party to verify the claim! I'm just giving you an overview of the work that went into making this a thing, knowing full well you have absolutely no reason to trust me.

The LED being "hard-wired" is a tricky statement to make, and I actually wasn't aware Apple has publicly ever made a statement to that effect. What I can say is that relying on the dedicated LED or "sensor array active" signal some camera sensors provide, while technically hard-wired in the sense there is no firmware driving it, is not foolproof.

By trogdor 2024-11-283:58

> Apple lied about it before, claiming the LED was hard-wired in blah blah same thing, except it turned out it was software controlled by the camera module's firmware.

Source?

By MaxikCZ 2024-11-2721:163 reply

A capacitor can hold enough charge to power led for noticable amount of time even if powered for a brief moment, no logic needed

By squarefoot 2024-11-2723:102 reply

I don't think they would waste a high value capacitor just to keep a led lit for longer, also a led directly lit by a capacitor would be noticeable by slowly dimming when the capacitor discharges. It's more likely that the signal driving the led comes out of a monostable implemented in code: pin_on() drives the led on; pin_off() waits n secs then drives the led off.

By altairprime 2024-11-282:12

This is Apple, so that assertion isn’t guaranteed valid like it would be for non-enterprise HP or Lenovo. They absolutely would invest in a capacitor if that’s what it takes, as they are maximally focused on camera privacy concerns and have made a point of that in their security marketing over time; or else they wouldn’t be allowing hardware security engineers to brag about it, much less talk publicly about it, at all.

EDIT: It’s not just a capacitor, it’s a full custom chip, that can’t be software-modified, that keeps the light on for 3 seconds. https://news.ycombinator.com/item?id=42260379

By HeyLaughingBoy 2024-11-283:341 reply

Logic on an already existing ASIC is going to be cheaper than a capacitor.

By MrDrMcCoy 2024-11-287:281 reply

This is counter-intuitive enough to warrant further explanation.

By ale42 2024-11-2811:04

If you are designing an ASIC for the camera, you can include all the required logic gates to control the LED for a cost that is close to zero. It wouldn't impact the production cost of the ASIC, whereas a capacitor is an additional item in the BOM (and to be charged it requires current, more than the LED, so the driver in the IC must be bigger).

By RA2lover 2024-11-2721:39

The trick is to keep using the camera until that capacitor is discharged. I'm pretty sure most cameras can run at voltages below a LED's forward voltage nowadays.

By throwaway984393 2024-11-2721:26

[dead]

By aftbit 2024-11-2721:301 reply

See then it's not hardwired at all. It is equally vulnerable to a reflash. Apple just did hardware security (i.e. signed firmware) better and also are relying on security through obscurity (its not a publicly available part).

By ndiddy 2024-11-2721:37

The context from the article the parent comment linked is that Mac webcams made prior to 2008 both had the camera LED controlled in firmware and didn't verify the camera firmware blob when it was downloaded into the camera's RAM. The quote you're replying to simply says that Apple solved these security issues by tying the LED to a hardware signal AND verifying the camera firmware blob. The result is still that there's no way to turn on the webcam without making the LED light up.

By danielheath 2024-11-2722:22

AFAIK iOS devices use a tiny firmware on the camera and a larger one on the secure enclave chip.

If you successfully compromise the host OS and also the secure enclave firmware, that might be enough to let you turn on the camera (without vsync) and reconstruct the correct image via later analysis... but at that point you have committed tens of millions to the hack (so you'd better not overuse it or it'll get noticed & patched).

By pclmulqdq 2024-11-2723:13

Many complex chips have GPIO signals rather than hardwired outputs. That way you can select any [5-10] of [20-100] functions for each pin. As a result, things that you think should be hardwired are controlled by firmware.

By izacus 2024-11-2813:442 reply

Yep, and Apple changed that after some schools were spying on their students through software that could enable cameras on MacBooks without the light: https://en.wikipedia.org/wiki/Robbins_v._Lower_Merion_School...

By TheKarateKid 2024-11-300:10

I've also read of exploits which found ways to burn out the Macbook LED light by somehow messing with the power being supplied to the webcam without damaging the camera. Thus afterward, the LED light no longer powers on when in use but the camera still works.

By saagarjha 2024-12-0113:05

Your Wikipedia article disagrees with the claim that it could disable the light.

By jonplackett 2024-11-2722:061 reply

I wonder how quickly it turns on/off as per Gruber’s worry - if you just record a single frame would it even be visible if looking right at it?

By Tempest1981 2024-11-2722:291 reply

Below, axoltl writes:

> no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.

https://news.ycombinator.com/item?id=42260379

By jonplackett 2024-11-2812:27

That is quite clever! Thanks

By makeitdouble 2024-11-283:431 reply

While Apple made a laudable effort in this design, sadly it requires thoughtful care and design at every iteration. Typically the iPhone team couldn't pull it off and the only official claim is for macbooks.

I think it's simpler to assume that most devices can be hacked and the LED indicator isn't infailable than to always keep in mind which device lines are supposed to be safe and which ones aren't.

By danieldk 2024-11-286:581 reply

Apparently it was purely in software on iPhone/iPad. However, starting with the iPhone 16 and M4 iPad Pro, the LED indicator is rendered by a separate secure exclave:

https://www.tomsguide.com/phones/iphones/iphone-16s-a18-chip...

https://mastodon.social/@_inside/112552696723119626

By saagarjha 2024-12-0113:06

That is purely in software.

By dkga 2024-11-285:53

Do you know if the same occurs in iPhones? That was always my assumption, but seeing a Mac-only response makes me wonder if it is addressing a Mac/only question or if it’s applicable only to Macs.

By accrual 2024-11-282:02

> My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.

Maybe enable a pre-charged capacitor to the LED whenever the circuit is activated? A "minimum duty cycle" for the LED might help solve this.

By wseqyrku 2024-11-2721:50

Yeah, the camera needs a physical lid.

By Anna3321AQ 2024-11-2814:55

[dead]

By connicpu 2024-11-2721:074 reply

An indicator light hardwired is nice but I apparently can't trust hardware manufacturers to design it properly. My work laptop (HP Dragonfly) has a physical blocker that closes over the camera when I haven't explicitly pressed the button that enables the camera. The blocker is black and white stripes so it's very obvious when it's covering the sensor. This should absolutely be the security standard we all strive for with camera privacy.

By aendruk 2024-11-280:155 reply

> The blocker is black and white stripes

On my ThinkPad it’s instead painted with a red dot. Because, obviously, the conventional meaning of a red dot appearing on a camera is “not recording”.

By BuildTheRobots 2024-11-282:29

Not just the weird meaning, but on my last Thinkpad the red dot and the slightly red glean of the camera lens look surprisingly like each other. Even worse I managed to get the cover in a position where it looked like it was closed, but the camera could still see.

By j1elo 2024-11-2812:17

I just looked up to my "Lenovo Performance" webcam and saw its red dot [1] looking at me... some product designers have a worrying lack of awareness about de-facto standards and user expectations affecting the UX.

[1]: https://imgur.com/Kowt8WJ

By d1sxeyes 2024-11-288:10

Same on my Dell Latitude. Seems a very odd design decision. They've also centrally aligned the switch so that it's not immediately obvious from the switch position whether the cover is iver the lens or not. Super annoying.

By FridayoLeary 2024-11-2811:02

To be fair a red dot is a design feature of lenovo. So at least it fits in nicely with the overall look of the laptop.

By darig 2024-11-282:09

[dead]

By dole 2024-11-2723:073 reply

The Dell Latitude business laptops now have a wired led and wired switch. Besides the white led, there’s no indication which is on or off, and I don’t trust any of the software or firmware chain to be reliable. (score one for macs being transparent and prescient)

By shiroiushi 2024-11-287:15

Dell should go back to the basic design of the Latitude E6400, but with modern electronics and screen of course, and drop the optical drive. The keyboard on that laptop was fantastic, and the single captive screw on the back panel was great for serviceability.

By jorvi 2024-11-282:14

For some inexplicable reason Dell has chosen to mark the button as "mute mic" (mic icon + X). So if the LED on the keyboard is lit up, the microphone is off, or rather, the microphone muting is on on. Brilliant design.

By gregmac 2024-11-2818:27

Yeah, the physical barrier is key. It's not that hard, and provides absolute certainty. As indicated by this thread, software experts (rightly) don't trust software by itself enough. It's by the same rationale software people are proponents of electronic voting machines printing physical, verifiable paper copies of votes.

My Latitude 7440 has a physical slider switch that covers the camera, in addition to turning it off in a software-detectable way (it shows "no signal" and not just a black screen once the slider is about 50% covering the lens). My only criticism of this is that it's subtle and at a glance hard to tell the difference between open and closed, but I guess you just get used to the slider being to the right.

I was just testing and the white LED comes on when I open something that wants to use the camera, even when the cover is closed. This seems like a useful way to detect something (eg malware) trying to use the camera, and is a good reason to not bluntly cut power to the entire camera module.

By neuralRiot 2024-11-2721:481 reply

Probably the camera “power” is always on as any other microcontroller on the same board, but is only active when called through the control bus or an interrupt, having an LED tied to the power rail would keep it on all the time whenever the lapop is on.

By grishka 2024-11-280:54

Then tie it to some signal or power rail that only gets enabled when the camera is in use, and that must be enabled for the camera to work, e.g. when there's power to the sensor itself.

By kiwijamo 2024-11-2721:152 reply

Interesting, my work HP Probook does not have that functionality. I wonder why HP chooses to do this only for some laptop lines.

By nox101 2024-11-2721:404 reply

I suspect most people don't want it. I can imagine lots of people calling customer service "Q: why doesn't my camera work?", "A: Did you open the cover?"

There's just a valid an argument to do the same for phones. How many phones ship with camera covers and how many users want them?

You can get a stick on camera cover for $5 or less if you want one. I have them on my laptops but not on my phone. They came in packs of 6 so I have several left.

https://www.google.com/search?q=camera+cover+laptop

By netsharc 2024-11-2722:162 reply

> I can imagine lots of people calling customer service "Q: why doesn't my camera work?", "A: Did you open the cover?"

In some over-engineered world, when the camera cover is engaged the webcam video feed would be replaced by an image of the text "Slide camera cover open" (in the user's language) and an animation showing the user how to do so.

By nrp 2024-11-285:262 reply

We have that on the most recent generation of Framework Laptop. When the hardware privacy switch is engaged, the image sensor is electrically powered off and the camera controller feeds a dummy frame with an illustration of the switch.

By dvergeylen 2024-11-288:50

Happy Framework customer here, I just wanted to say thank you for all your efforts on privacy.

By vaylian 2024-11-286:321 reply

Is there a video or some images of this somewhere? I would love to see a demonstration.

By netsharc 2024-11-289:231 reply

I looked it up on YouTube

https://www.youtube.com/watch?v=k6AsIqAmpeQ&t=1145s

And adding 2+2, the man being interviewed (Nirav Patel) is the same man who replied to my comment (HN user nrp), i.e. the man who actually did the overengineering.

If you rewind to 17:03, he talks about the changes of what the switch does (previously: USB disconnection, now: as he described in grandparent comment).

By nrp 2024-11-2818:32

Our engineering team did the engineering!

By longdustytrail 2024-11-281:09

This doesn’t seem that wild to me. Zoom already prompts me to unmute my microphone when I cough.

By JumpCrisscross 2024-11-2722:561 reply

It's also a moving part. Worse, a part the customer moves. Which means more opportunity for crap getting crammed in or breaking.

By II2II 2024-11-282:10

The cover on my laptop's camera is behind the glass. I suppose there is a chance that the slider itself could get damaged, but at least they minimized the exposed surface that could be damaged.

That said, I really can't comment on how durable it is. I only remove the cover about a half dozen times a year.

By moffkalast 2024-11-2721:46

I had that exact discussion with somebody recently, and it took me a few minutes to realize that their laptop had a physical camera cover that somehow disables camera permissions in windows too. So yeah, happens a ton I would imagine.

By dvngnt_ 2024-11-2721:48

i miss android popup cameras.

By MaxikCZ 2024-11-2721:171 reply

Money.

By zeroping 2024-11-2721:201 reply

Supporting that theory: my HP EliteBook does have a slide-over cover.

(It could also be contention between thickness of the display vs enterprise customer sensitivity to cameras)

By throwaway984393 2024-11-2721:27

[dead]

By perching_aix 2024-11-2720:473 reply

For what it's worth, you could just power on the camera, take a pic, then turn it back off instead. Provided you can do this fast enough, an indicator LED is rendered worthless. So you'd need to make the indicator LED staggered, to stay lit for a minimum amount of time.

There's also the scenario where the LED or the connections to it simply fail. If the circuit doesn't account for that, then boom, now your camera can function without the light being on.

Can't think of any other pitfalls, but I'm sure they exist. Personally, I'll just continue using the privacy shutter, as annoying as that is. Too bad it doesn't do anything about the mic input.

By axoltl 2024-11-2722:27

I worked on this feature for Apple Macbooks around 2014 as the security architect. All Macbooks since then have a camera indicator LED that is (barring the physical removal of the LED) always on at least 3 seconds. This feature is implemented in gates in the power management controller on the camera sub-board.

There's a LOT of pitfalls still (what if you manage to pull power from the entire camera sub-assembly?), this was a fun one to threat-model.

By TZubiri 2024-11-2720:501 reply

A minimum light duration seems pretty trivial to physically engineer.

For one the energy to take a picture is probably enough to power a light for a noticeable amount of time.

And if it isn't, a capacitor that absorbs energy and only allows energy through once it's full would allow the light to remain on for a couple of seconds after power subsides.

By perching_aix 2024-11-2720:592 reply

Wasn't arguing that it's difficult, just that it's needed (and that I'm not expecting it to be done in practice. Because the indicator LED on my laptop doesn't do it either, despite being enterprise grade).

By homebrewer 2024-11-2721:081 reply

JIRA is "enterprise grade", I wouldn't place too much faith into that term.

By perching_aix 2024-11-2721:111 reply

Trust me, I was using it semi-sarcastically too. This thing is slower than my old Pentium 4 would be, yet has a fast enough 30% to 3% battery discharge rate that it would make the speed of light itself blush.

By xxs 2024-11-282:522 reply

The main culprit is that anyone estimating battery life in percentages. It's about voltage and current draw. The battery voltage can be read directly.

About being slow, I suppose it does run windows and its infamous 'defender'

By jmb99 2024-11-284:121 reply

> The main culprit is that anyone estimating battery life in percentages.

I thought this was a solved problem, like, decades ago? At least I remember even the first gen MacBooks having accurate battery percentages, and it’s a more vague memory but my PowerBook G4 did too I think.

By xxs 2024-11-288:21

The "accurate" charging level mostly happens with specific amount of charge cycles (i.e. new). Laptop batteries suffer from higher temperature (over 60C), overcharging (over 4.22 per Li-Ion for most chemistries).

By perching_aix 2024-11-287:241 reply

No, I think it's fairly easy to see that a third of the charge suddenly disappearing is a fairly uncommon behavior.

Same for your Windows idea...

By xxs 2024-11-288:191 reply

"A third" is again fraction/percentage - it's still a representation stuff that depends on charge and charge cycles... and likely previous over charging and heat (Li-Ion doesn't like heat).

To put it simply: the charge level, usually, is just a lookup table for voltage (not under load).

By perching_aix 2024-11-2815:27

In case it was somehow magically unclear, it's not that I don't understand how batteries work, but that either that exact charge approximation mechanism is working exceptionally incorrectly, making it appear as if the battery suddenly lost so much charge, or the battery is a bust.

I do not know whether the battery is actually experiencing that sudden loss in charge, nor do I care, because in practice the end result is the same...

By cthalupa 2024-11-280:161 reply

My 2023 MBP webcam light stays on for nearly 3 seconds after the webcam itself turns off.

By dhosek 2024-11-282:15

Which is part of the design (see comments from the security architect elsewhere in the discussion).

By akira2501 2024-11-2723:201 reply

LEDs are diodes. So you can run power _through_ them. Power Supply -> LED -> Camera.

By xxs 2024-11-282:471 reply

While true, the amount of power would be too low, LEDs also have quite high forward voltage (~3V for blue ones) and they are current driven devices. That suggestion would require pass all the current through the LEDs. LEDs don't like to be reverse biased either. Overall, it's a rather appalling idea. On top of the fact that LEDs can fail short.

More also you'd want a hold up time for the light (few seconds at least), as taking pictures would flash them for 1/60 of a second or so.

By akira2501 2024-11-284:032 reply

They have high forward voltage /drop/ which is a useful property. You drive them with constant current for constant brightness and improved lifespan which is most pertinent for LED light bulb replacements than it is for a simple signal status light. Fixed delay before standby isn't hard to enforce either.

Even so this whole attack vector isn't solved with this. How long should the light stay on for after the camera is put in standby before a user considers it a nuisance? 5 seconds? So if I turn my back for longer than that I'm out of luck anyways.

The anti-TSO means would be a hardware serial counter with a display on the camera. Each time the camera is activated the number is incremented effectively forming a camera odometer. Then if my previous value does not match the current value I know it's been activated outside of my control.

By xxs 2024-11-288:23

I meant the forward voltage (also not a constant one) in series with the actual load.

By perching_aix 2024-11-287:40

As long as you remember the previous number correctly at least... :)

By pesus 2024-11-2720:291 reply

I might be out of the loop, but I thought that was only for some machines - I remember the LED being wired that way being a selling point for MacBooks at some point, as a privacy feature. It definitely should be the standard, though!

By wodenokoto 2024-11-2720:364 reply

[flagged]

By naming_the_user 2024-11-2721:042 reply

At least half of your comment is wrong as the latest model MBP has an ambient light sensor, a camera, and an LED, I'm looking at them.

Maybe the Air?

By bilbo0s 2024-11-2721:151 reply

Doesn’t matter if it’s true. It only matters that they spell your name right.

Threads filled with inaccurate posts like that are a large part of the reason that educating the general populace on security issues is so difficult.

By cruffle_duffle 2024-11-2721:20

And it all goes right into your friendly LLM training data and then spewed right back out again!

By pesus 2024-11-2720:42

They removed the LED? My 2023 model pro still has it. Google is failing me trying to find information about it, though.

By bayindirh 2024-11-2721:08

I don't know whether 2024 models has the LED or not, but there's an unmaskable/global overlay warning for Webcam / Microphone / Location services, and I think they are controlled at Kernel level. You can't bypass these indicators when any software accesses these devices.

These warnings have hysteresis and logging. They don't disappear the moment you close the device, and you can see which app is using which device.

...and no, ambient light sensor handles the true tone and brightness. It's not the camera.

By subjectsigma 2024-11-2720:42

Can you point me to a link? This is very disturbing to me as I thought they were wired together. I can’t find any source confirming or denying newer than like 2022…

By m463 2024-11-2723:59

There was a school district that took pictures of the kids at home.

They briefly saw the LED flash.

But it was not on for any length of time and you could miss it.

This stuff should be completely in hardware, and sensible - stay on for a minimum time, and have a hardware cutoff switch.

By criddell 2024-11-2720:501 reply

I can't find it now, but recently I read how one company's design team added this feature to their laptops. A subsequent review by the team responsible for manufacturing found that they could change the circuit to cut down on the part count to save money. The light was still there, but it was no longer hardwired. The company continued to advertise the camera light as being hardwired even though it wasn't.

By ortusdux 2024-11-2722:081 reply

That fact pattern would setup a solid fraud case against the company and necessitate a recall at a minimum.

By kergonath 2024-11-286:56

Which makes me doubt the anecdote, besides the lack of any specifics or reference.

By qingcharles 2024-11-282:081 reply

I stumbled on a forum once where it was just filled with people trying to modify the software for various laptops to disable the "tally lamp" (as it is called). There were people selling the mods and one guy claiming he was selling his cracks to three-letter agencies. The people on there seemed to be using this to extort people (mostly women) by being able to record videos without the owner knowing. Some really dark shit.

By Nursie 2024-11-282:12

Yeah the first day I read about RATers... jesus. The camera LED seemed to be a major thing for them, because if they could bypass it then the chance their RAT would be discovered was much lower.

Really nasty world they've made for themselves, blackmailing, extorting and generally controlling other people (mostly women and girls, but some men too) with threats of releasing compromising material.

By moritzwarhier 2024-11-2721:501 reply

Since some sort of firmware is required, this seems like a "turing tarpit" security exploit from my laymans perspective.

There's no standard that I know, that, like "Secure EFI / Boot" (or whatever exact name it is), locks the API of periphery firmware and that would be able to statically verify that said API doesn't allow for unintended exploits.

That being said: imagination vs reality: the Turing tarpit has to be higher in the chain than the webcam firmware when flashing new firmware via internal USB was the exploit method.

By axoltl 2024-11-2722:321 reply

No firmware is required. Macbooks manufactured since 2014 turn on the LED whenever any power is supplied to the camera sensor, and force the LED to remain on for at least 3 seconds.

(Source: I architected the feature)

By moritzwarhier 2024-11-2722:481 reply

Thanks for your reply — yourself as the Source can only make me feel flattered then for you responding to me.

> Macbooks manufactured since 2014 turn on the LED whenever any power is supplied to the camera sensor, and force the LED to remain on for at least 3 seconds.

That convinced me originally I think, good old days! I'd almost forgotten about it. The way you phrased it, it sounded like 50% OS concern to me.

But if cam & LED rly share a power supply, and the LED is always on without any external switch, Good then!

By axoltl 2024-11-2723:101 reply

I was not very popular with the camera firmware folks for a while. They had to re-architect a bunch of things as they used to occasionally power on the camera logic without powering the sensor array to get information out of the built-in OTP. Because the LED now came on whenever the camera was powered they had to defer all that logic.

By ProfessorLayton 2024-11-2723:231 reply

What does OTP stand for in this case? The camera PROM??

By axoltl 2024-11-2723:50

Apologies. OTP is One-Time-Programmable. The physical implementation of this varies, in this specific case it was efuses (anti-fuse, actually). It's used for things like calibration data. For a camera it contains information about the sensor (dead pixels, color correction curves, etc.).

By WiSaGaN 2024-11-281:261 reply

That's why many ThinkPads have physical covers over their cameras. You don't even need to worry about whether the LEDs are hardwired - relying on any electronic indicator is already a half-baked security measure. If you want real security, just go with a physical solution.

By DaiPlusPlus 2024-11-285:301 reply

…until it isn’t: my ThinkPad P1 Gen 6 has the camera cover, yes - but it doesn’t have a cover for the depth-sensing camera, only the RGB cam, even though userland applications can get imaging data from that camera just as easily - which is potentially a bigger security issue: I imagine you could reconstruct my facial shape from the data and build a dummy head to get into my iPhone/iPad via FaceID.

(No, I’m not actually worried about this, I’m far too unimportant for anyone to make a targeted attack against)

By bigbacaloa 2024-11-286:03

[dead]

By wutwutwat 2024-11-2722:002 reply

In the past I've used microsnitch on macos which tells you when the mic or camera are activated, but macos seems to have support for this baked into the os now. In zoom calls the menu bar shows what is active. If this can be sidestepped and avoided in software, and the camera can be activated without any indicator, I do not know. If direct access can be done, and you don't need to go through some apple api to hit the camera, maybe.

edit: looks easily bypassed https://github.com/cormiertyshawn895/RecordingIndicatorUtili...

By endigma 2024-11-2723:15

Using this tool requires disabling SIP, so not "easily bypassed" at least from a malware perspective.

By 0xDEAFBEAD 2024-11-2722:151 reply

Did it ever snitch on anything interesting?

By wutwutwat 2024-11-2722:31

idk, but maybe you know! it was probably easily bypassed anyway. hardware disconnects are the only thing that can ever be trusted imo

By ortusdux 2024-11-2720:332 reply

I'd like a law to this effect.

By bluGill 2024-11-2721:38

We may already have this law. If the manufactures makes claims about this LED, then that this attack is possible mean a lawyer can force them to recall and fix everything.

By pooper 2024-11-2721:152 reply

We have to be realistic though. We can't even get a law requiring right to replace a battery on our own iPhones...

By Aaargh20318 2024-11-2721:51

We can’t? Then what is this? : https://environment.ec.europa.eu/news/new-law-more-sustainab... ?

By CharlesW 2024-11-2721:32

Go to https://www.ifixit.com/Device/iPhone, then search for your iPhone's battery replacement guide.

By TZubiri 2024-11-2720:481 reply

The idea has been around for quite some time. But it is always dropped.

My guess is that, assuming the most basic and absolute physicial design, the light would flash for silly things like booting, upgrading firmware, checking health or stuff like that.

By greenthrow 2024-11-2720:511 reply

Flashing is easily fixed with a capacitor and also not a bad thing if it turns off when it loses power immediately. The only explanation that makes sense to me is it being separately controlled is a feature not a bug.

By TZubiri 2024-11-2722:27

I agree on the capacitor fix for flashing, I pointed it out in another post.

In this case I was referring to false positives to the user.

This would mean we can't update the firmware without causing the user some paranoia.

Also. Would an app requesting permission to use camera itself send some power to the camera to verify it is available? In a similar vein, what about checking if the camera is available before even showing the user the button to use the camera?

Maybe there's solutions to this, I'm just pointing out some reasons they may have gone the software route instead of the hardware route.

By agumonkey 2024-11-2720:421 reply

same... i'm also surprised that having a software controlled led would be cheaper ..

By lxgr 2024-11-2721:021 reply

It could be something very simple, such as requiring less USB hub complexity for a camera that can be woken up via a command on the USB bus instead of needing to connect/disconnect the USB power rails (wired in parallel with the LED) to it.

Somebody here has also mentioned Apple using the camera for brightness and maybe color temperature measurement, for which they wouldn't want to enable the LED (or it would effectively always be on).

That doesn't automatically make that a good tradeoff, of course; I'd appreciate such a construction.

By kergonath 2024-11-287:03

> Somebody here has also mentioned Apple using the camera for brightness and maybe color temperature measurement, for which they wouldn't want to enable the LED (or it would effectively always be on).

That is not true. MacBooks have separate light sensors. And the camera physically cannot activate without the LED lighting up and a notification from the OS. People say a lot of stupid things in the comments…

By adolph 2024-11-2720:51

It isn't clear to me that webcam firmware ever powers down a typical camera module. See below for data about how the Sony IMX708 sensor is an I2C device with start and stop streaming commands.

https://github.com/Hermann-SW/imx708_regs_annotated?tab=read...

By orbital-decay 2024-11-2721:36

It's probably done to keep it in a low powered state and reduce the initialization delay. Maybe also to prevent the Windows USB plugging sound from playing upon turning the camera on, as it would seem weird to the user ("I don't have any USB devices plugged in...")

Likely UX over security and privacy.

By ajsnigrutin 2024-11-2721:16

Most business class thinkpads have a physical cover in the screen that covers the camera with a piece of plastic.

Led, no led, who cares, plastic is blocking the lens. Move the cover away, say hi on zoom, wave, turn the camera back off, cover on, and stay with audio only, as with most meetings :)

By riedel 2024-11-2816:53

Actually astound about the same thing with the microphone mute LED and the speaker mute LED. Even without any attack they are sometimes malfunctioning. None of those seem remotely hardwired on my ThinkPad Z13.

By jiggawatts 2024-11-2720:381 reply

"Add an LED next to the camera, our customers demand it!"

"Job done boss!"

That's it. That's what happens. Nobody ever reviews anything in the general industry. It's extremely rare for anyone to raise a stink internally about anything like this, and if they do, they get shouted down as "That's more expensive" even if it is in every way cheaper, or "We'll have to repeat this work! Are you saying Bob's work was a waste of time and money!?" [1]

[1] Verbatim, shouted responses I've received for making similar comments about fundamentally Wrong things being done with a capital W.

By bluGill 2024-11-2721:421 reply

Lawyers after the fact review this. I expect one to start a class action - they will make millions, and everyone else who has this laptop will get $1. The real point is the millions means every other company is on notice that these mistakes hurt the bottom line and so the industry starts to review these things. So long as it doesn't hurt they won't review.

I feel really dirty calling lawyers the good guy here, but ...

By daedrdev 2024-11-2722:071 reply

What law as been broken by not implementing this feature?

By bluGill 2024-11-281:571 reply

If they promise a feature they don't have that is falwe advertising.

By jiggawatts 2024-11-289:211 reply

The feature is an LED light next to the camera. They delivered it.

By bluGill 2024-11-2813:54

The exact words matter. If they call it a led they are maybe fine. If they call it a camera on led they are sunk. Even if they just call it a led, the implication that it is about camera on is an arguement the courts will not toss out - though how they rule is not as clear

By TheRealPomax 2024-11-2720:46

It wasn't. Only responsible manufacturers wired them up that way.

By geor9e 2024-11-2720:45

Sure, for a brand headquartered in Cupertino they might design it that way. But this one is a Beijing brand.

By red-iron-pine 2024-11-2816:31

Enterprise organizations want to be able to watch their employees without them knowing.

Other organizations like law enforcement, are also ambivalent about this.

The easy solution, of course, is a folded business card or piece of tape. But tbh I'm not surprised they didn't implement that approach, and likely deliberately.

By itslennysfault 2024-11-2720:29

Yeah, my understanding is that is how the light on MacBooks works, but I'm not sure about any other makes/models. Obviously, if this is possible that Thinkpad model doesn't do that.

By esprehn 2024-11-281:49

Yeah, on Chromebooks and MacBooks the LED is hardwired to ensure it's always on when the camera is enabled.

By Anna3321AQ 2024-11-2814:55

[dead]

By Shekelphile 2024-11-2721:57

Only apple does this properly.

By TacticalCoder 2024-11-2723:281 reply

> I thought the whole point of these camera LEDs was to have them wired to/through the power to the camera, so they are always on when the camera is getting power, no matter what.

This definitely happened too on Mac in the past, then they went in damage control mode. Not only had Apple access to turn off the LED while the camera was filming, but there was also a "tiny" company no-one had ever heard off that happened to have the keys allowing to trigger the LED off too. Well "tiny company" / NSA cough cough maybe.

After that they started saying, as someone commented, that it requires a firmware update to turn the LED off.

My laptop has a sticker on its camera since forever and if I'm not mistaken there's a famous picture of the Zuck where he does the same.

I've got bridges to sell to those who believe that the LED has to be on for the camera to be recording.

By samatman 2024-11-280:29

I believe every paragraph of this besides the personal anecdote is completely made up. Care to change my mind?

By epistasis 2024-11-2720:3612 reply

I can see why some people might be concerned about the camera, but I'm far more concerned by the microphone. There's far more sensitive and actionable information that can be gathered from me that way! I'm glad that macOS started putting a light in the menubar when the microphone is in use, but I'd prefer to have unhackable hardware for that instead.

By 3eb7988a1663 2024-11-2721:334 reply

I believe it is possible to turn a speaker into a microphone. Found a paper which claims to do just that[0]. So, there is no safety anywhere?

  SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit
  It is possible to manipulate the headphones (or earphones) connected to a computer, silently turning them into a pair of eavesdropping microphones - with software alone. The same is also true for some types of loudspeakers. This paper focuses on this threat in a cyber-security context. We present SPEAKE(a)R, a software that can covertly turn the headphones connected to a PC into a microphone. We present technical background and explain why most of PCs and laptops are susceptible to this type of attack. We examine an attack scenario in which malware can use a computer as an eavesdropping device, even when a microphone is not present, muted, taped, or turned off. We measure the signal quality and the effective distance, and survey the defensive countermeasures.

[0] https://arxiv.org/abs/1611.07350

By orbital-decay 2024-11-2721:451 reply

This only works on audio chipsets that allow pin retasking. Which is, coincidentally, all Realtek chipsets that are present in every PC...

(you also need to plug the speaker directly, mostly limiting it to headphones and laptop speakers)

By bluGill 2024-11-2721:542 reply

Even where it works, speakers are much worse microphones that dedicated microphones, and so the amount of data that can be gathered is low. Why bother when you probably have a microphone on the same PC that can capture far more sound?

By KeplerBoy 2024-11-289:04

This isn't about audio fidelity, this just about getting audible spoken words, which is definitely possible even with the worst microphone.

By bobthebutcher 2024-11-2723:01

I think there was a long period where a proper PC would frequently have only the cheap stereo speakers which are small enough to far outperform raw microphone leads. But I'm not sure this works that well in >=HDMI even if some monitor speakers might otherwise be ideal.

By lynndotpy 2024-11-2723:173 reply

Despite this being a 2016 paper, it's worth noting that this is true in general and has been common(ish) knowledge among electrical engineers for decades. Highschoolers and undergrads in electrical engineering classes often discover this independently.

What's notable about this paper is only that they demonstrate it as a practical attack, rather than just a neat fun fact of audio engineering.

As a fun fact, an LED can also be used as a photometer. (You can verify this with just a multimeter, an LED, and a light source.) But I doubt there's any practical attack using a monitor as a photosensor.

By Anechoic 2024-11-283:231 reply

and has been common(ish) knowledge among electrical engineers for decades.

Not only is it common knowledge it's how drive-thru kiosks work!

Source: I used to test microphone/speakers for a kiosk OEM.

By ycombinatrix 2024-12-041:57

Is it really a single unit that acts as both the speaker and mic? Can it do both simultaneously? Is that why it sounds so trash?

By nurple 2024-11-282:33

Yes! LEDs as photometers is something that you don't really see around much anymore, but it is really cool. Even an LED matrix can be used as a self-illuminating proximity sensor with the right setup.

https://www.youtube.com/watch?v=GaAtpAuNN_o

By NTARelix 2024-11-2722:131 reply

I recall in the early or mid 2000s using some cheap earbuds plugged into the microphone port of my family computer as a pair of microphones in lieu of having a real microphone nor the money for one. Then I used Audacity to turn the terrible recording into a passable sound effect for the video games I was making.

Not knowing much about how soundcards work, I imagine it would be feasible to flash some soundcards with custom firmware to use the speaker port for input without the user knowing.

By megraf 2024-11-2722:291 reply

This is common at nightclubs (or was) - a DJ can use their headphones as a microphone, speaking into one channel and listening to another

Example https://m.youtube.com/watch?v=1NNP6AFkpjs

:-)

By lelandfe 2024-11-2815:02

You will still see DJs do this in NYC! Old school flavor. You can also see Skepta rapping into a pair on the the music video for That's Not Me: https://www.youtube.com/watch?v=_xQKWnvtg6c

I've seen some theatrical DJs bring a cheap pair, snap them in half, and then use them like a "lollipop." Crowd eats it up. Even older school: using a telephone handset: https://imgur.com/a/1fUghXY

By ohhnoodont 2024-11-281:383 reply

Yup it's wild to me how much anxiety there is about cameras while no mind is given to microphones. Conversations are much more privileged than potentially seeing me in my underwear.

That said the most sensitive information is what we already willingly transmit: search queries, interactions, etc. We feed these systems with so much data that they arguably learn things about us that we're not even consciously aware of.

Covering your camera with tape seems like a totally backwards assessment of privacy risk.

By LadyCailin 2024-11-2810:441 reply

I’m just going to assume you’re a man, and don’t generally worry about things like revenge porn. Because that is a bigger concern to me than you, it seems. Sure, I don’t want my sound to be recorded either, but that’s why I put a cover on the webcam AND turn off the physical switch on my (external) microphone. They are both easy things to do.

By hackernewds 2024-11-2817:42

> Conversations are much more privileged than potentially seeing me in my underwear.

Depends on how you look in underwear.

By JCharante 2024-11-2811:231 reply

> Yup it's wild to me how much anxiety there is about cameras while no mind is given to microphones. Conversations are much more privileged than potentially seeing me in my underwear.

It depends on the person, I don't think you could gain much from me? I don't say credit card numbers out loud, I don't talk about hypothetical crimes out loud. I don't say my wallet seed phrases out loud. I also don't type in my passwords. Yes you could probably find out what restaurant I'm ordering delivery for, but other than that I suppose my conversations are really boring.

By hackernewds 2024-11-2817:43

The cost of feeding your entire years speech to an LLM will be $0.5/person. I'm sure summarized and searchable your conversation will be very very valuable.

By curun1r 2024-11-2721:252 reply

The microphone also can't be covered with a $1 plastic camera cover off Amazon. It's so easy to solve the camera issue if you care about it, but there's really nothing you can do about the mic.

By elevaet 2024-11-2818:53

You can do it even cheaper with some painter's tape!

For the mic, perhaps you could disable it by plugging in an unconnected trrs plug into the audio jack. I'm not sure how low level the switching of the microphone source is when you do this, so maybe it's not a good method.

By 71bw 2024-11-2812:322 reply

I went the "batshit insane" route and my microphone hole is plugged in with some clay.

It did most likely physically damage it forever, but at least I now know it's OFF for good.

By 4k93n2 2024-11-2820:13

i tried that with some sugru on an old phone (samsung s10e) and it does a really good job of blocking the microphone.

if you have a case on your phone its a lot less destructive too since you can just stuff the sugru into the microphone hole in the case. the case i was using was soft rubber so it was easy enough to pop out the corner of the case to be able to use the microphone for a call.

that wasnt my daily phone at the time though so im not sure how well it would work in reality. i could see myself forgetting to pop out the case when i get a call and the other person just handing up before i realised what was going on.

it also doesnt work on every phone. i tried the same thing on a pixel 5 but blocking the mic hole did nothing, but that phone uses an under screen speaker so maybe there is something similar going on with the mic

By mass_and_energy 2024-11-2813:462 reply

Why not shut it off in the bios?

By epistasis 2024-11-2817:30

If it can be software controlled, that doesn't really protect against the route documented for cameras in the original post

By 71bw 2024-11-297:12

As if there's an option to do so...

By 542458 2024-11-2720:572 reply

FWIW, modern Macbooks also hardware disable the mic when the lid is closed.

https://support.apple.com/en-ca/guide/security/secbbd20b00b/...

By ryanisnan 2024-11-2721:522 reply

How is that true? I use my macbook mic occasionally with the lid closed, and an external monitor.

By bennyg 2024-11-2722:031 reply

Plus one-ing this - I think the external monitor may be the kicker to keeping the mic active. This drives me up the wall when Google Meet decides to just default to the closed Macbook next to me instead of my already connected Air Pods when joining work meetings.

By Gigachad 2024-11-289:17

The closed macbook next to you has infinitely better sound quality than the airpods mic which will sound like you are underwater.

By dagmx 2024-11-2722:09

Are you sure it’s the MacBook (T2 or Arm) mic? I imagine you’d sound super muffled if you were trying to use it while closed anyway, so I can’t imagine it’s very usable to yourself?

By bluSCALE4 2024-11-280:391 reply

I just tested this with Voice Memo and can confirm it works at least in that scenario. The recording didn't stop, the mic was just disconnected then reconnected when lid was opened. Using Amphetamine w/ script installed on M1.

By pjot 2024-11-280:52

Just to point it out, but there’s a native terminal command `caffeinate` that does the same as Amphetamine.

I use the -disu flags

By wutwutwat 2024-11-2721:57

Miclocks are a thing, or any chopped 3.5mm 3 prong plug should do the trick

https://mic-lock.com/products/copy-of-mic-lock-3-5mm-metalli...

This still doesn't stop a program from switching the input from external back to the internal mics though afaik

By andix 2024-11-2723:04

I'm not sure if an attacker could get some additional sensitive information from me with access to the microphone or the camera, if they already have full access to my PC (files, screen captures, keylogger). Most things they would be interested in is already there.

By chgs 2024-11-2720:421 reply

Hardware switch in line with the microphone. Can’t be turned on behind my back.

By ASalazarMX 2024-11-2721:261 reply

Wireless noise-cancelling headphones. Oh no, the microphone is back through bluetooth.

By kibwen 2024-11-2721:52

If you're half-serious about this sort of opsec, you already have bluetooth disabled. Ideally your hardware wouldn't have support for it at all. Same for wifi.

By fsflover 2024-11-2816:09

My Librem 14 has a microphon+camera kill switch.

Also, on Qubes OS, everything runs in VMs and you choose explicitly which one has the access to microphone and camera (non by default). Admin VM has no network.

By catlikesshrimp 2024-11-2720:443 reply

Soldering iron to the rescue. Locate the microphone and unsolder it.

I haven't seen any microphone integrated in the processor.

Yet

By ferbivore 2024-11-2721:402 reply

M2 and newer MacBooks have an IMU on-board, which is just a funny way of spelling microphone. Admittedly a very low quality one; I'm not sure if you could pick up understandable speech at the 1.6kHz sample rate Bosch's IMUs seem to support.

By nullhole 2024-11-285:451 reply

> M2 and newer MacBooks have an IMU on-board, which is just a funny way of spelling microphone. Admittedly a very low quality one; I'm not sure if you could pick up understandable speech at the 1.6kHz sample rate Bosch's IMUs seem to support.

Are there examples of using IMUs to get audio data you could point to? A quick search didn't reveal anything.

By ferbivore 2024-11-288:59

There's this paper, which made the news at the time I think: https://crypto.stanford.edu/gyrophone/files/gyromic.pdf

And there's this post, which includes an audio clip: https://goughlui.com/2019/02/02/weekend-project-mma8451q-acc...

By internetter 2024-11-281:37

> M2 and newer MacBooks have an IMU on-board

Why?

By fph 2024-11-2721:372 reply

Going into full paranoid mode, I wonder if some other sensors / components can be used as a makeshift microphone. For instance, a sufficiently accurate accelerometer can pick up vibrations, right? Maybe even the laser in a CD drive? Anything else?

By meindnoch 2024-11-2721:501 reply

Camera + bag of chips: https://people.csail.mit.edu/mrub/VisualMic/

By goodpoint 2024-11-289:201 reply

Impossible with normal cameras.

By meindnoch 2024-11-2818:26

"We also explore how to leverage the rolling shutter in regular consumer cameras to recover audio from standard frame-rate videos, and use the spatial resolution of our method to visualize how sound-related vibrations vary over an object’s surface, which we can use to recover the vibration modes of an object."

By bluGill 2024-11-2721:57

A condenser microphone is just a capacitor. Your computer is full of them.

They are very low level input and generally need a pre-amp just to get the signal outside the microphone. However conceptually at least they are there and so maybe someone can get it to work.

By ansgri 2024-11-2720:551 reply

Well it doesn’t need to be visible to work in contrast to camera. Seriously though, no technological and almost no economic barrier preventing embedding a mic into every wireless communication chip.

By yjftsjthsd-h 2024-11-2721:29

Sure, but that requires the manufacturer to be intending to spy, in contrast to someone compromising after the fact.

By rocqua 2024-11-287:201 reply

How will microphone access be monetized?

For video, it is extortion. For microphone, it's much harder.

By sunsetonsaturn 2024-11-287:561 reply

Record, produce transcript, look for keywords, alert the puppeteer when something interesting is picked up - trade secrets, pre-shared keys, defense sector intelligence, etc.

By goodpoint 2024-11-289:171 reply

And even record keystroke sound to extract passwords.

By hackernewds 2024-11-2817:45

Only works if there's labeled data for your prior keystrokes as training data. Unless, there's some uniform manufacturing defect per key in a widely available keyboard like Macbook Air

By salutis 2024-11-2720:497 reply

macOS is a proprietary binary blob, remotely controlled by Apple. So, the light in the menu bar is not a reliable indicator of anything. There is no privacy on macOS, nor any other proprietary system. You can never be 100% sure what the system is doing right now, as can be anything it is capable of. Apple is putting a lot of money to "teach people" otherwise, but that is marketing, not truth.

By lxgr 2024-11-2720:583 reply

> There is no privacy on macOS, nor any other proprietary system.

Nor is there on any free system for which you didn't make every hardware component yourself, as well as audit the executable of the compiler with which you compiled every executable. (You did self-compile everything, hopefully?)

By lmm 2024-11-283:20

> Nor is there on any free system for which you didn't make every hardware component yourself, as well as audit the executable of the compiler with which you compiled every executable.

If the components follow standards and have multiple independent implementations, you can be reasonable confident it's not backdoored in ways that would require cooperation across the stack. At least you raise the cost bar a lot. Whereas for a vertically integrated system, made by a company headquartered in a jurisdiction with a national security law that permits them to force companies to secretly compromise themselves, the cost of compromise is so low that it would be crazy to think it hasn't been done.

By kergonath 2024-11-287:101 reply

> You did self-compile everything, hopefully?

Including the compiler, of course.

By lxgr 2024-11-2814:55

That's where things get circular, which is why I wrote "audit the compiler". But then, how much can you really trust your hex editor... :)

By ndjdjddjsjj 2024-11-289:09

[flagged]

By joemag 2024-11-2721:011 reply

The root of all trust is eventually some human, or group of humans. See "Reflections on Trusting Trust." At least so far, Apple has convinced me that they are both willing and competent enough to maintain that trust.

By salutis 2024-11-2721:471 reply

Myself, I stopped trusting Apple. There are now too many dark patterns in their software, especially once one stops using their services. And, DRM was re-instantiated, when iTunes started streaming as Apple Music. On top of that, their lies, such as those about the Butterfly keyboards being fixed, cost me a fortune. They fuck up the keyboard design, and then they buy the computer back for 40% of its original price, due to a microscopic scratch nobody else could see. And that happened twice to me. They put a lot of money into advertising themselves as being ethical, but that is only marketing. These, of course, are my personal opinions.

By vanchor3 2024-11-280:54

> DRM was re-instantiated, when iTunes started streaming as Apple Music

Purchased music is DRM free. Streaming music was never DRM free, since you arguably do not "own" music that you have not purchased. Though I'm sure record labels would love if they could get DRM back on purchased music again.

By TZubiri 2024-11-2720:522 reply

I get it, free software take, nothing new.

But this is a pretty extremist take. Just because a company doesn't push source code and you can't deterministically have 100% certainty, doesn't mean you can't make any assertions about the software.

To refuse to make any claims about software without source is as principled as it is lazy.

Imagine an engineer brought to a worksite, and they don't have blueprints, can he do no work at all? Ok, good for you, but there's engineers that can.

By salutis 2024-11-2721:54

Yes, I think all devices packed with sensors that live in our homes should be transparent in what they do, that is their code should be available for everyone to see. And yes, it is extremist take, given where we ended up today.

By kasey_junk 2024-11-2721:01

It’s even dumber than that because the people that do assurance work don’t rely solely on source even when it’s available.

Reversing the software is table stakes for assurance work already so suggesting source is a requirement just doesn’t match reality.

By perching_aix 2024-11-2720:561 reply

> There is no privacy on macOS, nor any other proprietary system.

Which is to say, every system in actual widespread use. All such CPUs, GPUs, storage devices, displays, etc. run closed microcode and firmware. It'd be funny if it wasn't so profoundly sad.

And even if they didn't, the silicon design is again, closed. And even if it wasn't closed, it's some fab out somewhere that manufactures it into a product for you. What are you gonna do, buy an electron microscope, etch/blast it layer by layer, and inspect it all the way through? You'll have nothing by the end. The synchrotron option isn't exactly compelling either.

By salutis 2024-11-2721:502 reply

Yes, ultimately, I want everything to be open. This is not a bag of rice. These are devices packed with sensors, in our homes. As for inspection, I do not have a problem trusting others. I just do not trust big corporations with remotely controlled binary blobs, no matter how much money they put into the safety and security ads. This is a personal opinion, of course.

By perching_aix 2024-11-2722:112 reply

> As for inspection, I do not have a problem trusting others. I just do not trust big corporations with remotely controlled binary blobs

I'll just highlight this excerpt of your own words for you, and usher you to evaluate whether your position is even internally consistent.

By j16sdiz 2024-11-287:101 reply

(not OP) Don't think that is inconsistent.

Trusting someone doing the right thing when you purchase is different from trusting them not tampering things remotely in the future. Companies can change management, human can change their mind. The time factor is important

By perching_aix 2024-11-287:29

Hardware can be and is implemented such that it changes behavior over time too, or have undisclosed remote capabilities. There are also fun features where various fuses blow internally if you do specific things the vendor doesn't fancy.

There sure is a difference in threat model, but I don't think the person I was replying to appreciates that, which is kind of what triggered my reply.

By salutis 2024-11-287:421 reply

Why do you think my stance is internally inconsistent?

For example, I completely trust Emacs maintainers, as I have yet to see any malice or dark patterns coming from them. The same applies to other free and open source software I use on a daily basis. These projects respect my privacy, have nothing to hide, and I have no problem trusting them.

On the other hand, I see more and more dark patterns coming from Apple, say when signed out of their cloud services. They pour millions into their privacy ads, but I do not trust them to act ethically, especially when money is on the table.

Does this not make sense?

By perching_aix 2024-11-287:571 reply

Thinking about it, I might have misunderstood what you wrote a bit. What I read was that you trust people, but then you also don't. That's not really a fair reading of what you wrote.

That being said, I have seen "patterns" with open source software as well, so I'm hesitant to agree on trusting it. But that's a different problem.

I also know how little hardware, microcode and firmware can be trusted, so that doesn't help either.

By salutis 2024-11-309:08

Thank you for the clarification. I certainly could have worded my comment better. I agree with you on that we should never trust open-source software blindly. That said, we can at least audit it, along with every new patch, which is impossible with binary blobs. That is why, I personally think, open-source should be preferred, for free and non-free software alike.

By kergonath 2024-11-287:15

> I just do not trust big corporations with remotely controlled binary blobs

Only outstanding individuals such as Jia Tan.

By epistasis 2024-11-2723:58

Once malware is installed, the proprietary blobs from my hardware vendor are the least of my concerns. Thus my request for hardware.

By james_marks 2024-11-2720:582 reply

You can watch network traffic for data leaving the device. Trust but verify.

By 3eb7988a1663 2024-11-2721:36

For something as compressible as voice, I do not know how you would feel confident that data was not slipping through. Edge transcription models (eg Whisper) are continuing to get better, so it would be possible for malware to send a single bit if a user says a trigger word.

By lxgr 2024-11-2721:171 reply

Good luck auditing even just a single day of moderately active web browsing.

By kube-system 2024-11-2722:281 reply

It's easier than reading all of the code in Ubuntu.

By lxgr 2024-11-2723:201 reply

But still entirely impossible. So does it matter?

By perching_aix 2024-11-280:031 reply

Network traffic monitoring is routinely done at enterprises. It's usually part-automated using the typical approaches (rules and AI), and part-manual (via a dedicated SOC team).

There are actual compromises caught this way too, it's not (entirely) just for show. A high-profile example would be Kaspersky catching a sophisticated data exfiltration campaign at their own headquarters: https://www.youtube.com/watch?v=1f6YyH62jFE

So it is definitely possible, just maybe not how you imagine it being done.

By lxgr 2024-11-283:401 reply

I do believe that it sometimes works, but it's effectively like missile defense: Immensely more expensive for the defender than for the attacker.

If the attacker has little to lose (e.g. because they're anonymous, doing this massively against many unsuspecting users etc.), the chance of them eventually succeeding is almost certain.

By perching_aix 2024-11-287:35

All cyberdefenses I'm aware of are asymmetric in nature like that, unfortunately.

By mrb 2024-11-2721:083 reply

On a ThinkPad X1 Carbon Gen 8, it's easily possible record video with the webcam LED off. I did not verify newer generations of the X1 Carbon.

Lenovo put a little physical switch—they call it "ThinkShutter"—that serves to physically obstruct the webcam lens to prevent recording. It's supposed to have only two positions: lens obstructed or not. But if the user accidentally slides it halfway, you can still record video with the lens unobstructed but somehow the webcam LED turns off. It's because the ThinkShutter actually moves 2 pieces of plastic: 1 to cover the lens, 1 to cover the LED. But the piece covering the LED blocks it first, before the other piece of plastic blocks the lens. I discovered this accidentally yesterday while toying with a X1 Carbon... I am reporting it to Lenovo.

By unglaublich 2024-11-2820:091 reply

This tells you a lot about Lenovo's engineering.

They fail to develop a reliable webcam indicator, and patch that with some half-assed attempt at physical view obstruction. The whole approach is a demonstration of bad engineering and unreliability. And that's just the part that became public.

By IanGabes 2024-11-2820:26

I think that its easier to compare the shutter to airplane windows.

The windows are there just to make the humans inside more comfortable, similar to how many people would be more comfortable without a camera pointed at them.

Flashing firmware is a big hill to climb for bad guys in most peoples worlds.

By wmlhwl 2024-11-2722:201 reply

In Yoga C740 it only blocks the shutter. Covering the LED doesn't make sense to me

By mrb 2024-11-287:511 reply

I suppose covering the LED is a less expensive way to provide the same user experience as hooking an electrical switch to the ThinkShutter to electrically turn off the LED when it's in the "blocked" position.

By wmlhwl 2024-11-2816:00

But if we're talking about privacy, I would like to know if something is using the camera even when it's obstructed

By IshKebab 2024-11-288:321 reply

How does malware move the plastic?

By cnity 2024-11-2811:58

The malware posts comments like OP to lots of hacker oriented message boards, prompting all curiously minded ThinkPad X1 Carbon Gen 8 owners to verify that the comment tells the truth by trying it for themselves.