I thought the whole point of these camera LEDs was to have them wired to/through the power to the camera, so they are always on when the camera is getting power, no matter what.
Having the LED control exposed through the firmware completely defeats this.
They are hardwired on Macbooks. From Daring Fireball, quoting an email from an Apple engineer.
> All cameras after [2008] were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]
> So, no, I don’t believe that malware could be installed to enable the camera without lighting the LED. My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.
An indicator light hardwired is nice but I apparently can't trust hardware manufacturers to design it properly. My work laptop (HP Dragonfly) has a physical blocker that closes over the camera when I haven't explicitly pressed the button that enables the camera. The blocker is black and white stripes so it's very obvious when it's covering the sensor. This should absolutely be the security standard we all strive for with camera privacy.
For what it's worth, you could just power on the camera, take a pic, then turn it back off instead. Provided you can do this fast enough, an indicator LED is rendered worthless. So you'd need to make the indicator LED staggered, to stay lit for a minimum amount of time.
There's also the scenario where the LED or the connections to it simply fail. If the circuit doesn't account for that, then boom, now your camera can function without the light being on.
Can't think of any other pitfalls, but I'm sure they exist. Personally, I'll just continue using the privacy shutter, as annoying as that is. Too bad it doesn't do anything about the mic input.
I might be out of the loop, but I thought that was only for some machines - I remember the LED being wired that way being a selling point for MacBooks at some point, as a privacy feature. It definitely should be the standard, though!
I can't find it now, but recently I read how one company's design team added this feature to their laptops. A subsequent review by the team responsible for manufacturing found that they could change the circuit to cut down on the part count to save money. The light was still there, but it was no longer hardwired. The company continued to advertise the camera light as being hardwired even though it wasn't.
I stumbled on a forum once where it was just filled with people trying to modify the software for various laptops to disable the "tally lamp" (as it is called). There were people selling the mods and one guy claiming he was selling his cracks to three-letter agencies. The people on there seemed to be using this to extort people (mostly women) by being able to record videos without the owner knowing. Some really dark shit.
Since some sort of firmware is required, this seems like a "turing tarpit" security exploit from my laymans perspective.
There's no standard that I know, that, like "Secure EFI / Boot" (or whatever exact name it is), locks the API of periphery firmware and that would be able to statically verify that said API doesn't allow for unintended exploits.
That being said: imagination vs reality: the Turing tarpit has to be higher in the chain than the webcam firmware when flashing new firmware via internal USB was the exploit method.
That's why many ThinkPads have physical covers over their cameras. You don't even need to worry about whether the LEDs are hardwired - relying on any electronic indicator is already a half-baked security measure. If you want real security, just go with a physical solution.
In the past I've used microsnitch on macos which tells you when the mic or camera are activated, but macos seems to have support for this baked into the os now. In zoom calls the menu bar shows what is active. If this can be sidestepped and avoided in software, and the camera can be activated without any indicator, I do not know. If direct access can be done, and you don't need to go through some apple api to hit the camera, maybe.
The idea has been around for quite some time. But it is always dropped.
My guess is that, assuming the most basic and absolute physicial design, the light would flash for silly things like booting, upgrading firmware, checking health or stuff like that.
It isn't clear to me that webcam firmware ever powers down a typical camera module. See below for data about how the Sony IMX708 sensor is an I2C device with start and stop streaming commands.
It's probably done to keep it in a low powered state and reduce the initialization delay. Maybe also to prevent the Windows USB plugging sound from playing upon turning the camera on, as it would seem weird to the user ("I don't have any USB devices plugged in...")
Most business class thinkpads have a physical cover in the screen that covers the camera with a piece of plastic.
Led, no led, who cares, plastic is blocking the lens. Move the cover away, say hi on zoom, wave, turn the camera back off, cover on, and stay with audio only, as with most meetings :)
Actually astound about the same thing with the microphone mute LED and the speaker mute LED. Even without any attack they are sometimes malfunctioning. None of those seem remotely hardwired on my ThinkPad Z13.
"Add an LED next to the camera, our customers demand it!"
"Job done boss!"
That's it. That's what happens. Nobody ever reviews anything in the general industry. It's extremely rare for anyone to raise a stink internally about anything like this, and if they do, they get shouted down as "That's more expensive" even if it is in every way cheaper, or "We'll have to repeat this work! Are you saying Bob's work was a waste of time and money!?" [1]
[1] Verbatim, shouted responses I've received for making similar comments about fundamentally Wrong things being done with a capital W.
Enterprise organizations want to be able to watch their employees without them knowing.
Other organizations like law enforcement, are also ambivalent about this.
The easy solution, of course, is a folded business card or piece of tape. But tbh I'm not surprised they didn't implement that approach, and likely deliberately.
Yeah, my understanding is that is how the light on MacBooks works, but I'm not sure about any other makes/models. Obviously, if this is possible that Thinkpad model doesn't do that.
I can see why some people might be concerned about the camera, but I'm far more concerned by the microphone. There's far more sensitive and actionable information that can be gathered from me that way! I'm glad that macOS started putting a light in the menubar when the microphone is in use, but I'd prefer to have unhackable hardware for that instead.
On a ThinkPad X1 Carbon Gen 8, it's easily possible record video with the webcam LED off. I did not verify newer generations of the X1 Carbon.
Lenovo put a little physical switch—they call it "ThinkShutter"—that serves to physically obstruct the webcam lens to prevent recording. It's supposed to have only two positions: lens obstructed or not. But if the user accidentally slides it halfway, you can still record video with the lens unobstructed but somehow the webcam LED turns off. It's because the ThinkShutter actually moves 2 pieces of plastic: 1 to cover the lens, 1 to cover the LED. But the piece covering the LED blocks it first, before the other piece of plastic blocks the lens. I discovered this accidentally yesterday while toying with a X1 Carbon... I am reporting it to Lenovo.
Arguably a much, much bigger problem are the (many) microphones of modern devices.
These usually get neither an LED nor a switch, and unlike cameras can't easily be covered, nor pointed away from potentially sensitive topics/subjects.
After GCHQ was discovered doing this back in 2014 with their 'Optic Nerve' program[0], I have tried to avoid computers with integrated webcams for use as my personal devices (exceptions are mobile devices).
An exception to that rule is if they have hardware switches for turning off the power supply to the camera and microphone.
Currently, I am very happy with my Framework, where the LED is hardwired into the power supplied to the camera[1].
I assumed that most if not all of these webcam LEDs are wired in series with the power to the camera itself. Which then makes it impossible to disable them. Who designs this LED to be software addressable?
Production of the ThinkPad X230 stopped 10 years ago in 2014.
Would be more interesting to read something about a RECENT model.
In late 2014 was the last big webcam vulnerability "hype" I remember [1], which led to a wave of media attention, webcam covers, vendor statements that LED-control is / will be hard-wired etc.
I'm more interested how this big attention impacted future designs of laptops (like my cheap HP here, which has a built-in camera cover)
Just tried to programatically take a picture on my MacBook Pro 2012. Managed to take a picture in sub second. The LED flashes briefly and you could easily miss it .
Would be good to keep that LED ON well after the Camera switches off (Not sure what that minimum would be without causing an inconvenience - but how about 15 minutes ? - Long enough to educate the users to worry about their privacy and perhaps take breaks between making video calls !) - Just a thought.
I like the thought, but if it becomes an "oh, that light's always on, just ignore it" kind of experience, that might train people to think it is not an important signal.
For what it's worth, my Lenovo laptop has a manuel shutter slider button on the side that actually physically covers the camera (and it must also does something driver wise because windows considers it unplugged). It's so easy and convenient that I always use to off the camera.
Many of lenovo have that even included their gaming laptop line (it's actually even better and more convient on that one, thanks to the larger size available).
Doesn't solve the problem this article talks about, but if that's something that worries you I would still trust that more than most (and it's a lot less weirdo looking than taping your camera).
Note, that someone somewhere made a decision not to hardwire the led to the camera enable line. This to me is far more of a scandal than the fact another person decided to exploit it.
I am not a hardware engineer or anything of the sort. My laptop has a slide shutter over the webcam, but this obviously does nothing about the microphone. How difficult/error prone would it be for the power signals to the microphone and camera to be individual wires/traces and have a physical switch that breaks the power or data connection physically? Surely these are very low voltage so the switch could be like the iphone mute switch?
This is why I like a self built PC over laptops. Now I'm sure there's still some way to spot on me via a PC with no built in camera or microphone but I bet it's more difficult.
I do have a laptop and it have a physical cover I can slide into place. Short of black blutack I've not got a decent option for the mic though.
this is so widespread and simple that i basically don't have any respect for laptop manufacturers who refuse to add a simple webcam shutter onto their laptop designs
what would be even better is PHYSICAL HARDWARE POWER SWITCHES for microphones, speakers, and webcam
this ought to be a manufacturer regulation, no more ridiculousness
Can we not require physical, electromechanical switches (like an old-fashioned light switch) for each of the following: camera, mic, cell/LTE, gps, bluetooth, wifi?
Each should have their own switch, otherwise they will group them all into one "privacy mode" switch that also includes something you basically can't live without. Like the keyboard doesn't work in privacy mode or something. Plus, I'd like to be able to leave some of these off by default, only switching them on when I want to use that feature.
I imagine a company good at design (e.g. Apple) could make these small, elegant and easy to use.
The top part of a sticky note, found in most offices, works great with having to take off and put back on. Always assume that the company's provided laptop is a RAT with voice and video recording with notice is a norm.
Don't even understand why laptops have cameras and microphones. If you're serious about video meetings you'll want an external camera anyway.
I keep covering them up with bits of paper (because like most people, I don't trust LEDs or switches) that look ugly and invariably get blown off by a gust of wind and have to be reapplied when moving.
It just seems like at some point around 2010 some cabal decided that every device with a screen needs to have a camera facing the user and a microphone.
When I was covering my webcam on a ThinkPad some 15 years ago, my coworker was laughing at me. Until he read about the Snowden revelations. We learned that everything can be compromised. Bioses, chips, compilers, everything. And just because something should not be the case, doesn’t mean it won’t ever happen.
We should always assume that everything is possible in the digital world. And act accordingly.
[+] [-] sbarre|1 year ago|reply
Having the LED control exposed through the firmware completely defeats this.
[+] [-] 542458|1 year ago|reply
> All cameras after [2008] were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]
> So, no, I don’t believe that malware could be installed to enable the camera without lighting the LED. My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.
https://daringfireball.net/2019/02/on_covering_webcams
[+] [-] connicpu|1 year ago|reply
[+] [-] perching_aix|1 year ago|reply
There's also the scenario where the LED or the connections to it simply fail. If the circuit doesn't account for that, then boom, now your camera can function without the light being on.
Can't think of any other pitfalls, but I'm sure they exist. Personally, I'll just continue using the privacy shutter, as annoying as that is. Too bad it doesn't do anything about the mic input.
[+] [-] pesus|1 year ago|reply
[+] [-] m463|1 year ago|reply
They briefly saw the LED flash.
But it was not on for any length of time and you could miss it.
This stuff should be completely in hardware, and sensible - stay on for a minimum time, and have a hardware cutoff switch.
[+] [-] criddell|1 year ago|reply
[+] [-] qingcharles|1 year ago|reply
[+] [-] moritzwarhier|1 year ago|reply
There's no standard that I know, that, like "Secure EFI / Boot" (or whatever exact name it is), locks the API of periphery firmware and that would be able to statically verify that said API doesn't allow for unintended exploits.
That being said: imagination vs reality: the Turing tarpit has to be higher in the chain than the webcam firmware when flashing new firmware via internal USB was the exploit method.
[+] [-] WiSaGaN|1 year ago|reply
[+] [-] wutwutwat|1 year ago|reply
edit: looks easily bypassed https://github.com/cormiertyshawn895/RecordingIndicatorUtili...
[+] [-] ortusdux|1 year ago|reply
[+] [-] TZubiri|1 year ago|reply
My guess is that, assuming the most basic and absolute physicial design, the light would flash for silly things like booting, upgrading firmware, checking health or stuff like that.
[+] [-] unknown|1 year ago|reply
[deleted]
[+] [-] agumonkey|1 year ago|reply
[+] [-] adolph|1 year ago|reply
https://github.com/Hermann-SW/imx708_regs_annotated?tab=read...
[+] [-] orbital-decay|1 year ago|reply
Likely UX over security and privacy.
[+] [-] ajsnigrutin|1 year ago|reply
Led, no led, who cares, plastic is blocking the lens. Move the cover away, say hi on zoom, wave, turn the camera back off, cover on, and stay with audio only, as with most meetings :)
[+] [-] riedel|1 year ago|reply
[+] [-] unknown|1 year ago|reply
[deleted]
[+] [-] jiggawatts|1 year ago|reply
"Job done boss!"
That's it. That's what happens. Nobody ever reviews anything in the general industry. It's extremely rare for anyone to raise a stink internally about anything like this, and if they do, they get shouted down as "That's more expensive" even if it is in every way cheaper, or "We'll have to repeat this work! Are you saying Bob's work was a waste of time and money!?" [1]
[1] Verbatim, shouted responses I've received for making similar comments about fundamentally Wrong things being done with a capital W.
[+] [-] unknown|1 year ago|reply
[deleted]
[+] [-] TheRealPomax|1 year ago|reply
[+] [-] geor9e|1 year ago|reply
[+] [-] red-iron-pine|1 year ago|reply
Other organizations like law enforcement, are also ambivalent about this.
The easy solution, of course, is a folded business card or piece of tape. But tbh I'm not surprised they didn't implement that approach, and likely deliberately.
[+] [-] itslennysfault|1 year ago|reply
[+] [-] esprehn|1 year ago|reply
[+] [-] Anna3321AQ|1 year ago|reply
[deleted]
[+] [-] Shekelphile|1 year ago|reply
[+] [-] epistasis|1 year ago|reply
[+] [-] mrb|1 year ago|reply
Lenovo put a little physical switch—they call it "ThinkShutter"—that serves to physically obstruct the webcam lens to prevent recording. It's supposed to have only two positions: lens obstructed or not. But if the user accidentally slides it halfway, you can still record video with the lens unobstructed but somehow the webcam LED turns off. It's because the ThinkShutter actually moves 2 pieces of plastic: 1 to cover the lens, 1 to cover the LED. But the piece covering the LED blocks it first, before the other piece of plastic blocks the lens. I discovered this accidentally yesterday while toying with a X1 Carbon... I am reporting it to Lenovo.
[+] [-] lxgr|1 year ago|reply
These usually get neither an LED nor a switch, and unlike cameras can't easily be covered, nor pointed away from potentially sensitive topics/subjects.
[+] [-] MrDresden|1 year ago|reply
An exception to that rule is if they have hardware switches for turning off the power supply to the camera and microphone.
Currently, I am very happy with my Framework, where the LED is hardwired into the power supplied to the camera[1].
[0]: https://en.wikipedia.org/wiki/Optic_Nerve_(GCHQ)
[1]: https://community.frame.work/t/how-do-the-camera-and-microph...
[+] [-] larusso|1 year ago|reply
[+] [-] rickdeckard|1 year ago|reply
In late 2014 was the last big webcam vulnerability "hype" I remember [1], which led to a wave of media attention, webcam covers, vendor statements that LED-control is / will be hard-wired etc.
I'm more interested how this big attention impacted future designs of laptops (like my cheap HP here, which has a built-in camera cover)
[1]: https://www.usenix.org/conference/usenixsecurity14/technical...
[+] [-] muzster|1 year ago|reply
Would be good to keep that LED ON well after the Camera switches off (Not sure what that minimum would be without causing an inconvenience - but how about 15 minutes ? - Long enough to educate the users to worry about their privacy and perhaps take breaks between making video calls !) - Just a thought.
[+] [-] canadaduane|1 year ago|reply
[+] [-] nolok|1 year ago|reply
Many of lenovo have that even included their gaming laptop line (it's actually even better and more convient on that one, thanks to the larger size available).
Doesn't solve the problem this article talks about, but if that's something that worries you I would still trust that more than most (and it's a lot less weirdo looking than taping your camera).
[+] [-] Roark66|1 year ago|reply
[+] [-] unglaublich|1 year ago|reply
[+] [-] WalterBright|1 year ago|reply
Cameras and microphones and write enable must have physical switches, not software ones. When will people learn?
Never.
Me, I unplug the camera and mike when not in use.
[+] [-] Eavolution|1 year ago|reply
[+] [-] ghjfrdghibt|1 year ago|reply
I do have a laptop and it have a physical cover I can slide into place. Short of black blutack I've not got a decent option for the mic though.
[+] [-] albert_e|1 year ago|reply
Privacy and security risks of the future loom big.
[+] [-] stainablesteel|1 year ago|reply
what would be even better is PHYSICAL HARDWARE POWER SWITCHES for microphones, speakers, and webcam
this ought to be a manufacturer regulation, no more ridiculousness
[+] [-] Nifty3929|1 year ago|reply
Each should have their own switch, otherwise they will group them all into one "privacy mode" switch that also includes something you basically can't live without. Like the keyboard doesn't work in privacy mode or something. Plus, I'd like to be able to leave some of these off by default, only switching them on when I want to use that feature.
I imagine a company good at design (e.g. Apple) could make these small, elegant and easy to use.
[+] [-] yndoendo|1 year ago|reply
[+] [-] okasaki|1 year ago|reply
I keep covering them up with bits of paper (because like most people, I don't trust LEDs or switches) that look ugly and invariably get blown off by a gust of wind and have to be reapplied when moving.
It just seems like at some point around 2010 some cabal decided that every device with a screen needs to have a camera facing the user and a microphone.
[+] [-] submeta|1 year ago|reply
We should always assume that everything is possible in the digital world. And act accordingly.
[+] [-] cjaackie|1 year ago|reply