Honestly, I don’t understand why it’s so difficult to create a camera chip not susceptible to any software hack. The camera sensor needs electrical current to work. Simply place the LED inline or in parallel to the camera and you are done. Any time current is sent to the camera sensor, the LED can’t help it but light up. My knowledge of electronics is limited, but I know for a fact that this can be achieved without the use of any reprogrammable microchips, with the use of a simple electrical circuit.
> Simply place the LED inline or in parallel to the camera and you are done. Any time current is sent to the camera sensor, the LED can't help it but light up.
So, upon (my incorrectly) presuming this was how it's already done in hardware and reading the headline of the article before I got to the text, I assumed they were turning it on and taking a single frame and turning it off fast enough that the LED was only on for a short enough time for the user not to be able to see it (or not notice).
Turns out the article claims they just reprogrammed the microcontroller to not turn it on in the first place. Of course that's a bad design, but you do need some more logic in there - the light needs to stay on for a minimum time when the camera is functioning so that the user can notice it.
This, too, is simple enough that it can be achieved without a microcontroller, but please don't presume that it's a simple fix. It's not just "put it in parallel".
Having an inline LED is still a bit over-engineered in my opinion.
The earliest standalone webcams, for instance Logitech models and the IndyCam that came with the Silicon Graphics 'Indy' workstation, had a 'door' that you could slide over the lens when not in use. Lenovo had this on their all-in-one PCs a few years ago but I don't think they kept that feature.
What was wrong with the slide-across lens cover?
You would think it would be an essential feature for some.
Now all you have to do is warn users that the one LED is important and means something. Not like all the other LEDs that are on all the time and are mostly pointless.
> When the school district investigated the case, it found other incidents of webcam spying, and notified the students involved, including Levin. According to the lawsuit, filed in Eastern Pennsylvania District Court, Levin's younger brother commented on a light near the webcam that appeared to go on and off at odd times. His mother "dismissed the idea as absurd," but it appears he was right.
It's not difficult, but it makes the system inflexible. The vendors, not worried about the privacy implications, choose what makes the system more flexible.
I've heard that this was a serious flaw in Google's opinion, and they went through great efforts to ensure that the LED for the Chromebook Pixel was actually hard-wired into the camera's electronics. Which if true, shows that it's indeed possible.
I thought the same as well. An LED in series with the circuit powering the CMOS sensor is all that would be needed. No amount of reprogramming is going to bypass a physical circuit.
This is disappointing, and I expect Apple will redesign the cameras because of it.
Story time .... a while ago I had a similar discussion with someone because I said I have a thick black tape on my Macbook's webcam and I rest easy knowing I cannot be spied on using that camera unless the laws of physics change.
Of course many people made fun of it and mentioned "blah blah you are paranoid the LED cannot be manipulated and will always turn on ...".
Well ... here you go. Where are you now?
I wouldn't be surprised if someone-cough-you-know-who-cough had influenced the design for this to become a possibility. We know they are actively looking for opportunities like this. Go ahead, call me a paranoid again ... and next month when the story about how they did just that hits hacker news, I'll have an even better story to tell.
IIRC, in my old Macbook (early 2008) the led is actually inlined. Some machines had a weird hardware bug that shorted this area and sometimes the led would go on... and the camera would be useless until next reboot (mine was one of these, didn't realise until ~after 6 months of owning it
I am not an electrical engineer, I can't really judge the appropriateness or feasibility of various solutions.
But in the research paper cited by the Wash Post[1], there's a whole section where the authors discuss their recommendations, see under "VIII. SECURE CAMERA DESIGNS". Including some specific suggestions of how you would implement this design in hardware.
One of the best ways is to have a dedicated "Chip Enable" pin on the camera module. You then connect an LED to the state of this pin and when the Chip Enable pin is "High" the LED is turned on. However, there needs to be additional circuitry (an extra pin) and some work to ensure proper voltage levels are met for both the pin and the LED (extra cost).
Another option is to enable the LED when power is turned onto the module.
Seems that way. It wasn't too long ago there was a post about new breeds of malware that target various microcontrollers throughout a PC, able even to "hide out" in something like an optical drive to avoid detection or removal.
I would be more concerned about the microphone. I can easily cover the camera with tape. Also, random pictures of me programming or reading HN are probably less damaging than audio recordings of conversations I might be having.
My current Thinkpad has a physical switch to disable radios. I'd like to have a physical 'privacy' switch that cut the power to internal microphones and cameras.
To be security aware, this has to be an auditable hardware power switch, and not just an interrupt/driver/bios combination that could be bypassed. It's also preferable for security to have an off-by-default switch, than an activity light you might not notice...
Same here. Even nude photos would be embarrassing, but audio recordings could have effects far worse than some prude shame.
Especially since there is no LED to signal the microphone is active, it doesn't need to point anywhere. If it could be activated while the laptop is closed (force wake up a part of the OS for just a few minutes here and there for instance) it would be a really tough problem.
I use a cut-out piece of postit note for the camera, and a small piece of etape for the microphones -- seems stable, and both are pretty easy to take off without leaving too much spooge behind.
Also note that a speaker can be used as a microphone as well. (In physics terms they are the same device, which can convert sound to electricity or vice versa.) With modern sound cards having reprogrammable inputs and outputs, I wouldn't be surprised if even a laptop with no microphone installed could record audio.
(My friend once had to record herself for a foreign language homework, but her microphone broke. I instructed her to plug her headphones into the microphone jack and use them instead. It worked, but she had to talk loudly to make them work.)
The RSA acoustic key recovery hack is particularly terrifying in this instance. Turning on the microphone on the computer can furnish an attacker with everything they need to recover encryption keys stored on the computer.
Some hardening guides suggest having the camera and microphone removed by an Apple tech. I'm considering having this done on my next laptop - I just don't use them that often.
One of my friends always keeps her MacBook open, and had Skype set up to auto-answer video calls. (Until I fixed that for her.) She's a very educated professional woman who teaches at a university you've heard of.
In other words, HN readers might come up with defensive hacks, but 99% of the population is completely vulnerable to all kinds of spying, whether government or stalker, and the situation can only get worse as wireless electronics pervade every part of our lives. Books? Internet-enabled. Fridge? Internet-enabled. Car? Internet-enabled. Our own bodies? Carry wireless-connected smartphone 24x7.
And I thought I was clever for turning the light on for only a tiny split-second to take a picture... (I wasn't writing malware. I put the program on my own laptop before I sent it in to be serviced. http://ecritters.biz/applecarefacility/)
It actually is clever. I like this "go around instead of breaking" approach very much. Two similar cases:
A car magazine claimed they discovered a serious weakness in a particular brand of a steering wheel lock. The company made a series of improvements to the lock and challenged the magazine to demo their hack. The magazine guy approached the new lock, gave it a good hard yank and it came off the steering wheel.
Another one was the Flash fullscreen mode. Flash used to (probably still does) display a hard-coded warning after the app went full screen - obviously to prevent Flash apps from impersonating browsers, OSes and so on. I've seen a demo that took advantage of the fact that the text was an overlay over what the app displayed.
The demo app just went full screen and printed lots of messages in the same font as the Flash warning, all over the screen. The overlay was still visible (Flash made it impossible to hide or cover) but it was basically impossible to read. The demo then pretended it did a Windows restart - it was pretty scary :-)
Split second as in actually significantly under a second? I've never been able to get mine to take a picture without lighting up for very nearly a full second.
... The voice came from an oblong metal plaque like a dulled mirror ... The instrument (the telescreen, it was called) could be dimmed, but there was no way of shutting it off completely. (1.1.3)
Oceanians live in a constant state of being monitored by the Party, through the use of advanced, invasive technology.
It was terribly dangerous to let your thoughts wander when you were in any public place or within range of a telescreen. The smallest thing could give you away. A nervous tic, an unconscious look of anxiety, a habit of muttering to yourself – anything that carried with it the suggestion of abnormality, of having something to hide. In any case, to wear an improper expression on your face (to look incredulous when a victory was announced, for example) was itself a punishable offense. There was even a word for it in Newspeak: facecrime, it was called. (1.5.65)
What's aggregated about you? Are you against this monitoring that protects us from fear and terrorism? Did you state that in some online devious hacker forum?
I really would hate to taint my MBP with ugly duct tape on the camera, but I may have to in the future.
Months ago I read about a company that rented laptops for people to make payments on and eventually own. They installed spy software so they could locate the laptops had the user not made a monthly payment. Employees were spying on users while they were having sex and other things. This wasn't on MBPs but they still managed to not notify the user.
I want hardware on/off switches for camera, microphone, wifi, bluetooth, and maybe even external speakers. These should be power switches, not switches that make a polite request to firmware for the firmware to act as if the devices are off.
Although I haven't looked into it in detail, yet, the T430 I have at the moment has a physical switch for WiFi and Bluetooth functionality.
I want the same for the built-in camera and mic. A little physical "red switch" that no amount of coding can defeat.
I agree with others, here. I'm worried at least as much about the microphone as I am about the camera. I can always physically block the camera -- and control what it is pointed at.
Further, I'm not comfortable with plugging in a microphone to "override" the built-in microphone. Physical design alone leaves me certain (although without proof) that this "override" is controlled by code. And a bit of experience with software that overrides such defaults to allow simultaneous input over multiple, "normally" orthogonal channels leaves me convinced that such can likely be done with the internal microphone of most devices.
On early Macbook webcams it was electrically impossible to turn on the webcam without activating the light next to it. I'll see if I can find a source.
Edit: the story refers to precisely these early Macbooks. Yikes.
Any ideas why they changed it? Surely the circuit would be simpler like this rather than having the LED hooked up to the microchip and software controlling it.
Notes from the article: they demonstrate it on a black macbook from 2008. They don't have a "modern" version of their disable-webcam-LED exploit.
The victim they talked to mentioned "she never saw the light on her laptop go on" — that doesn't mean it didn't, it just means she could have just not been looking for it.
Ideally, your webcam LED will be wired with your webcam itself. For your webcam sensor to be powered up, the LED will be powered up as a physical requirement of sending power to the webcam sensor. Many lesser-engineered webcams have software controlled LEDs (kinect bar, generic egg-shaped webcams) that don't even take "hacks" or "malware" to disable LEDs—you just run "turn led off."
The obvious solution is of course a bit of tape, but that's less convenient when you do actually want to use the camera.
I notice that the EFF have some nifty little 'ultra-removable adhesive' stickers[1] that might do better, but what would be better is some sort of low-profile adhesive backed sliding cover.
...
It appears I spoke too soon, there are already plenty out there, with mixed reviews. The 'iPatch'[2] looks interesting.
There is a freely-available kernel extension[1] to make this firmware hack accessible to root only. The exploit depends on modding the camera firmware from userspace.
The kext is created by the same authors of the paper[2] this article is talking about. Search the paper for "iSightDefender".
I own a Logitech C920 Pro and a software called webcam settings allows me to easily turn off the lights. If this software can do this, so can a malware.
Also, a malware can be designed to click quick snaps when there is no keyword or mouse activity for a specific period. This can help the malware go unnoticed without controlling the light. Want to take it to the next level? You can use the mic anytime to estimate the user's distance from the system and then enable webcam accordingly. I know this would not be very accurate, but possible.
It is about the Macbook iSight. There is definitely no (official, known) software that allows you to turn off the privacy light. The Apple engineers intended it to be impossible to disable, and believed it was.
Interesting to note: iPhone and iPad and a lot of Android devices don't have a camera indicator LED. While it is difficult to distribute iOS Apps outside the AppStore (where Apple would hopefully reject an App accessing camera information without informing the user) this totally could happen with Android Apps distributed outside of App Stores.
A while ago I wrote a component for the iPad that emulates the proximity sensor of the iPhone by measuring the brightness of images the front camera captured. There was no way for the user to detect that I was actually capturing images.
FBI had knowledge about this security vulnerability for years, yet they traded the security of innocent for an increased attack capability.
This is of course nothing new. They used Firefox zero day vulnerabilities before. It just highlights the priority that exist today. Their job is no longer to serve and protect, but to create news article where they can gain glory of taking down bad people.
I'm just playing devil's advocate here... Your argument for "open software/hardware" doesn't apply here. There was an exploit found in almost 6+ year old hardware/software. Has nothing to do with the fact if it is open or not. "Open" != "non-exploitable" || "flawless".
Also applies to crypto-accelerated CPU instructions.
With OSS and OSH, at least there's a chance of auditing what one has is what was released, and a chance to audit that there's no funny business going on.
x0054 | 12 years ago
wmeredith | 12 years ago
sneak | 12 years ago
Theodores | 12 years ago
DanBC | 12 years ago
http://www.wired.com/threatlevel/2010/10/webcam-spy-settleme...
http://www.pcmag.com/article2/0,2817,2386599,00.asp
Arelius | 12 years ago
milhous | 12 years ago
borplk | 12 years ago
RBerenguel | 12 years ago
jrochkind1 | 12 years ago
[1] https://jscholarship.library.jhu.edu/bitstream/handle/1774.2...
proee | 12 years ago
qbrass | 12 years ago
elwell | 12 years ago
jrochkind1 | 12 years ago
Here's the research paper linked to in the story, if anyone wants to see what the researchers have to say. I haven't taken a look yet myself: https://jscholarship.library.jhu.edu/handle/1774.2/36569
Ah, there it is right in the abstract, yep:
> The same technique that allows us to disable the LED, namely reprogramming the firmware that runs on the iSight, enables a virtual machine escape whereby malware running inside a virtual machine reprograms the camera to act as a USB Human Interface Device (HID) keyboard which executes code in the host operating system.
Ooh, neat.
Zikes | 12 years ago
justin | 12 years ago
StringyBob | 12 years ago
hrktb | 12 years ago
greglindahl | 12 years ago
rcthompson | 12 years ago
11001 | 12 years ago
XorNot | 12 years ago
philip1209 | 12 years ago
auctiontheory | 12 years ago
eurleif | 12 years ago
praptak | 12 years ago
bentcorner | 12 years ago
It's actually kind of amusing to see pictures of you and notice your hair growing over several weeks :)
Bakkot | 12 years ago
headgasket | 12 years ago
INFORM and VOTE
wil421 | 12 years ago
http://www.wired.com/threatlevel/2012/09/laptop-rental-spywa...
SiVal | 12 years ago
pasbesoin | 12 years ago
pavel_lishin | 12 years ago
nodata | 12 years ago
lucaspiller | 12 years ago
seiji | 12 years ago
shabble | 12 years ago
[1] https://supporters.eff.org/shop/laptop-camera-cover-set
[2] http://www.virtualspaceindustries.com/theipatch/
unspecified | 12 years ago
[1] https://github.com/stevecheckoway/iSightDefender
[2] https://jscholarship.library.jhu.edu/bitstream/handle/1774.2...
mathhead | 12 years ago
jrochkind1 | 12 years ago
toomuchtodo | 12 years ago
Ben-G | 12 years ago
joshfraser | 12 years ago
https://launchpad.net/isight-firmware-tools/+download
samolang | 12 years ago
belorn | 12 years ago
uptown | 12 years ago
"NSA recommends physically removing iSight webcam from Apple laptops for security reasons"
http://endthelie.com/2013/08/20/nsa-recommends-physically-re...
auctiontheory | 12 years ago
Embrace Big Brother, folks, 'cos he's here.
nexttimer | 12 years ago
There's really only 1 solid solution to this:
Open software and open hardware.
millerm | 12 years ago
Edited for bad boolean.
midas007 | 12 years ago