JollyPieFedMalware can turn off webcam LED and record video, demonstrated on ThinkPad X230
cross-posted from: https://lemmy.bestiver.se/post/121053
43 Comments
Comments from other communities
Why the fuck isn’t there just a simple status LED that is on the same circuit as the camera? If the camera is on, the LED is on. Period.
Dave.Why the fuck isn’t there just a simple status LED that is on the same circuit as the camera?
Because cameras aren't simple on-off devices powered by a single wire, that's why. It's always got power, and it's turned "on" (send image data over the data bus) and "off" (do not send data) by software commands over the same data bus.
So the most convenient solution is then have the camera IC have an output that can drive an indicator light. And as camera ICs are basically full computers in their own right, they can be reprogrammed so that they don't turn on that output.
End result is that you are much better off either having a physical cover over the camera lens, or having a USB camera that you can unplug.
Framework laptops solve this by having physical switches for the camera and microphone at the top of edge of the screen. Can’t get safer than that except for physical removal.
Note that these switches mainly trigger a magnetic sensor to switch the power to the camera
It's not physically disconnecting it.
And in theory you can move the bezel away from the display a bit to activate the camera, if you have physical access (although you'd probably notice if something bulges the bezel)
ZerushFor this the best AV (100% proof)
(A piece of tape also works fine)
I use a small band-aid - no gummy glue on the lens!
Anyway I think that a Webcam cover should be a default on webcams, not only for privacy, but also for th same reason why Cams and binoculars have caps by default, to protect the lens. If you use a tape, to avoid glue on the lens, you can cover the intern part which is over the lens with a piece of paper
My ASUS Vivobook has a slider that blocks the camera physically. It is bright red so I can easily see it is closed.
Lights Out
The problem here is that the led was software controlled which always struck me as more of a bandaid then a solution.
A proper hardware switch solution would mean the led and webcam are wired so if the webcam receives any power the led jumps on. The computer shouldn't even know that led exists. Not sure how many devices actually do this though.
The tape on cam solution works on video but might still record sound which is in many cases more dangerous for sensitive information.
Of course one also has to wonder how much it matters having typed this on a phone with cam and microphone uncovered and no indicators.
Yeah, this is exactly the problem. Never should have been software controlled.
And yes, it's getting harder and harder to control for these privacy issues with the number of devices we routinely carry with microphones and cameras.
I believe Framework has their webcam LED setup like this. At a minimum the physical switch cuts power to the whole webcam assembly.
And the Framework Laptop also has a switch for the mic. So even the mic can be completely turned of on the hardware level.
That is exactly how the webcam light is setup in a Framework. The light is wired up to the camera sensors power, so whenever the camera has power, so does the light. The switch also fully disconnects it from the computer itself. At least in Linux, you can verify it using
lsusb. You can see the camera indicated asRealtek Semiconductor Corp. Laptop Camera. Whenever the switch is flipped though, it disappears all together from the list.I believe apple has the led hardwire in MacBooks webcams.
Used to, but not anymore. I recall a similar exploit for MacBooks a few years back.
The problem with that is a USB device is powered even if it's not being used. You can't communicate with it to identify it as a webcam without powering it. So the light will be on any time it's plugged in.
The camera module itself can be powered off if properly designed and the led should be powered from the same source.
Yeah, but that's additional design complexity, and most consumers, given the choice, would pick the cheaper option.
It's more complex and expensive to have it controlled by software though.
Hardware controlled would be the equivalence of using a splitter to add a second lamp on an outlet attached to a light switch. (would only require a change in a trace or two and a transistor/resistor or two.)
Software controlled is the equivalence having to buy smart outlets and programming them yourself to have the two lamps turn on at the same time. (requires the same as a hardware switch, plus a more expensive or even an extra controller chip along with the need to write and program it.)
Could be interesting to have a law that made this cheaper option illegal as it is more dangerous to society
That's the USB-controller, not the actual cam. It's certainly possible to couple a LED with the power state of the camera chip and it was already done before.
Both android and crapple phones have mic & cam indicators nowadays, tho, and if a piece of software has a level of access high enough to bypass those, you kinda have bigger issues... Also, the webcam receives power by default currently; as the repo mentions, it's just another USB device (well, it's 3v3, and not 5v, but it doesn't really matter here)
IMHO both camera and microphone should have a physical switch disconnecting them.
And you know, the led shouldn't be fucking firmware controlled!
It's a really good idea, but to work reliably, it should be HARDWIRED to light up when the cmos is receiving power.
It feels intentional to fuck this one up.
On phones and tablets as well.
Framework laptops do this- and the switch that kills the camera also slides a shutter over the lens as well.
Oh, mine only seems to physically disconnect the camera and not slide anything in front of the lens. Do you have the 16?
That lens cover also seems unnecessary to me. A physical disconnect for the camera and microphone is a nice touch of Framework's laptops...
Most laptops have a physical slider that can mask the camera. But I don't know of any tablets or phones that offer this feature.
I have a thin stick-on slider for my laptops. It'd look clunky, but you can stick it on any tablet or phone.
Deleted by author
That hole in the screen is always black, so covering up the hole (and only the hole) won't make you miss a thing.
Deleted by author
or get a phone that you can trust
Those pretty much don't exist.
Here are the list of phones I trust, in order:
I'm on 3, because 1 & 2 don't function well enough as phones (need reliable MMS, better audio, and better battery life). The first two have hardware switches, the last is controllable by software I somewhat trust. All three have significant caveats. Once 1 or 2 work properly as phones (don't even need Android apps), I'll switch.
Deleted by moderator
there used to be phones with pop-up cameras for a year or two.
The Librem 5 offers hardware killswitches on the side of the phone, and the Pinephone offers hardware killswitches in the rear of the device after removing the backplate.
It can't turn off electrical tape.
Anyone else ever join large conference calls from the shower?
Shower? No.
Naked? More times than clothed.
This is why so many laptops, including Lenovo laptops, have webcam covers. You could always put a piece of tape over it lol
I just use some gaffers tape to cover the camera.
One complaint I have is a lot of laptop manufacturers who do put a camera slider in, paint the slider red when it's closed and black when it's open. It should be the opposite. Red is dangerous live.
I fix it just using some enameled nail polish. But it seems opposite of what it should be
They have it that way because it reduces the support calls from idiots who can't figure out why their webcam won't work.
What about the mic?
Plug in a dummy headphone jack. But some microphones are not disabled in hardware when that happens.
The framework laptop does have a hardware switch for that, which is nice
That's not possible, because the sensor is black (or at least very dark).
Right, but the ring around the sensor is plastic. That plastic could be red. To indicate that the camera is uncovered
Most Thinkpad's have a slidy cover not sure about the mics though