https://github.com/Hermann-SW/imx708_regs_annotated?tab=read...
> All cameras after [2008] were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]
> So, no, I don’t believe that malware could be installed to enable the camera without lighting the LED. My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.
https://support.apple.com/en-ca/guide/security/secbbd20b00b/...
[0] https://shop.eff.org/products/laptop-camera-cover-set-ii
SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit
It is possible to manipulate the headphones (or earphones) connected to a computer, silently turning them into a pair of eavesdropping microphones - with software alone. The same is also true for some types of loudspeakers. This paper focuses on this threat in a cyber-security context. We present SPEAKE(a)R, a software that can covertly turn the headphones connected to a PC into a microphone. We present technical background and explain why most of PCs and laptops are susceptible to this type of attack. We examine an attack scenario in which malware can use a computer as an eavesdropping device, even when a microphone is not present, muted, taped, or turned off. We measure the signal quality and the effective distance, and survey the defensive countermeasures.
There's just a valid an argument to do the same for phones. How many phones ship with camera covers and how many users want them?
You can get a stick on camera cover for $5 or less if you want one. I have them on my laptops but not on my phone. They came in packs of 6 so I have several left.
Which reminds me, to strengthen your point, it doesn't have 100% keystroke recognition, but there are works[1] on keylogging via audio, and 93% via Zoom-quality audio streams is concerning enough for me.
https://mic-lock.com/products/copy-of-mic-lock-3-5mm-metalli...
This still doesn't stop a program from switching the input from external back to the internal mics though afaik
edit: looks easily bypassed https://github.com/cormiertyshawn895/RecordingIndicatorUtili...
A custom PMIC for what's known as the forehead board was designed that has a voltage source that is ALWAYS on as long as the camera sensor has power at all. It also incorporates a hard (as in, tie-cells) lower limit for PWM duty cycle for the camera LED so you can't PWM an LED down to make it hard to see. (PWM is required because LED brightness is somewhat variable between runs, so they're calibrated to always have uniform brightness.)
On top of this the PMIC has a counter that enforces a minimum on-time for the LED voltage regulator. I believe it was configured to force the LED to stay on for 3 seconds.
This PMIC is powered from the system rail, and no system rail means no power to the main SoC/processor so it's impossible to cut the 3 seconds short by yoinking the power to the entire forehead board.
tl;dr On Macbooks made after 2014, no firmware is involved whatsoever to enforce that the LED comes on when frames could be captured, and no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.
0: https://www.usenix.org/system/files/conference/usenixsecurit...
Example https://m.youtube.com/watch?v=1NNP6AFkpjs
:-)
> no firmware is involved in enforcing the LED stay on for 3 seconds after a single frame is captured.
Personally I didn't think Lenovo's later keyboards were too bad. The one on my T490s was wonderful. However since my work moved to the T14s series, the keyboards have become terrible. The key movement range is too low now, and the feel is crap. It's too bad because Lenovo was the last holdout which still had decent keyboards. The T14s is also bad in other ways, the body got thinner but the screen got a lot thicker and heavier so it's actually worse to carry than the T490s.
Anyway, ontopic: I'm not surprised these cam controller firmwares can be hacked. It's very specific to the controller though.
However, most people I know that care about privacy close the cam door anyway, or put a sticker over it. I use the SpyFy. https://spy-fy.com/collections/webcam-covers . Good luck hacking that.
What worries me a lot more is the microphone. It doesn't have a light, and it's really hard to block. A simple sticker won't do much. These things are super sensitive. I can literally hear myself talking in the other room with the right boost settings.
There are actual compromises caught this way too, it's not (entirely) just for show. A high-profile example would be Kaspersky catching a sophisticated data exfiltration campaign at their own headquarters: https://www.youtube.com/watch?v=1f6YyH62jFE
So it is definitely possible, just maybe not how you imagine it being done.
EDIT: It’s not just a capacitor, it’s a full custom chip, that can’t be software-modified, that keeps the light on for 3 seconds. >>42260379
[1] https://support.apple.com/guide/security/hardware-microphone...
[1] https://www.businessinsider.com/lenovo-thinkshutter-laptops-...
"I saw something in the news, so I copied it. I put a piece of tape — I have obviously a laptop, personal laptop — I put a piece of tape over the camera. Because I saw somebody smarter than I am had a piece of tape over their camera."
https://www.npr.org/sections/thetwo-way/2016/04/08/473548674...
Is there anyone who doesn't do this?
https://www.tomsguide.com/phones/iphones/iphone-16s-a18-chip...
An exception to that rule is if they have hardware switches for turning off the power supply to the camera and microphone.
Currently, I am very happy with my Framework, where the LED is hardwired into the power supplied to the camera[1].
[0]: https://en.wikipedia.org/wiki/Optic_Nerve_(GCHQ)
[1]: https://community.frame.work/t/how-do-the-camera-and-microph...
My current notebook, manufactured in 2023, has very thin bar on top of screen with camera, so I need a thin, U-like attachment for the switch, which is hard to find.
[1]: https://www.printables.com/model/2479-webcam-cover-slider
And there's this post, which includes an audio clip: https://goughlui.com/2019/02/02/weekend-project-mma8451q-acc...
https://www.youtube.com/watch?v=k6AsIqAmpeQ&t=1145s
And adding 2+2, the man being interviewed (Nirav Patel) is the same man who replied to my comment (HN user nrp), i.e. the man who actually did the overengineering.
If you rewind to 17:03, he talks about the changes of what the switch does (previously: USB disconnection, now: as he described in grandparent comment).
In late 2014 was the last big webcam vulnerability "hype" I remember [1], which led to a wave of media attention, webcam covers, vendor statements that LED-control is / will be hard-wired etc.
I'm more interested how this big attention impacted future designs of laptops (like my cheap HP here, which has a built-in camera cover)
[1]: https://www.usenix.org/conference/usenixsecurity14/technical...
Of course, if everyone does that, attackers will just start pulsing Thinklights and seeing if anything enumerates, I suppose.
This.
Some of the linux webcam drivers drivers have had the option to specify the behavior of the LED via a parameter since way back, including turning it completely off.
I remember this was the case ~20 years ago.
One example (look for the led-option) https://www.kernel.org/doc/html/v5.1/media/v4l-drivers/phili...
This is straight from the documentation:
"But with: `leds=0,0`the LED never goes on, making it suitable for silent surveillance"
I've seen some theatrical DJs bring a cheap pair, snap them in half, and then use them like a "lollipop." Crowd eats it up. Even older school: using a telephone handset: https://imgur.com/a/1fUghXY
There are some of these out there, from major brands (HP?). Asus seems to have more. ( https://rehack.com/reviews/best-laptops-without-webcams/ ) They tend to be workstation grade, sometimes gaming, machines at higher price points. For new laptops, see if you can customize it out on their site.
While searching for one on amazon/ebay stinks, you can find ones without webcam (doublecheck for integrated microphone status in product details too though) by looking manually for terms like "no webcam"... vendors usually don't want returns due to surprises so it will be mentioned in the product title.
links: https://laptopwithlinux.com/laptops-without-webcam/?currency...
it sounds like Apple is doing something similar to what you suggest.