Macbook webcams CAN spy on you - and you simply CAN'T TELL Security researchers have confirmed that MacBook webcams can spy on their users without the warning light being activated. Apple computers have a “hardware interlock” between the camera and the light that is supposed to ensure the camera can't be activated without alerting the user by lighting a tell-tale LED above the screen …
So, as usual, if there is programmable logic involved, all bets are off. This is something my Asus 1225B mini laptop gets right: Next to the built-in camera there is a all-mechanical slider, which puts an opaque shutter in front of the lens. The user-facing side of the shutter is light-colored so I can immediately see its state. Hack that!
Apple owners can emulate this advanced security feature with a piece of duct tape.
No need to be that drastic, your friends at 3M now offer electrical tape in over 30 designer colors that aid in the identification of wires and look great with any decor and when applied to consumer electronics. Visit your local home improvement store or find them online at 3M.com.
'3M, protecting your privacy with residue free surveillance management products for over 50 years'.
Why not simply wire an LED (including the appropriate resistor) in parallel with the camera's power supply? No stupid fancy logic; just a friggen wire.
This assumes that the computer turns off the camera's power supply when not in use. Which should be SOP anyway.
You've identified for yourself why they aren't done like that at the factory. Manufacturing costs don't calculate straightforward, at all. A part that costs $.04 might end up costing $.65 cents by the time it's installed especially if it's wired up (the wiring will probably be done manually, it's really hard to route wire by machine). That doesn't sound like much until you consider the tens of millions that will be produced every year. Reducing parts count by just one or two $.04 components equals many millions of dollars saved per year.
If you want to do it yourself go for it. It won't be hard unless you're wanting to offer it as a service for a few million of your friends :)
Some of them work in studios, so a scalpel, some tin foil and a wee touch of SprayMount will provide a very neat (though semi-permanent) solution.
Otherwise, this stuff http://www.maplin.co.uk/p/3-multi-purpose-magnetic-tape-19mm-x-5m-n77gb makes it very easy to make a opaque sliding mechanism.
"To defend against these and related threats, we build an OS X kernel extension, iSightDefender, which prohibits the modification of the iSight’s firmware from user space."
Whoa, you can reprogram the iSight firmware from userspace, that's a bit mad, I assume the next security update from Apple will plug that.
If I would expect to become a target of such shenanigans, frankly I'd be WAY more concerned about the built-in mic laptops tend to have these days - as noted, any cover takes care of the webcam, but there's no such guarantee about the mic, and that one doesn't even come with a warning light in the first place! Unless you expect to capture people constructing bombs in plain sight or counting suitcase-loads of money or evidence of some "adult action" or something, I'd think images won't do you all that much good. Listening to conversations, on the other hand...
I have discovered a 3.5mm jack plug inserted in the appropriate orifice disables the built in mike. Of course, it is pointless if you have a mike connected to the aforementioned 3.5mm jack. Personally I use aluminium foil over the webcam and an empty plug in the socket. Unobtrusive and aesthetic is the fruity orchard way.
Quite possibly. Mechanical switching for a microphone socket is just like that used for an earpiece - the tip of the plug displaces a contact in the socket to physically disconnect the onboard device. PC motherboards tend to do it with logic though - it's not so easy mechanically switching a 5.1 output using only the front panel jack. :-)
"...your sarcasm tag is ineffective because there is no opening one."
The point was a thing called humour. Maybe you should do a little research.
And I was not trying to write code that would parse in a compiler. I was saving it as a punchline to a joke. Punchlines are normally made at the end, not at the start.
Or are you claiming you typed <sarcasm> once in a post and still haven't turned it off yet?
can anyone shed light on why they'd design the LED to be programmable like that ?
I mean, sure the basic way you'd engineer a power LED, is to connect it in line with the power (in this case to the webcam). webcam gets power, led on. job done.
why on earth would you both to design electronics to make the two independent of each other UNLESS you wanted to be able to do such a thing ?
I can't say why it was designed that way but the generic reasoning would be to give more capabilities, and more flexible options, than a simple LED across the camera power supply gives.
For example the LED can be PWM controlled allowing it to be dimmed or brightened depending on ambient light levels, it can be flashed to indicate status, such as drawing attention to it if a physical shutter were closed and you were trying to use it. If taking still shots, the camera can be kept on and the LED flashed as each shot is taken.
Should the LED be on when the power is on or on only when the camera is in use? We can argue that all day long and not have a universal consensus. Arguably the best solution is that which allows either and that's likely what the designer decided to do.
Done this way the manufacturer or designer of the camera part doesn't have to worry about how the system integrator wants to use it or what they chose to use; they have all options available to them. If they want it to behave differently it's simply a firmware mod not a hardware redesign. In fact it allows old product to be upgraded to new functionality simply by uploading firmware to it. This would usually be seen as an advantage though in this case it also creates a problem.
All true. In that case... 2 LEDs, one programmable and one linked physically, in different colours? Surely that's not going to be a big cost overrun? Even in terms of styling/visibility, you could have one 'pinhole' with the 2 LEDs behind it so aesthetically it looks like 1 LED, but functionally you get the best of both security and convenience.
"I mean, sure the basic way you'd engineer a power LED, is to connect it in line with the power (in this case to the webcam). webcam gets power, led on. job done.
why on earth would you both to design electronics to make the two independent of each other UNLESS you wanted to be able to do such a thing ?"
Apple colluded with the NSA!
> why on earth would you both to design electronics to make the two independent of each other UNLESS you wanted to be able to do such a thing ?
Good answer from Jason above, but there's an even simpler answer: supply chain and manufacturing flexibility.
A combined LED & camera unit has to be custom manufactured to Apple's design so that the LED can be placed at the right distance from the camera. This makes the camera unit more specialised and less likely to be re-usable in another product, therefore more expensive.
Separate components can be sourced independently and are standard, off the shelf, therefore cheaper.
Supply chain was my reaction too. They sourced a camera. They sourced a LED. They sourced an MCU to link them together, job done.
What people seem to be glossing over here is that reprogramming the firmware is possible from USER SPACE. In any operating system this is a *massive* fail and is exactly the sort of system-wide damage that running in user space is designed to prevent. I would expect an OS patch to be forthcoming post haste.
I mean - hardware interlock?
Because, clearly there is no hardware interlock if it can be bypassed by any means not involving wire clippers and a soldering iron and Apple is then clearly vulnerable to a law suit for deceptive and misleading advertising or something similar.
Right, so this 'exploit' requires reprogramming of the microchip controller, and how exactly is anyone going to do that remotely? presumably thats going to take some pretty extensive OS compromise to allow, if its even possible through the OS exposed API's and you don't actually have to remove the chips from the laptop to do this! Hardly a problem for the average user.
Maybe I read the article incorrectly but I thought it said that the two proof of concepts showed how they could remotely reprogram the firmware to allow the camera to be on while the light was off....
Yep, just went back and re-read it and it clearly says they used two different ways to modify it remotely
It will require exploiting an OS vulnerability in that case, its not like you can just remote ask the OS to send data to programme the chips. The problem doesn't lie in the camera, once the OS is compromised then pretty much anything can be done firmware change wise. This just gets a story, where as a new OS exploit does not.
"Right, so this 'exploit' requires reprogramming of the microchip controller, and how exactly is anyone going to do that remotely? presumably thats going to take some pretty extensive OS compromise to allow, if its even possible through the OS exposed API's and you don't actually have to remove the chips from the laptop to do this! Hardly a problem for the average user."
Your beloved shiny is FLAWED, get over it and move on!
This post has been deleted by its author
be sure to design the $199* i-piece™ to be non-reuasble or the plebes will just be buying them. you know the type, the ones who put opened packs of designer ice back in the fridge.**
* $199 does not include delivery to your estate by our fleet of designer helicopters.
** how tacky, not opening a new pack of designer ice when having the servants mix you, or a guest, a fresh drink.
That's why something like this really should have been done with pure hardware, so it was literally impossible to power on the camera but not the LED, without physically modifying the device. As well know from Chernobyl, misleading indicators are worse than none at all.
The thing with security is everyone wants it till it costs them, whether that is Money, Time, Aesthetics or any of the above then it goes out the window.
For instance my company does the design and implementation of a large UK companies websites etc.
We had a chat with their new Information Services Developer the other day and he asked us why certain things had been done the way they had, I said they didnt want to pay.
He said thats ridiculous, I said wait till you try to get the bean counters to cough for anything, he rang me this morning apologising for his attitude and asked how we could work with such a bunch of numpties. Simple it pays the bills
One steps out onto the public street to encounter cameras everywhere, on every pole on every building and street corner. Drive down the public road; a passing plod-car has just OCR'd your license tag and accessed the central database. Step into the back yard and wave to Google or the overhead satellite or the circling drone.
Connect to the telephone system; the connection is recorded, possibly monitored. Connect to the internet, the IP is noted, cookies track the connections, and contents passed over the trunk are captured and archived.
Go to the market; plastik transactions are tracked and archived. Surveillance cameras record your movements.
Any use of links or terminals or pathways or byways exposes one to monitoring. Everything is available for capture. What is surprising is that we still get exercised when yet another fragment of supposed "privacy" is chipped away. So you've got a camera/microphone on your device. Is it truly surprising that our 'protectors' won't make use of them?
Lock yerself away in yer bedroom, mates. Then only the parabolic microphone or the laser mic focused on your windows, or the infrared viewers probing through your walls can sense yer frustration.
Yes it is bloody surprising! But you get an upvote anyway.
I've often thought about the possibility of these surveillance techniques, but never thought it could be in any way legal. I thought that we were protected by laws. Laws that require a warrant to survey actions of an individual. I'm BLOODY surprised, that, as an Australian, an Australian company (Telstra) was obliged to share data about Australian's, just so they could do business with the all-mighty fucking USA!
Okay, hacked Laptop/Desktop cameras and microphones are bad enough. Unfortunately, I think there is a MUCH larger problem with Smartphone's being hacked as the damn things are always with us and are probably easier to hack.
The NSA already has backdoors to most if not all communication devices and systems and once you add the GPS, Bluetooth, Acceleration, Compass and other built-in sensors to the cell phone cameras and mikes, you have a truly scary piece of very portable surveillance technology. The fact that batteries can't be removed from many cellphones is likely deliberate. Wanna bet they can read body temp, heartbeat, respiration rate too?
BTW, Gray, you should know that various "Video Management Software" companies are currently working on solutions to connect personal cell phone cameras in a sort of "crowdsourced" video surveillance system.
That way we can all become unwilling unknowing partners in police/government surveillance. They already have systems that use remote mikes to triangulate the position of gunshots, add some facial recognition & and Orwells Big Brother looks tame by comparison.
"I think perhaps you need to realise there are other phones on the market other than ones made by Apple and a good number of them do indeed have normal removable batteries."
I think perhaps you need to realise that companies OTHER than Apple are building phones with permanent batteries. Recent phones from the likes of HTC and Motorola spring to mind. Indeed, due to a demand for more battery life (and, if you're paranoid, a desire to steal control away from users), more phone manufacturers are doing this. I personally don't trust this (I insist on being able to yank a battery in case of a sleeplock or wakelock), but consumers aren't the only voice in the matter, and the consumer doesn't always win in this market.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
