
Research shows how MacBook Webcams can spy on their users without warning - clint
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/18/research-shows-how-macbook-webcams-can-spy-on-their-users-without-warning/
======
x0054
Honestly, I don’t understand why it’s so difficult to create a camera chip not
susceptible to any software hack. The camera sensor needs electrical current
to work. Simply place the LED inline or in parallel to the camera and you are
done. Any time current is sent to the camera sensor, the LED can't help but
light up. My knowledge of electronics is limited, but I know for a fact that
this can be achieved without the use of any reprogrammable microchips, with
the use of a simple electrical circuit.

~~~
Theodores
Having an inline LED is still a bit over-engineered in my opinion.

The earliest standalone webcams, for instance Logitech models and the IndyCam
that came with the Silicon Graphics 'Indy' workstation, had a 'door' that you
could slide over the lens when not in use. Lenovo had this on their all-in-one
PCs a few years ago but I don't think they kept that feature.

What was wrong with the slide-across lens cover?

You would think it would be an essential feature for some.

~~~
oneeyedpigeon
Macbooks already have this: it's called the keyboard and it "slides over the
lens" when you close the laptop when it's not in use. Much easier to do
automatically than remember to slide a 'door' across. Or do people really
leave their laptops open when not in use?

~~~
cfreeman
That doesn't prevent spying when you are using your computer, which could be
really embarrassing if you are for instance looking at porn. Also, sometimes
you want to leave it on when you aren't using it, like when you're
downloading something.

~~~
oneeyedpigeon
No; I don't think any of the suggestions here can solve the 'someone might be
spying on me whilst I'm already using my camera' problem - that's a very
difficult one to cater for.

On the whole, I think this discussion focuses on the wrong 'problem'. If
someone can gain access to your computer, taking control of the camera is just
one of a whole host of nasty activities they could get up to - the real
problem is securing against remote access in the first place.

------
jrochkind1
So their proof of concept malware... actually changes the firmware in the
camera micro-controller? Do I have that right?

Here's the research paper linked to in the story, if anyone wants to see what
the researchers have to say. I haven't taken a look yet myself:
[https://jscholarship.library.jhu.edu/handle/1774.2/36569](https://jscholarship.library.jhu.edu/handle/1774.2/36569)

Ah, there it is right in the abstract, yep:

> The same technique that allows us to disable the LED, namely reprogramming
> the firmware that runs on the iSight, enables a virtual machine escape
> whereby malware running inside a virtual machine reprograms the camera to
> act as a USB Human Interface Device (HID) keyboard which executes code in
> the host operating system.

Ooh, neat.

~~~
Zikes
Seems that way. It wasn't too long ago there was a post about new breeds of
malware that target various microcontrollers throughout a PC, able even to
"hide out" in something like an optical drive to avoid detection or removal.

------
justin
I would be more concerned about the microphone. I can easily cover the camera
with tape. Also, random pictures of me programming or reading HN are probably
less damaging than audio recordings of conversations I might be having.

~~~
StringyBob
My current Thinkpad has a physical switch to disable radios. I'd like to have
a physical 'privacy' switch that cut the power to internal microphones and
cameras. To be security aware, this has to be an auditable hardware power
switch, and not just an interrupt/driver/bios combination that could be
bypassed. It's also preferable for security to have an off-by-default
switch, than an activity light you might not notice...

~~~
smsm42
Great idea. Must be a physical switch that just cuts all physical links
between the camera/microphone and the rest of the system, so that no
reprogramming is possible. Unfortunately, little chance to see it in Apple
products, as such switch would probably not look "slick" and would probably be
considered "confusing for the user" and as such not suitable for implementing.

~~~
sneak
> Unfortunately, little chance to see it in Apple products, as such switch
> would probably not look "slick" and would probably be considered "confusing
> for the user" and as such not suitable for implementing.

That was my first thought, but then I realized the absolutely ridiculous
extent to which Apple goes to build secure devices, and how "slick" the mute
switch is on iPhones and iPads.

I wouldn't bet against it.

------
auctiontheory
One of my friends always keeps her MacBook open, and had Skype set up to auto-
answer video calls. (Until I fixed that for her.) She's a very educated
professional woman who teaches at a university you've heard of.

In other words, HN readers might come up with defensive hacks, but 99% of the
population is completely vulnerable to all kinds of spying, whether government
or stalker, and the situation can only get worse as wireless electronics
pervade every part of our lives. Books? Internet-enabled. Fridge? Internet-
enabled. Car? Internet-enabled. Our own bodies? Carry wireless-connected
smartphone 24x7.

~~~
Zikes
One could argue that devising an effective privacy strategy to build into new
device categories would be a waste of time until the devices are sufficiently
popular enough to warrant the effort.

Now that we've reached that tipping point there should be sufficient interest
from an adequate number of skilled and educated people to begin to work on
solving this problem.

~~~
bithive123
Display-mounted cameras should have a sliding lens cap built in which can
close (but not open) itself after a configurable period of non-use.

~~~
indrax
Which then nearly ruins the use case of theft recovery software. Sometimes you
want to turn on the camera in software.

~~~
bigiain
I wonder where the balance of good things vs bad things that've happened due
to software-enableable laptop cameras currently sits?

I strongly suspect that the number of stolen laptops recovered thanks to the
owner being able to use the camera to "invade the privacy and potentially take
creep-shots" of the unauthorized current user, is way way smaller than the
number of people who've had their privacy invaded and potentially had
creepshots taken by their laptop's unauthorized "p0wners".

------
eurleif
And I thought I was clever for turning the light on for only a tiny split-
second to take a picture... (I wasn't writing malware. I put the program on my
own laptop before I sent it in to be serviced.
[http://ecritters.biz/applecarefacility/](http://ecritters.biz/applecarefacility/))

~~~
praptak
It actually _is_ clever. I like this "go around instead of breaking" approach
very much. Two similar cases:

A car magazine claimed they discovered a serious weakness in a particular
brand of a steering wheel lock. The company made a series of improvements to
the lock and challenged the magazine to demo their hack. The magazine guy
approached the new lock, gave it a good hard yank and it came off the steering
wheel.

Another one was the Flash fullscreen mode. Flash used to (probably still does)
display a hard-coded warning after the app went full screen - obviously to
prevent Flash apps from impersonating browsers, OSes and so on. I've seen a
demo that took advantage of the fact that the text was an overlay over what
the app displayed.

The demo app just went full screen and printed lots of messages in the same
font as the Flash warning, all over the screen. The overlay was still visible
(Flash made it impossible to hide or cover) but it was basically impossible to
read. The demo then pretended it did a Windows restart - it was pretty scary
:-)

~~~
dec0dedab0de
Do you have sources? They seem like interesting stories.

~~~
damoncali
Don't know, but I've seen The Club circumvented by cutting the steering wheel
with what looked like gardening shears. Literally took less than two seconds
to remove the device.

------
headgasket
... The voice came from an oblong metal plaque like a dulled mirror ... The
instrument (the telescreen, it was called) could be dimmed, but there was no
way of shutting it off completely. (1.1.3) Oceanians live in a constant state
of being monitored by the Party, through the use of advanced, invasive
technology. It was terribly dangerous to let your thoughts wander when you
were in any public place or within range of a telescreen. The smallest thing
could give you away. A nervous tic, an unconscious look of anxiety, a habit of
muttering to yourself – anything that carried with it the suggestion of
abnormality, of having something to hide. In any case, to wear an improper
expression on your face (to look incredulous when a victory was announced, for
example) was itself a punishable offense. There was even a word for it in
Newspeak: facecrime, it was called. (1.5.65)

What's aggregated about you? Are you against this monitoring that protects us
from fear and terrorism? Did you state that in some online devious hacker
forum?

INFORM and VOTE

------
wil421
I really would hate to taint my MBP with ugly duct tape on the camera, but I
may have to in the future.

Months ago I read about a company that rented laptops for people to make
payments on and eventually own. They installed spy software so they could
locate the laptops had the user not made a monthly payment. Employees were
spying on users while they were having sex and other things. This wasn't on
MBPs but they still managed to not notify the user.

[http://www.wired.com/threatlevel/2012/09/laptop-rental-spywa...](http://www.wired.com/threatlevel/2012/09/laptop-rental-spyware-scandal/)

~~~
daeken
> I really would hate to taint my MBP with ugly duct tape on the camera, but I
> may have to in the future.

A tiny piece of black electrical tape blends in nicely and won't leave gunk on
your bezel.

~~~
Don_
>All these tape/paper/etc advices to cover the webcam

Jesus Christ, guys. Do you use Linux?

Just blacklist the webcam module to prevent it from loading whenever the
system boots. Want to use the webcam? Load the module manually.

    # modprobe uvcvideo

Want to unload the camera again? Easy.

    # modprobe -r uvcvideo

Generally, it's the uvcvideo module, but it might change from system to
system.

A malicious code would need root access to your system to load/unload the
webcam module. If someone has root access to your computer/to execute code in
your computer, you're in MUCH, much deeper shit than if you let someone film
you. Seriously. Specially if you use your computer for money transactions or
talk about important stuff to people.
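
A check for the setup described in the comment above, as an added example that is not part of the original post: `blacklist` only stops alias-based autoloading (which is why a manual `modprobe uvcvideo` still works), while an `install uvcvideo /bin/false` line makes `modprobe` itself refuse. The function names and the constructed sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit how firmly a camera driver module is kept out of the
# kernel. Rule syntax follows modprobe.d(5); all sample data is constructed.

# module_policy MODULE CONF_DIR...
# Prints the strongest rule found for MODULE in the *.conf files:
#   none            - no rule; the driver autoloads when the device appears
#   blacklist       - alias-based autoloading is off; explicit modprobe works
#   install-blocked - "install MODULE /bin/false" (or /bin/true): modprobe
#                     runs that command instead of loading the module
# Neither rule stops root from using insmod, which ignores modprobe.d.
module_policy() {
    mp_module=$1; shift
    mp_result=none
    for mp_dir in "$@"; do
        for mp_file in "$mp_dir"/*.conf; do
            [ -f "$mp_file" ] || continue
            mp_found=$(awk -v want="$mp_module" '
                # modprobe treats "-" and "_" in module names as the same
                function norm(s) { gsub(/-/, "_", s); return s }
                BEGIN { want = norm(want); r = "none" }
                { sub(/#.*/, "") }                      # drop comments
                $1 == "blacklist" && norm($2) == want {
                    if (r == "none") r = "blacklist"
                }
                $1 == "install" && norm($2) == want &&
                    ($3 == "/bin/false" || $3 == "/bin/true") {
                    r = "install-blocked"
                }
                END { print r }' "$mp_file")
            case $mp_found in
                install-blocked) mp_result=install-blocked ;;
                blacklist)
                    if [ "$mp_result" = none ]; then mp_result=blacklist; fi ;;
            esac
        done
    done
    printf '%s\n' "$mp_result"
}

# module_loaded MODULE [MODULES_FILE]
# Succeeds if MODULE is listed in MODULES_FILE (default /proc/modules).
module_loaded() {
    awk -v want="$1" '
        BEGIN { gsub(/-/, "_", want) }
        $1 == want { found = 1 }
        END { exit !found }' "${2:-/proc/modules}"
}

# audit_module MODULE MODULES_FILE CONF_DIR...
# One-line summary combining the configured policy and the live state.
audit_module() {
    am_module=$1; am_modules=$2; shift 2
    am_policy=$(module_policy "$am_module" "$@")
    if module_loaded "$am_module" "$am_modules"; then
        am_state=loaded
    else
        am_state=not-loaded
    fi
    printf '%s policy=%s state=%s\n' "$am_module" "$am_policy" "$am_state"
}

# Demo on constructed input. On a real system the call would be:
#   audit_module uvcvideo /proc/modules /etc/modprobe.d /run/modprobe.d \
#       /usr/lib/modprobe.d /lib/modprobe.d
demo() {
    d=$(mktemp -d)
    mkdir "$d/weak" "$d/strict"
    printf 'blacklist uvcvideo  # no autoload\n' > "$d/weak/camera.conf"
    printf 'blacklist uvcvideo\ninstall uvcvideo /bin/false\n' \
        > "$d/strict/camera.conf"
    # Constructed /proc/modules line: the driver is currently loaded.
    printf 'uvcvideo 114688 0 - Live 0x0000000000000000\n' > "$d/modules"
    audit_module uvcvideo "$d/modules" "$d/weak"
    audit_module uvcvideo /dev/null "$d/strict"
    rm -rf "$d"
}

demo
```

A result of `policy=blacklist state=loaded` is the case worth alerting on: the configuration says the camera driver should stay out, yet something loaded it.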

~~~
adsr
The same thing is possible on OS X with kextload/unload and kextutil. Moving
the extension to a "disabled" folder and so on, and you have a camera without
a driver.

I would say that it's still notable even if it relies on root access, since
it's been previously believed that this was not possible with software at all.

------
SiVal
I want hardware on/off switches for camera, microphone, wifi, bluetooth, and
maybe even external speakers. These should be power switches, not switches
that make a polite request to firmware for the firmware to act as if the
devices are off.

~~~
pavel_lishin
I'd pay someone $10 if I could figure out a way to make sure that my macbook
never plays the "I AM NOW TURNING ON" sound.

~~~
switz

        sudo nvram SystemAudioVolume=0
    

If this works for you, please donate the $10 to Archive.org.

~~~
oneeyedpigeon
If that works for me on my Mac Mini, I'll donate $10 to Archive.org too.

~~~
oneeyedpigeon
Actually, it worked even better than I expected - it still chimes, but almost
inaudibly, which means it won't wake anyone up but I can still tell I've hit
the power switch - so $10 duly donated. Thanks v. much.

------
nodata
On early Macbook webcams it was electrically impossible to turn on the webcam
without activating the light next to it. I'll see if I can find a source.

Edit: the story refers to _precisely_ these early Macbooks. Yikes.

~~~
lucaspiller
Any ideas why they changed it? Surely the circuit would be simpler like this
rather than having the LED hooked up to the microchip and software controlling
it.

~~~
kyzyl
If you have the LED hooked up in parallel with the chip, then you can't really
do any fancy indication things like blink the LED, change colour (voltage
level) etc. It's possible that the engineers wanted to maintain that
flexibility.

Second, if the LED fails to a short your camera won't get any power. That
means an expensive component appears to be broken when it's only a very cheap
component, and you have no way of knowing that w/o opening up and inspecting
or replacing parts. In contrast, if an isolated LED fails, one can still
verify that the camera works via software, and choose not to send it in for
repair.

Also, LEDs have a very small leakage current even in their off state. If
somebody is hyperoptimizing power consumption they might choose to put the LED
on a high impedance controller output rather than feeding off a power rail or
similar.

Finally, the desired led might work off a configurable controller output, but
that might not be the same as the output driving the chip enable pin. So you
could require extra circuitry to convert to a compatible voltage/current
level.

That's my guess.

~~~
lake99
> Second, if the LED fails to a short your camera won't get any power.

One never puts an LED on the power line directly. That will certainly blow up
most LEDs. Power rails are typically 5V or 3.3V. LED drop is about 1V (+/-
0.3, varies between part numbers). There is always a resistor in series with
the LED, to drop the rest of the voltage, and limit the current. So, LED
getting shorted is not a problem. This is the case even when we're driving
LEDs from an o/p pin. Besides, hobbyists often blow up LEDs because they're
still learning. But how often have you seen these tiny LEDs fail in
professionally designed products? I have never ever seen it happen. Degrade
and lose brightness over the years? Sure. Fail? Never.

> LEDs have a very small leakage current even in their off state.

Are you talking about reverse bias? That makes no sense in this context. When
you don't supply any power to it, there is nothing to leak.

> the desired led might work off a configurable controller output

That is what has led to this mess of surreptitious filming, in the first
place. It's time they went back to the old ways.

~~~
kyzyl
Sorry I didn't check back here for a couple days.

> There is always a resistor in series with the LED

Sure, almost always. But there are many different voltage level, forward drop,
forward current combinations for a given application. There's no guarantee,
even with a ballast resistor, that a shorted LED won't result in an
effective short to the power rail (not a real short, but drawing close to the
power supply's current sourcing limit). A resistor with a shorted LED results
in a useless current sink, in any case.

> But how often have you seen these tiny LEDs fail...I have never ever seen it
> happen.

What you've seen or not seen has very little bearing on the reality that parts
fail. Period. Things should be designed in a cost effective way that minimizes
the possibility/effects of failures. FWIW, I had a laptop recently that had a
dead LED on the front panel :-/

> There is always a resistor in series with the LED

I just meant that if your "power rail" is actually just a signal line (or
whatever) for some other purpose, and the led is there to indicate activity,
then even in "low" signal states where the LED isn't fully conducting yet
there is a small leakage current.

------
seiji
Notes from the article: they demonstrate it on a _black macbook from 2008._
They don't have a "modern" version of their disable-webcam-LED exploit.

The victim they talked to mentioned "she never saw the light on her laptop go
on" — that doesn't mean it didn't, it just means she could have just not been
looking for it.

Ideally, your webcam LED will be wired with your webcam itself. For your
webcam sensor to be powered up, the LED will be powered up as a physical
requirement of sending power to the webcam sensor. Many lesser-engineered
webcams have software controlled LEDs (kinect bar, generic egg-shaped webcams)
that don't even take "hacks" or "malware" to disable LEDs—you just run "turn
led off."

------
shabble
The obvious solution is of course a bit of tape, but that's less convenient
when you do actually want to use the camera.

I notice that the EFF have some nifty little 'ultra-removable adhesive'
stickers[1] that might do better, but what would be better is some sort of
low-profile adhesive backed sliding cover.

...

It appears I spoke too soon, there are already plenty out there, with mixed
reviews. The 'iPatch'[2] looks interesting.

[1] [https://supporters.eff.org/shop/laptop-camera-cover-set](https://supporters.eff.org/shop/laptop-camera-cover-set)

[2] [http://www.virtualspaceindustries.com/theipatch/](http://www.virtualspaceindustries.com/theipatch/)

~~~
a3n
Why don't they just build a damned slider right into the laptop?

------
unspecified
There is a freely-available kernel extension[1] to make this firmware hack
accessible to root only. The exploit depends on modding the camera firmware
from userspace.

The kext is created by the same authors of the paper[2] this article is
talking about. Search the paper for "iSightDefender".

[1]
[https://github.com/stevecheckoway/iSightDefender](https://github.com/stevecheckoway/iSightDefender)

[2]
[https://jscholarship.library.jhu.edu/bitstream/handle/1774.2...](https://jscholarship.library.jhu.edu/bitstream/handle/1774.2/36569/camera.pdf?sequence=1)

~~~
sehugg
Once you're in userspace it's a short hop to root.

~~~
unspecified
But short of any hardware changes (including taping over the camera), this
kext is as far as you can go in software.

I'd MUCH rather see an admin password prompt come up, instead of nothing at all.

------
mathhead
Nice.

I own a Logitech C920 Pro and a software called webcam settings allows me to
easily turn off the lights. If this software can do this, so can a malware.

Also, a malware can be designed to click quick snaps when there is no keyboard
or mouse activity for a specific period. This can help the malware go
unnoticed without controlling the light. Want to take it to the next level?
You can use the mic anytime to estimate the user's distance from the system
and then enable webcam accordingly. I know this would not be very accurate,
but possible.

~~~
jrochkind1
This story is not about a Logitech camera.

It is about the Macbook iSight. There is definitely no (official, known)
software that allows you to turn off the privacy light. The Apple engineers
intended it to be impossible to disable, and believed it was.

~~~
mathhead
Yes, I do understand the story is about Macbook iSight. Was just sharing what
happens with another vendor as this is relevant and related.

------
Ben-G
Interesting to note: iPhone and iPad and a lot of Android devices don't have a
camera indicator LED. While it is difficult to distribute iOS Apps outside the
AppStore (where Apple would hopefully reject an App accessing camera
information without informing the user) this totally could happen with Android
Apps distributed outside of App Stores.

A while ago I wrote a component for the iPad that emulates the proximity
sensor of the iPhone by measuring the brightness of images the front
camera captured. There was no way for the user to detect that I was actually
capturing images.

------
joshfraser
Since this is HN, a link to some related code seems appropriate.

[https://launchpad.net/isight-firmware-tools/+download](https://launchpad.net/isight-firmware-tools/+download)

------
samolang
It would be nice if there was a physical switch to disable the webcam and
microphone.

------
belorn
FBI had knowledge about this security vulnerability for years, yet they traded
the security of innocent for an increased attack capability.

This is of course nothing new. They used Firefox zero day vulnerabilities
before. It just highlights the priority that exist today. Their job is no
longer to serve and protect, but to create news article where they can gain
glory of taking down bad people.

------
uptown
Interesting in light of this:

"NSA recommends physically removing iSight webcam from Apple laptops for
security reasons"

[http://endthelie.com/2013/08/20/nsa-recommends-physically-re...](http://endthelie.com/2013/08/20/nsa-recommends-physically-removing-isight-webcam-from-apple-laptops-for-security-reasons/)

------
auctiontheory
I always cover the camera with a Post It sticky. But the mic might be
listening in on me.

Embrace Big Brother, folks, 'cos he's here.

------
nexttimer
As usual - what's possible to exploit will be exploited.

There's really only 1 solid solution to this:

Open software and open hardware.

~~~
millerm
I'm just playing devil's advocate here... Your argument for "open
software/hardware" doesn't apply here. There was an exploit found in almost 6+
year old hardware/software. Has nothing to do with the fact if it is open or
not. "Open" != "non-exploitable" || "flawless".

Edited for bad boolean.

~~~
jdiez17
Open doesn't mean it's flawless. Open means you get more eyeballs on your
designs, increasing the chance of catching a mistake.

------
vezzy-fnord
I've always sealed the webcam opening with a strip of black tape on my laptop,
personally.

------
herbig
No one has mentioned cellphone camera/microphone. I assume it's feasible to do
the same remote operation with those?

~~~
lignuist
They usually don't even have indicator LEDs and most smartphones have cameras
on both sides. It is almost as if these devices are built to spy on their
owners.

------
troubledwine
There's quite a bit of alarm here and in the wording of the article. But no
mention of HOW this exploit is applied. I mean surely they're not saying you
send someone an e-mail and if they open it their webcam firmware is changed?
Or visit a web page or have a flash banner ad run?

You'd have to get the user to download and run a package installer that
prompts for an admin password RIGHT?

In other words; this isn't just something that can happen without end user
interaction.

~~~
evan_
> You'd have to get the user to download and run a package installer that
> prompts for an admin password RIGHT?

In theory; but a motivated party with sufficient resources could simply
("simply") author a fake OS update and deliver it to you over a compromised
ISP and you'd never know the difference.

~~~
joshfraser
You would just chain multiple exploits. For the right price you can buy a
zero-day exploit for anything you want -- for the browser, OS & root access.
If you have the money, installing the camera exploit in place is trivial.

------
kayoone
That the victim in this case didn't see the light, doesn't mean that it wasn't
on. She might just not have noticed it. If the older models required so much
effort to hack, I doubt it got easier with the newer models, especially since
we are talking about Apple here.

Obv. it's still a problem, even if the light turns on. Taking a quick picture
doesn't require the light to be on for long, so it could go by unnoticed.

------
datums
I'm not crazy, yes. When I first purchased a laptop with a camera (MBP 2008) I
put tape on it. I did some research and found that the NSA had published a
report that stated they could not confidently secure the iSight camera from
external access. Trying to find it now.

------
lucb1e
TL;DR firmware flash disables LED on some webcams, particularly Macbooks'.

We already knew this:
[http://security.stackexchange.com/q/6758/10863](http://security.stackexchange.com/q/6758/10863)

------
boon
Does anyone know of how to secure against this type of thing (other than
tape)?

~~~
nexttimer
Buy hardware and software you, as the paying customer, remain allowed to
control.

~~~
superuser2
I'm assuming this is a dig at Apple. Care to show that any other laptop
manufacturer's webcams are impervious to having their firmware overwritten?

~~~
nexttimer
It's a dig at anything closed.

~~~
superuser2
Why would open source hardware not be vulnerable to this sort of attack?

~~~
jdiez17
Two reasons:

First: peer review. If your design documents are readily available,
researchers don't have to reverse engineer them. Also, by open sourcing
hardware design you lower the bar for critique: you might get feedback from an
experienced electrical engineer who might not know how to write and upload a
custom firmware for a USB controller.

Second: you can easily change it because it's not a black box.

------
bananacurve
While this is theoretically possible with some firmware hack on 2008 machines
you are far more likely to be compromised on any Android device that has side
loaded apps.

~~~
collyw
It isn't going to be possible on mine, as it doesn't have a front facing
camera.

------
tehwalrus
There was an article about this before - with a case where a hacker in
California tried to blackmail students who he'd spied on having webcam-sex
during a long term relationship.

Since I read that, I've been keeping a piece of post-it note on my Macbook Air
camera, although it does fall off occasionally (and I need to remove it, very
rarely, to actually use the camera.)

I've just upgraded it to a proper piece of card with real tape. ugly, but
effective.

------
pepijndevos
Where can I get the code? I want to try it on my 2007 Intel Mac and use it as
a signal light, much like caps lock, but for Vim insert mode.

------
sneak
What's said in my office is of a lot more value than how much my beard has
grown.

There's no light that indicates an active audio input channel.

------
andyjohnson0
Ars Technica has a good explanation of the workaround [1], including a circuit
diagram that I found helpful in understanding it.

[1] [http://arstechnica.com/security/2013/12/perv-utopia-light-on...](http://arstechnica.com/security/2013/12/perv-utopia-light-on-macbook-webcams-can-be-bypassed/)

------
krosaen
Don't existing theft recovery programs already do this?

I can't find the link right now but I remember a couple of triumphant "nerd
recovers macbook pro" stories where they show photos taken of the thief using
their macbook - presumably using this very trick to take a photo without
turning on the indicator light.

------
TheLML
Reminds me a lot of this: [http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet...](http://arstechnica.com/tech-policy/2013/03/rat-breeders-meet-the-men-who-spy-on-women-through-their-webcams/)

------
slr555
We had friends over the other night whose daughter goes to an elite private
high school in nyc. She said one of her classmates had gotten bounced from
school for executing the same hack described on fellow classmates. Kids these
days.

------
dewyatt
I don't understand why webcam indicator LEDs would ever need to be controlled
by software.

I know of one Logitech USB webcam that has this issue. Turning the indicator
off is as simple as:

    
    
      $ uvcdynctrl -s 'LED1 Mode' 0

------
FollowSteph3
I still don't understand why laptops don't have a physical slider for the
webcam that goes overtop. Unless it's open no problem. Sure u still have to
deal with audio but at least the video is taken care of...

------
mixmastamyk
How can software directly access microcontrollers in order to reprogram them?
I thought the days of DOS/System7 were long behind us... or are we talking
about kernel drivers that must be installed by root?

------
kro0ub
So, is this rooted in the firmware and hardware of the macbook itself, or does
it only apply to those running OS X?

In other words, would this work while the machine is off or running Linux?

------
wepple
The flashing of the firmware to create a VM escape (Also in the research
paper) is 100% cooler than being able to switch off the Webcam light

------
wowaname
> conventional wisdom said there was at least no way to deactivate the warning
> light. New evidence indicates otherwise.

I thought this was old news.

------
charris5
...um, FYI, this hack has been avail for several years now... welcome to a
Brave New World.

------
adamconroy
The web cam on the inferior computer I use doesn't work if I don't plug it in.

------
nelmaven
That's why I disable the webcam in the device manager

~~~
wowaname
Small chance that the driver can be installed remotely.

------
zbthomas
This is not news.

------
downer88
Welcome to 1984.

WEAKNESS IS STRENGTH

