
Vendors must start adding physical on/off switches to devices that can spy on us - jrepinc
https://larrysanger.org/2019/04/vendors-must-start-adding-physical-on-off-switches-to-devices-that-can-spy-on-us/
======
rudolfwinestock
Janie Crane: “An off switch?”

Metrocop: “She'll get years for that. Off switches are illegal!”

—Max Headroom, season 1, episode 6, “The Blanks”
[https://www.maxheadroom.com/index.php?title=Episode_ABC.1.6:...](https://www.maxheadroom.com/index.php?title=Episode_ABC.1.6:_%22Blanks%22)

~~~
rolph
A real-life Blank Reg here. I live in an RV, operate a MESHNET and do everything
I can to foster a common person's free decentralized infrastructure.

As mentioned elsewhere, I've been taping cameras and stabbing microphones for
years now.

~~~
e9
Tell me more about how I can get involved

~~~
acct1771
Explore and evaluate meshnet projects, find one that you like, and educate
others about them.

Set up the hardware, link up with existing mesh if you're in a dense enough
area.

Push federated services like Matrix and ActivityPub based services like
Mastodon, so when it's time to go mesh, people don't laugh when you say "It
doesn't reach Facebook/Insta".

~~~
rolph
and check out the Project-Byzantium.

[https://github.com/Byzantium/Byzantium](https://github.com/Byzantium/Byzantium)

[https://project-byzantium.org/](https://project-byzantium.org/)

[https://hackaday.com/2015/04/28/meshing-pis-with-project-byz...](https://hackaday.com/2015/04/28/meshing-pis-with-project-byzantium/)

~~~
squarefoot
Uses kernel 3.x and latest commit is dated 2014 though. I believe there are
more actively maintained mesh networking options in OpenWrt.

~~~
rolph
The important part is the configs; other than that it is just another distro. A
very small niche group serviced this distro, and it seems to be derelict. The
useful part of BZ mesh is USB bootup, so any machine can become and unbecome a
node. Sometimes something is finished and nothing further is done, then a new
way pops up. The advantage to Porteus is it's pared down for rapid boot-up, to
reestablish a node while walking about on the fly.

"Major changes include: Kernel 4.16.3 Core is based on Slackware current 7
desktop options to choose from!"
[http://www.mirrorservice.org/sites/dl.porteus.org/](http://www.mirrorservice.org/sites/dl.porteus.org/)

I believe it's OLSR you may like.
[https://wiki.dd-wrt.com/wiki/index.php/Mesh_Networking_with_...](https://wiki.dd-wrt.com/wiki/index.php/Mesh_Networking_with_OLSR)

------
HALtheWise
Am I the only one who has far more sensitive content visible on the screen and
filesystem of my computer than through its camera? I feel like, at least for
the threat models that I consider likely, if someone manages to hack my laptop
and get (for example) microphone access, the thing I am most worried about is
that they will use acoustic analysis of keystrokes to recover my banking
password, not that they will hear me... singing in the shower, I guess? Based
on my understanding of current laptop OS's, just directly making a key-logger
the straightforward way is easier anyway, so I'm not that concerned.

I fear that the sense of security people feel from putting tape over their
webcam might be hiding much more realistic threats.

~~~
craftyguy
> Am I the only one who has far more sensitive content visible on the screen
> and filesystem of my computer than through its camera?

Am I the only one who realizes that I may not be the one who may benefit the
most from having a way to physically turn off the camera/mic device?

~~~
ncmncm
I.e.

All you people who insist on carrying eavesdropping devices near me are a
threat to my privacy.

All of you people who persist in posting to FB and tagging pics I might be in
are a threat to my privacy.

Yes. It is a problem.

------
walterbell
Thanks to Purism laptops and phone for taking the lead on kill switches for
sensors,
[https://puri.sm/learn/hardware-kill-switches/](https://puri.sm/learn/hardware-kill-switches/)

~~~
btashton
Why do I trust my WiFi card's disable pin, but not the "soft button" on my
laptop that triggers it via the OS? I get that there is more software when it
goes through the OS, but I trust that a whole lot more than the firmware on
the WiFi card.

This is from the same group that tries to explain how they don't use
proprietary firmware blobs by using the Redpine chips just because the blob is
already flashed on it rather than loaded into RAM on boot.

I wish they would just say it how it is rather than overselling.

~~~
cmrx64
At least in the case of Purism’s Librem 5 (unreleased), it’s not a disable
pin, it’s removing power entirely from the wifi peripheral. Which is a step up
for sure.

~~~
btashton
If it is the same as the laptop they are using the W_DISABLE pin not power.

~~~
cmrx64
Yeah, according to the devkit schematics the switch controls W_DISABLE- their
blog post talks about the virtues of "removing power"...

------
narrator
TVs and other gadgets that have no microphones or video cameras embedded in
them should have a certification like "organic". "NoSpy Certified" or a
similar trademark would be appropriate right next to the UL and CE marks.

~~~
monocasa
Well, 'organic' as a certification doesn't really mean anything. And UL was
kind of a joke from having dealt with them personally.

~~~
yayadarsh
This is absolutely untrue. "Organic" is a regulated term by the USDA,
requiring verification from an accredited certifying agency.

~~~
monocasa
USDA organic allows non organic pesticides and herbicides. It's a joke of a
standard.

~~~
BenjiWiebe
Really? Growing up on a farm, and having friends/acquaintances who were either
organic or interested in going organic, I don't recall that pesticides and
herbicides were allowed. The so-called "organic pesticides" and "organic
herbicides" I've seen are mostly just all natural snake oil...

~~~
tgb
Here's the list of non-organic substances allowed by USDA [1] and hopefully it
means more to you than it does to me.

[1] [https://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=06b088e611c...](https://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=06b088e611c5f18a4d02ca9945a1c3dd&rgn=div8&view=text&node=7:3.1.1.9.32.7.354.2&idno=7)

------
zw123456
Note that a physical switch can be overridden just as easily as a soft switch;
the vendor can just put a soft switch in parallel with it and you would never
know it. The hard switch could turn off the display, speaker etc. while the
processor and radio can stay on.

~~~
cobbzilla
Hopefully this would easily be detected, and the brand damage from the
resultant public shaming should be enough of a deterrent. But maybe it's
really well hidden and eludes detection, or people just don't care and there
is no brand damage, or maybe even there's no "real" brand to damage (OEM
crapware).

~~~
snaky
What's the _brand damage from the resultant public shaming_ of e.g. Google
Nest Guard's 'hidden' microphone?

~~~
meowface
That's different. While still very bad, one is omission, and one is full-on
deceit.

~~~
amelius
How meaningful is brand damage when a company has a quasi monopoly in multiple
markets?

~~~
mises
Nest Guard is a monopoly? Or were you referring to something else? I also
think a lot of this is completely non-essential (e.g. Nest Guard). I do not
have any such "smart devices" at home, and encourage others to do the same.
They provide, in my opinion, very little benefit for a great sacrifice. And
all that aside, they're just too dang expensive. I don't see the point of
spending $600 on a machine-learning toaster.

------
mLuby
To suggest an alternative, all devices capable of internet communication must
allow their traffic to be decrypted by their owner (how that password gets set
is up to the individual device). This would allow owners who care to set up a
man in the middle and confirm that all outgoing (and maybe even incoming)
traffic to the device is what they expect. Any outgoing message that is not
decryptable or not expected would be a red flag (which the vendor could try to
explain if it is a non-spy message like an unusual error code).

Cryptographically I believe it is possible to encrypt a message such that
either the user's key or the vendor's key can decrypt, but I'm not 100% sure.

~~~
NegativeLatency
What you’re describing is possible and is done currently in corporate
environments by forcing devices to accept a self-signed cert that allows
companies to spy on their employees' traffic.

Haven’t seen anything for the home market yet, and I’m not sure how you’d get
a consumer IOT device to accept your cert.

~~~
userbinator
Whenever the topic of MITM middleboxes comes up, there is usually a vehement
opposition to them from much of the security community... while they bring up
some valid points, I can't help but wonder if there is some deeper agenda
behind that opposition, since these also seem to be the same people who are
pushing the user-hostile walled gardens.

(Personally have been using a MITM proxy on my network for over a decade.
Besides the filtering, it also has a useful side-effect of upgrading all
connections to TLS 1.2, and when 1.3 becomes more common or mandated, I only
need to upgrade the OpenSSL the proxy uses to start using it for all TLS
coming from the network. Even older devices that don't support it will still
use it when communicating outside the network.)

~~~
Gibbon1
One of the ways to deal with IoT spying is with enforced standards so the end
user doesn't rely on untrusted black boxes in the 'cloud' for the services
provided.

You should be able to firewall your smart toaster so it can only communicate
with a service under your control. In particular a service the manufacturer
has no control over.

Example for automobiles: OBD-II diagnostic ports.

------
kerng
It's interesting that no laptop vendor seems to have made a physical webcam
cover included by default - to me that seems like a no-brainer that most
customers would benefit from.

Edit: Thanks for all your comments. It seems that there are a few vendors that
do offer webcam covers by default now. Definitely will have to check those out.

~~~
seriousaccount1
My Thinkpad T480s definitely has one. Just needs a switch to also block the
microphone

~~~
maaaats
My Lenovo P1 has a fn button to disable the mic and a light showing if it's
enabled or not. Not as good as a switch, but makes me confident some random
application isn't listening at least.

------
tonto
This doesn't even mention location data from phones which is so persistently
on and hard to disable, yet any usage of maps requires it. I want it off after
that...

~~~
sanbor
Even with data off, wifi off and GPS off, mobile phones interact with towers,
and carriers are often required to keep logs of your location for a while in
case they are required:
[https://ssd.eff.org/en/module/problem-mobile-phones#1](https://ssd.eff.org/en/module/problem-mobile-phones#1)

------
jsilence
The USB spec has a part where USB devices can be turned on and off by software
on a USB hub. Unfortunately almost no USB-Hub implementation/device supports
this part of the spec. I have been looking into this for a while with the goal
of watchdogging and powercycling unreliable USB devices. The seemingly only
USB hub at that time was unfortunately not on sale any more, even back at that
time.

Maybe this could be a nice kickstarter, a smart USB hub that can be integrated
into the smart home/IoT world. I'd buy it.

Since it is separate software, not the webcam software, that is switching the
webcam off, we would not have to trust the webcam software maker to fulfill
the promise.

------
tyfon
I wonder if/when the vendors of those home assistants will be required by law
to activate on a list of confidential sounds like screams, gunshots etc.

Maybe not in one year, but in five.. ten?

If they get proper penetration it would be a tempting target for various
governments for differing reasons.

~~~
Mirioron
And regulation will require that you have one in your home, just like a fire
alarm.

The future is bleak.

------
spzb
Mirror as the site's busy pining for the fjords at the moment:
[https://web.archive.org/web/20190420110129/https://larrysang...](https://web.archive.org/web/20190420110129/https://larrysanger.org/2019/04/vendors-must-start-adding-physical-on-off-switches-to-devices-that-can-spy-on-us/)

------
tyingq
It's too bad there's not a company with enough funding and incentive to make
equivalents that don't need to phone home. Ones that are competitive in price,
functionality, etc.

The recent HN post about Mozilla's IOT offering was encouraging:
[https://news.ycombinator.com/item?id=19695595](https://news.ycombinator.com/item?id=19695595)

~~~
meowface
While that would be ideal, I don't personally mind the phoning home if it only
happens after the wake word and if the cloud service greatly improves the
response capabilities it might otherwise have. Yes, the word can be heard by
mistake, but that's just the risk trade-off I make.

I think a physical off switch would be good. At the moment I just unplug my
Alexa if I'm particularly concerned it might hear something sensitive.

I know many HN readers are far more privacy-conscious than I am, but that's
just how I think about it. I personally consider cybercriminals and people who
dislike me far greater privacy and security risks to me than tech giants or
even the US government.

~~~
samstave
What about having a home router which had a visual alert to all outbound
traffic from connected devices to their locations.

Super freaking simple to implement.

And if it were a page that you could just toggle the ability of the stream
flow by clicking on it... to create the FW rule instantaneously and stop that
flow.

You pull up a dashboard and see all your threads. If you see a thread from
[phone]-->[Facebook] and you can just disable that stream. (Where [Facebook]
is a list item of all the known FB addresses etc)
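
A minimal sketch of the dashboard idea in the comment above, added here as an example and not part of the original thread: it groups a router's connection-tracking entries into [device]-->[destination] rows and produces the nftables rule that would stop one of them. The device inventory, the destination lists (documentation-range placeholders, not real service addresses) and the `inet filter` table with a `forward` chain are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed inventory: LAN devices and named destination lists.
# The ranges are documentation placeholders, not real service addresses.
DEVICES = {"192.168.1.23": "phone", "192.168.1.40": "camera"}
DESTINATIONS = {
    "Facebook": ["192.0.2.0/24"],
    "camera-vendor-cloud": ["198.51.100.0/24"],
}

# Constructed sample in the format printed by `conntrack -L` on a Linux router.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.23 dst=192.0.2.35 sport=51514 dport=443 src=192.0.2.35 dst=192.168.1.23 sport=443 dport=51514 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.23 dst=192.0.2.35 sport=51520 dport=443 src=192.0.2.35 dst=192.168.1.23 sport=443 dport=51520 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.40 dst=203.0.113.9 sport=40000 dport=123 src=203.0.113.9 dst=192.168.1.40 sport=123 dport=40000 mark=0 use=1
tcp      6 100 TIME_WAIT src=192.168.1.40 dst=198.51.100.7 sport=40112 dport=8883 src=198.51.100.7 dst=192.168.1.40 sport=8883 dport=40112 [ASSURED] mark=0 use=1
"""

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) sport=\d+ dport=(\d+)")


def parse_flows(text):
    """Return (proto, src, dst, dport) for the original direction of each entry."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)  # first match is the original (LAN -> WAN) tuple
        if m:
            flows.append((line.split()[0], m.group(1), m.group(2), int(m.group(3))))
    return flows


def label_destination(ip):
    """Map an address to a named list; unknown destinations stay visible as raw IPs."""
    addr = ipaddress.ip_address(ip)
    for name, nets in DESTINATIONS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return name
    return ip


def dashboard(text):
    """Count flows per (device, destination) row."""
    rows = Counter()
    for _proto, src, dst, _dport in parse_flows(text):
        rows[(DEVICES.get(src, src), label_destination(dst))] += 1
    return dict(rows)


def block_rule(device, destination):
    """Build the ruleset line that drops one row; raw destinations must parse as IPs."""
    src = next(ip for ip, name in DEVICES.items() if name == device)
    nets = DESTINATIONS.get(destination) or [str(ipaddress.ip_address(destination))]
    return "add rule inet filter forward ip saddr %s ip daddr { %s } drop" % (
        src, ", ".join(nets))


if __name__ == "__main__":
    for (device, dest), n in sorted(dashboard(SAMPLE_CONNTRACK).items()):
        print(f"[{device}] --> [{dest}]  {n} flow(s)")
    print(block_rule("phone", "Facebook"))
```

A named list is only as good as its address ranges, so rows that resolve to raw IPs are the ones worth reviewing first.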

------
svrtknst
While physical switches would be nice, and I generally am a fan of them, IMO
they still require trust in the manufacturer.

If I don't trust their software switches, why would I trust their hardware
switches?

~~~
HNKingpin
You should be able to see the effects, no? At least in cameras (the light
won't be flashing).

~~~
Nasrudith
Well the thing is they are absurdly fine electronics. It is trivial to reroute
so that the switch applies to the LED and not the camera itself (and some
other trickery based upon reading its state while keeping it covertly
operational). Said lie could still be detected in other ways of course but it
wouldn't be a simple and complete fix.

~~~
NikkiA
To be fair, if I wanted to build covert surveillance I could also trivially
make the switch _appear_ to turn off the camera to commercial camera software
but not actually disconnect from my covert software that I provide to TPTB.

------
upofadown
>Another “clever” solution is to use a software off switch, like this (for
Windows). But it simply turns your webcam’s driver on and off.

The OpenBSD people have recently made microphone off the default at the kernel
level. You need to have root access to turn it on again and you need to take
an explicit action to have it come on at boot. That is actually sort of secure
as people don't run as root in *nix environments when they are doing things
that can get them cracked (i.e. run web browsers). Turning the microphone on
should really be an admin level thing...

Perhaps what we want isn't a switch but a button. You can activate it but it
is off by default. There really needs to be an obvious light as well...

------
HNKingpin
That should be the standard for every device, regardless if it spies on you or
not. It's so weird how the above article even had to be written.

------
rdl
“Must” according to who? Should, in many cases, sure.

I’d rather physically removable sensors rather than off switches, though.

Cameras on laptops are far from my greatest concern. Microphone on cellphone
is a much bigger concern, as well as perpetual passive metadata plus sensitive
data on third party servers required for normal functioning of most services.

------
polskibus
Such suggestion seems like something that could be whispered to EU
commissioners as a protection for consumers.

------
sudoaza
I would totally buy into this. Recently I found two really disturbing facts
that made me uninstall Instagram:

- first, that while it's open it listens to what you say and then shows you ads
  based on that (no, I didn't search for the same thing, nor could it be an
  expected interest of mine)
- second, I found that my location was briefly turning on and back off by
  itself; on one of those on/offs an Instagram notification arrived, and after
  uninstalling that never repeated.

We need control back on our devices. A friend went so far as to add a physical
on/off on his MacBook. I went out of my way to get a mobile I can root
easily. There is a market for this.

~~~
jondumbau
Can anyone else comment or corroborate this? I don't disbelieve you but it's a
gigantic if substantiated and would definitely get me to leave the platform.

------
rurban
So how would you do that with routers, which in the UK conveniently pass a copy
to NSA of all communication, with phone baseband devices (Qualcomm), with PC
CPUs which all have mandatory "lawful" backdoors?

The webcam and microphone are only half of the story.

------
Hydraulix989
Careful!

It's just as easy to make a faux off switch that actually just triggers it to
disable itself in software. The switch needs to actually cut ALL power going
to the camera hardware.

I remember some webcams having LEDs that were controlled in software so
hackers were able to turn the LED off in code while still recording with the
camera the entire time.

For now, I will still have my physical webcam cover on because hackers can't
stop it from working without physical access to my machine.

That said, there isn't much interesting to watch if you really wanted a live
feed of my webcam (other than frustrated looks on my face while I'm debugging
the work issue du jour).

------
username223
Meh. Houses still have windows, and people still have binoculars, but we seem
to get by fine with blinds. Tape over your webcam, unplug Alexa, or turn off
your phone if you want more privacy.

More importantly, there is a social norm that you don't look through people's
windows with binoculars. Of course police, spies, or creeps might do it, but
that's incredibly rare. Unfortunately, the social norm (and business model) of
the modern web is that companies build ever-more-powerful binoculars to
constantly stare. That's the real problem we need to fix.

~~~
Mediterraneo10
> unplug Alexa, or turn off your phone if you want more privacy.

Fully turning off either means having to wait for the devices to boot up
whenever you want to actually use them. That time adds up. A mic kill switch
would allow the device to be immediately used at the flick of that switch.

------
jtr1
I agree with the author's aims, but for the average person the difference
between a hardware and software switch is likely immaterial. To the
uninitiated, there's not a great reason to trust that Alexa's "mute" button
does what it says.

To gain trust, I think we need tactile physical interventions: a built-in
webcam cover and a slider over the microphone. If it doesn't exist already,
I'd imagine there's a market for a nicely designed phone case that includes
both.

------
rotrux
How do we enforce this? We want the federal government to start investigating
factories & banning imports of electronic devices with X sensor and Y
connectivity capabilities? Do we sue Best Buy unless it changes all its
suppliers immediately? The _precedents_ set by categorizing and condemning
could create more harm than good.

Like so many other privacy articles I read, this one has its heart in the
right place, but it treats reality and implementation as an afterthought.

------
rolph
It's about time this idea has caught some traction. I've been taping over
cameras, and stabbing microphones with a safety pin and stating the absence of
lens covers for years.

------
dwheeler
I would dearly love to have this. If it's controlled by software, then it is
subvertible in a way that pure hardware solutions should be invulnerable to.

------
swiftcoder
The 1st-generation Echo has a hardware microphone cut-off, but I've never seen
confirmation that the Dot (or any later variants of Echo) continue to have a
hardware cut-off.

I'd hazard a guess that once the public seemed relatively unconcerned about
Echo snooping on them, the hardware cut-off would have been removed for cost
reductions (alongside the twist-to-adjust volume control).

------
Tepix
A vendor who doesn't like it could just make it very inconvenient to use the
on/off switch, for example by making it take a very long time until the device
becomes available after it has been turned off using a switch. Thus users
would be strongly discouraged to use the switch.

------
api
It would take a law since as it stands it would defeat the purpose of these
devices: to spy.

~~~
briandear
The purpose of a webcam is to spy?

~~~
snaky
Could we ask any Chinese webcam vendors - which constantly upload the
stream to some Chinese clouds - what the _main_ purpose of their devices is?

~~~
6nf
Oh it's for convenience so I can log in remotely and view my camera, pay no
attention to the Chinese server farm in the middle.

------
HocusLocus
Frankenstein knife switches ornate polished brass actuators

webcams with closable eyelids (and eyelashes, eyelash mites)

then in hacker movies the eyelid can spring open

------
fwip
In the meantime, unplug your device when you're not using it.

Or spend $3 on an inline-USB switch, so you can be sure that the switch
actually does what it says on the tin.

------
WalterBright
Also a physical switch to enable writing to the flash rom. That way, malware
infections to standalone devices won't survive a reboot.

~~~
Scoundreller
Better yet, some kind of physical flag when a write is being attempted. When
it flags unexpectedly, you know the logs are worth looking at.

Pirates used to install locks on their satellite receivers to prevent
countermeasures, or at least defer problematic updates.

------
amelius
This sounds similar to the "do not track" setting in browsers ... which was
respected by almost no websites. Why would it work this time? (Physical switch
or not)

~~~
lukeschlather
"Do not track" is kind of fundamentally misguided because it's physically
impossible to verify and amounts to just another bit of tracking information.

Physical switches are physical and auditable and if the switch is audited to
work, it works.

------
nilskidoo
How quickly everyone forgets this, and how desperate is the urge to deny how
all-encompassing a thing it is:
[https://theintercept.com/2015/08/26/way-gchq-obliterated-gua...](https://theintercept.com/2015/08/26/way-gchq-obliterated-guardians-laptops-revealed-intended/)

