First, you have to trust Apple that the indicator _really_ can't be disabled. You also have to trust that there isn't a vulnerability Apple is not aware of that could allow rolling the camera without the light coming on. This has happened in the past and there are known Apple products that are vulnerable, yet the statement never mentions this, making you believe it's impossible.
Second, once the camera light is on, the data has already been captured. The light just told you about it, not prevented it. The plastic cover or a piece of tape does prevent it even if your laptop security is compromised.
Third, in a world where remote conferences are more and more common, more and more software doesn't do a very good job at letting you know when it's about to enable your camera. You might click on a link to an all hands conference to listen in while you're changing only to have the software helpfully enable the camera and broadcast you for the rest of the company. I believe in big conferences the organizer may sometimes control other people's cameras as well. You can totally imagine a scenario when the organizer misclicks and enables the camera for the wrong person instead of a scheduled presenter.
Camera covers solve all of those problems.
I have made this point several times throughout this thread, so I apologize for repeating myself:
Every laptop Apple has manufactured in the last ten years has an LED connected to the same circuit which powers up the camera. You cannot send power to the camera without also sending power to the LED, which will in turn cause the LED to light up. Unless the LED is broken, in which case you will know because it will never light up.
If you manage to find a vulnerability in this system, I don't think I even mind, because you've also broken physics and very possibly found a way to generate unlimited electricity forever.
At the very least, I need a citation or an official statement. Because clearly, this has not always been the case:
We describe how to disable the LED on a class of Apple internal iSight webcams used in some versions of MacBook laptops and iMac desktops.
[..] our investigation of the iSight revealed that it is designed around a microprocessor and a separate image sensor with an indicator LED sitting between them such that whenever the image sensor is transmitting images to the microcontroller, a hardware interlock illuminates the LED. We show how to reprogram the microcontroller with arbitrary, new firmware. This in turn enables us to reconfigure the image sensor, allowing us to bypass the hardware interlock and disable the LED.
[..] iSight webcam [was] found in previous generation Apple products including the iMac G5 and early Intel-based iMacs, MacBooks, and MacBook Pros until roughly 2008
Whatever reason Apple had to design the camera system this way back in 2008 is probably still a valid reason (cost, hardware simplicity, spatial constraints etc.). It means Apple and others have incentives to build camera systems that are easier to compromise. It's enough for me to worry.
reading comprehension is an important skill to develop
Taking a quick photo doesn't illuminate the LED for long enough for a human to reliably notice.
"because you've also broken physics"
Or merely recognized the role of the human element. A shame, Apple was once good at this.
But yeah, I wouldn’t trust an LED, because I can’t reverse engineer the circuit that’s in my particular device.
A) trust that in your actual laptop in front of you, this mechanism is correctly implemented.
B) trust that you are not in the vulnerable phase where your LED broke and you did not notice yet. (Especially when you rarely use your camera).
Of course the LED can be installed in a parallel connection on the circuit, but I read the op statement as it is not the case.
Not that the camera never turns on.
I think the point though is that it's not software controlled in any way: powering on the camera lights up the LED, and there's no way to bypass that with only software. Or at least that's the claim.
A manual, physical barrier, especially an aftermarket one, solves those issues. Personally, I use electrical tape.
No, but the OS prevents the camera from turning on without permission from the user.
(There have been bugs/compromises to this in the past, but at the browser level - you still had to give camera permission to the browser)
Besides, if you’ve got some compromised or surreptitious software on your MacBook trying to secretly take photos, you probably have much bigger security problems to worry about than just what it can see through the camera.
I mean, the thing is that I never want to use video on calls, basically. Waste of bandwidth and no worry about broadcasting the wrong thing by mistake.
There is a risk/reward/effort to look at, putting a small piece of tape is low risk / low effort / high reward (if your company actually angers laptops).
I think you are taking this too far.
People who fear to be tracked buy a laptop in a random store and don't use a provided one.
Snowden already showed us the depths that governments will go to, to compromise their victims with hardware swaps and worse. And it's already been 7 years. They're even better at it now.
The realities of modifying hardware. Is it possible? Sure. Is a company going to do it routinely at scale? Highly unlikely, because unlike software modifications, this would be pretty expensive. Are you aware of any companies that routinely do _hardware_ modifications on employee Macbooks?
So I’m assuming if some do it for phones, must be some doing it in laptops.
Again. It’s all about probabilities. 1/ What’s the likelihood of the company doing that? Close to none.
2/ what would be the severity of the issue if they were doing that for me? Very high.
3/ what’s the effort level to prevent that? Very little.
This ratio ultimately tells us what to do.
But obviously this is beyond Apple.
If Apple still cared about beautiful and elegant products, it could surely find a way to incorporate a miniaturized version of that in a Macbook.
But if you had your entire net worth riding on it, would you trust yourself to be infallibly correct or would you trust something along the lines of a post-it note to be completely sure? You know, if your life depended on it on every single possible model of Apple laptop in all circumstances imaginable? (Do we include if your laptop was intercepted and altered by a hostile agent? Because we know that happens too...)
There's a scale from dead easy to more difficult to very difficult. Easier to get you is a bigger problem. Cheap & easy to prevent - well why wouldn't you? It's asymmetric.
Wouldn't you feel hilariously stupid if someone modified your camera circuit when intercepting your laptop and you actually didn't stick a post-it over it to thwart their dastardly plans?
The point here is making the kind of claims made about LEDs and camera circuits is really, really easy when telling other people what is not a risk. When you carry that risk - ie "all possible models and other threat vectors" suddenly you should not be so sure anymore. A physical cover is better, easier, cheaper and basically infallible for what it is advertised to do. Asymmetric payoffs are worth noting. Genuine plausible risk scenarios are all you need to take a /trivial/ mitigation step.
Apple making trivial mitigation steps harder is really, really, really stupid. In fact, beyond merely stupid, it's unwittingly and incompetently user-hostile. (Unless you think their design process has been infiltrated by the NSA or something, which I guess is at least possible, but I think it unlikely in the face of utterly incompetent idiocy - which Apple do display from time to time).
I don't think I even mind, because you've also broken physics and very possibly found a way to generate unlimited electricity forever.
Unless there is an option to send higher voltage to the camera (control the VRM) and increase the current through the LED to wear it off quickly, for instance. The statement is incredibly condescending, esp. given no link to actual schematics.
Should be noted that was after Apple went to the effort of making a hardware delay to try and force the LED to turn on first, but it was still worked around.
You mean current, right? And it'd have current limit circuit, at a resistor but likely a slow start circuit entirely? Unless you share the schematics, it's an empty argument.
You make multiple assumptions here
1) You assume that during the time that passes between the LED breaking and the user noticing, there was not a single attack or a single blunder that caused the camera to turn on and record/capture something that was unintended.
2) You assume that the LED breaks deterministically. The LED can break randomly. Maybe it lights up when nothing is being recorded resulting in a false positive. The user has no way of differentiating between a false positive and a true positive which can result in unintended captures.
3) Similarly the LED can break in a way where it sometimes doesn't light up when something is being recorded even though power is always sent to the LED when the camera is on resulting in a false negative. Again, the user has no idea of differentiating between a false negative and a true negative.
Or your LED might be broken.
I can definitely assess a shutter.
In order to accept this argument I need to trust that you, an internet rando I know nothing about, are telling the truth AND that it'll remain so for any future Apple models. I think no matter how confident you're in your assessment of the current Apple hardware, you can't in good faith argue that they will not change course in the future for whatever reason.
Also, again, they already messed it up once in the past. It won't be hard to imagine that they will do it again some time in the future or are already doing so.
IMHO layers of security are good.
On my end I worry about the risks of constantly just leaving my Mac, which has FileVault enabled, simply protected by a screensaver. Is that less secure than if I put it to sleep? And presumably turning it off completely is safest?
How do I make informed choices about how much "locking" to do when I step away?
These are all things I think about reading an article like this, and I'd love to hear others' thoughts.
It would be very helpful if you could provide some evidence of that
Relying on the light going on after the fact is a much weaker protection, the user may have opted in to always letting an app use a camera and between the 15 or so UIs that the conference apps have the user might miss that it actually turns the camera on unless the button is clicked.
Now if Apple were to release an OS-level protection that automatically pulls up a screen showing what is shared from the view of the camera and asks for that approval, that would improve this situation.
That doesn’t help for the attack that many people are using here, which is if the software on your machine is compromised.
Where they don’t help is accidentally activating the camera and only realizing afterwards. That’s a UX issue with so many different video conference technologies that all behave slightly differently.
Removed the piece of electrical tape I had over the camera to find the image was completely blurry from the glue. Good to know if it ever falls off and I don't have tape to replace immediately.
Our company's video conferencing software has multiple "modes" for a conference call, which the moderator could configure. Hardly anyone ever changed the mode, but at one point while trying to configure something unrelated I ended up switching modes in the middle of the conference call. To my horror the software immediately turned on everyone's camera.
Luckily the strain of streaming 40 video feeds to all 40 participants pretty much locked up the call, but for a brief moment I was able to enable approximately 40 cameras from people who were just sitting in their houses, who knows how dressed or what was going on behind them (I tried not to look).
I'm pretty sure we can apply Hanlon's Razor here and assume it was just an innocent bug: it's not hard to see how joe programmer might have overlooked the default settings when the mode is changed during some completely unrelated refactor. But whatever the case, as long as video conferencing remains lucrative vendors will continue to pack features into the software, and as long as they keep adding features, they will continue to create additional edge cases to trigger these incidents.
I'm not disagreeing with your other points nor am I saying that this isn't the case nor am I a fan of any Apple products... However, designing circuits to implement such functionality is quite common.
The real alternative to a cover would be a physical on/off button next to the camera which would physically connect/disconnect the camera behind the hood.
In this kind of situation you'll see the LED and you'll know what's happening and you'd much prefer to have a physical cover on your webcam.
(1) With a mechanical shutter, the state of blocking can be trivially and reliably inspected. With electrical control, this is not the case.
(2) A mechanical shutter works by making it physically impossible for the camera to see anything, while powered or not. With any electrical control, this is not the case.
So, either you use a mechanical shutter, or all bets are off.
Regardless of how bad actors are accessing these photos, it's eminently obvious that people are getting webcam photos of them taken without their knowledge.
For many people, me included, if you wanted to give me a bunch of money to do something and I bit, not that I would nowadays, that could actually lead to a loss of motivation.
As for vulnerabilities, many open source projects respond to them much quicker than industry. Say for pride in their work, as one motivation.
Or anyone with a basic knowledge of electronics who could verify it.
1. I don't want to broadcast myself during a meeting when I'm not prepared, or perhaps leave a meeting open by accident.
2. If a bad actor does access my camera, I won't necessarily notice the indicator light, especially if I'm not actively using the computer at that moment.
3. I don't trust the indicator light to be permanently unhackable.
Also, if you're using an external display, then how are you supposed to notice the green light on the MacBook sitting next to the display?
That Apple article is nonsense. I put a black tape over the camera and I know nothing including hacks can broadcast unintended scene. It's easy to remove the tape when I actually have to which isn't too often for me.
Not to mention apps that do it "right" like Hangouts that enable the camera for you to preview your video feed before you're actually live. Could be pretty confusing/concerning for someone who isn't used to an app (and when it broadcasts you or not) and sees the light come on. A cover takes that whole thought worry-pitfall out of the possibilities.
I believe it’s only possible with the FaceTime app, which turns the camera on when opening the app.
The sliding covers are fine but it’s just more effort to order one.
Multiple teardowns have confirmed that it's a hardware path that software cannot modify.
Apple is good, but they are not perfect
Can recommend. Physical security > *.
I hope you’re a billionaire with secrets because otherwise this is pure paranoia.
You could copy some data over live, but there are also non-exportable cryptographic keys in the Secure Enclave.
Or as other poster mentioned, just swap whole units.
They have a small slider with the camera protection "glass" built in which can cover the camera and will "show" a red dot if it's covered.
1) Block the camera and hope the microphone is on mute
2) Hope the camera isn't on and hope the microphone isn't on
3) Not have the mac at all
Clearly 1 is better than 2.
It seems to be something with a switch that disconnects one of the rings of a 4 pin. Easy enough, but $5 doesn’t seem awful.
Of course it doesn’t disconnect built in microphones, and with modern Apple phones getting rid of 3.5mm jacks its value is less.
I'm in a lot of remote meetings, and wouldn't want to be accidentally presenting without expecting to.
I still think the best solution would be to have no builtin camera or microphone. Just have something like the iSight that you manually and thus willingly connect to your thunderbolt. Works with your external monitor as well and you can orient it the way you like. It would also have better overall image and sound quality (low light, more shallow depth of field, etc.). And on the plus side for Apple and its shareholders, it's another $499 essential.
I cover my camera to avoid that 5s mental dance at the start of every meeting.
Also, I am really worried about microphones. I have 2 google homes, 6 siris (iPhones and apple watch), a portal, a number of macbook pros and airs, a PS4, ... any of these devices could be listening to me at all times :/
That way I don't have to worry about annoying my colleagues with my mechanical keyboard, occasional excess gas events or similar.
If my computer is compromised to the point where an attacker can access my camera and microphone, information from my camera and microphone is the least of my problems.
Sure, someone could grab all my files, email, etc. That would be damaging.
But if I'm having a sensitive conversation in my home/office with someone and the camera and/or microphone come on, that could be damaging as well.
FWIW, I use a camera cover and Oversight to tell me when an application uses the camera or microphone. It doesn't prevent it from happening, but at least I'm aware if something is going on. The weirdest thing I've seen yet is that the iOS Simulator uses the microphone.
But if I was giving a computer to a 12 year old or 16 year old - what else is the hacker going to take? Their online gaming account?
Camera covers have nothing to do with identifying compromise. They are strictly for preventing compromise. This is exactly opposite what a camera indicator light does, and thus the indicator should not be considered a "workaround" for not being able to install a camera cover.
Now what I want is a hardware microphone switch, where the off state actually connects to a noise generator.
The Huawei Matebook has the camera as a hidden popup under one of the F-keys.
The Xiaomi Redmibook goes one step further and omits the camera+mic entirely!
This could be solved in software at the OS-level with a permission dialog that popped up every time the camera was asked to be activated (as opposed to an ongoing website permission). Which would be overly annoying for most, but appreciated by a privacy-conscious minority.
But unless Apple ever did that (doubtful), once you see the green light it's already too late.
It does make me wonder if something like that could ever be done with a kernel extension or similar?
Apart from that, I would be absolutely amazed if there isn't at least one failure mode of the LED itself that allows the camera to turn on despite no light being emitted. Probably too rare for most people to worry about, but still.
I really get why people want a cover, and I think Apple are being a bit disingenuous trying to convince people they don't need one.
It's fine they warn about the danger of cracking the screen, but that entire "we protect your privacy" spiel was rather terrible, and also quite misleading as you so clearly pointed out!
I'm a fan of using painters tape.... pretty low profile, easily removed, stays on really well. Also the weird blue glow you get when the camera is on tells you pretty quick "Hey there's a cover on there" where sometimes with the all blackout covers ... I can't tell.
I renew my calls for all devices to have an LED indicator (good on Apple here) and a physical switch that cuts power to mics and cameras for all devices with them. With the endless layers of software we have today, I have trouble trusting anything but cutting power.
The cleverest solution I've seen that is 1.) easily toggled, and 2.) harmless to screens is a coworker who built a little vinyl veil that attaches to the top back of their monitor. They can flip it forward to cover the camera, or flip it back to use it. But if you close even the tightest of lids with a couple microns of vinyl in there, it's harmless. Bada-bing, problem solved, and they only used a penny or two worth of materials.
Specifically, this is the webcam cover I was using:
I actually just tested it, and the cover doesn't even make contact with the lower half of the MacBook when closed. The cover fits into the trackpad area, which is recessed. I don't see how it could possibly damage the screen without me putting enough pressure on it where the screen would have been damaged regardless.
Does the 16" have a shallower trackpad or a thinner rubber gasket around the screen than the 13" and 15" models? Even for Apple, it sounds insane that they would create something so fragile it could be broken by a 0.02" piece of plastic.
Also, to be fair, the webcam cover I used was metal (I didn't realize that when I bought it).
One of the photos shows them to be about as thick as a credit card.
With many other laptops in that price range you would either have to use a very fat cover or apply an amount of pressure which might damage your laptop anyway. I just tried it (carefully) with my laptop and the screen has enough "play"/"flex" to handle it just fine.
Fun fact: as far as I remember, a number of webcams with LED indicator allow (or did allow in the past) anyone using the camera to switch off the indicator without stopping using the camera...
While this is still true for many laptops, it hasn't been true for MBP for at least the past 5 years (cannot be bothered to find the exact year), even if someone has full root access to the machine. I say that, because the camera LED on MBPs these days is hardware activated, not software. So if the camera is active on hardware level, the LED indicator will go green, no matter what.
It could be, but I wouldn't base it off just Apple having a warning about it.
I'm weird though, I'm one of those people that needs to have their arm twisted to use their camera.
Once I got my MBP back, I added the camera cover again (stupidly). The next day I opened my MBP, and had a line down the center of my screen. That is when I realized what had happened. I then told Apple exactly what I think happened. And to their credit, they replaced it (again) for free.
Over the next weeks, I received 3 different calls from Apple staff, with seemingly increased responsibilities. They all asked detailed questions investigating what I thought happened and in what sequence.
I am not surprised to see this support article.
The latest MBPs are exceedingly fragile, can't run two displays from separate TB controllers without throttling, and have had more DOA batteries than any series I've ever encountered to date. This isn't even getting into other models.
How powerless is their QA that they'd let Operations dictate design unchecked? It feels like externalising their expenses taken a leap too far.
My company provides a ~1.2mm thick plastic cover with a little slider inside. I didn't even trust it enough to be used on a ThinkPad, much less a MacBook.
What I do now is either ripping off a small piece of the sticky top of sticky notes (keep the remainder for later reuse) or a piece of washi tape.
I look forward to getting extorted by hackers threatening to tell the world what my ceiling looks like.
Has anyone torn down the hardware and verified this lately?
It should not be a complicated feature at all. Just ensure you have the same voltage applied to your LED circuit as your camera circuit, and enforce that by having them on the same wire...
A camera cover guarantees that the camera can only work when the camera is uncovered.
A camera light alerts you once the camera is already on.
The LED could still always fail short, and then you're back to having a broken indicator again.
Add more than one if this is a concern, and it can still be compact. This is already done today in "RGB" LEDs.
> a chip doesn't technically have the right power on its power rails, but is instead drawing power on the input ports.
What does this mean? The data lines of camera modules are generally differential pair, and it is highly unlikely that significant power is being drawn from them.