I expect you are probably correct, but it doesn't really matter. If you don't want to be filmed, the correct engineering approach is not to have a camera pointed at you 24/7. It is a bit like the gun rule of not pointing a gun at things you don't want to shoot - sure, the trigger should be enough of a control, but accidents happen.
If you spend your entire life with a camera pointed at your face, your face (and activity) will be accidentality filmed by that camera sooner or later. Indicator or otherwise. The indicator light is a good idea but I'm still spiritually on the side of the tape people.
Indeed, I'm a little surprised Apple didn't follow the Thinkpad approach of simply having a sliding piece with an aperture that extremely obviously blocks the camera. Surely Apple can't seriously think their users would be confused by this and complain... I don't think my desktop computer's webcam is likely to get hacked either but I'm still going to unplug it when I'm not using it.
I can see Jony Ive's head exploding: "Sullying my perfect, smooth, invented-new-aluminum-machining-technology-to-make-it-possible masterpiece with some latch?! Why don't you go work for Dell."
It's not irrelevant, it's information that allows any reasonable person to conclude that Apple implemented a solution before and has since decided to exchange that simple and effective failsafe for a marginally thinner product. I can't physically control whether I have a naked camera pointed at me all day but hey, at least my laptop can fit into a manilla envelope, right? Right? Totally worth it.
It’s irrelevant to bring up iSight’s shutter because they are totally different products. It was literally hundreds of times larger than the cameras we’re talking about here; so it makes no sense to expect a shutter on these just because iSight had them more than a decade ago. That’s like saying that a racecar should have folding seats because a minivan might have it and they are both vehicles.
A peace of plastic in front of the camera is really simple to understand and trust - the rest you need to know about tech and trust someone did it correctly.
I'm pretty confident after the 2008 camera exploit they engineered the camera to wire the active light directly to the camera power source, which I think is what you're talking about with #3. #1 and #2 seem kind of irrelevant to me. Unless it manually operated (in that case, why not use a physical switch?) it behaves the same as the green indicator light, relies on #3, and after its turned on it's already capturing.
I wonder, do the ThinkPads with that feature have a thicker lid than Apple laptops? I suspect they be thicker anyway because of the touchscreen, which would then provide a few millimeters more room for a shutter. But I'm completely speculating.
I have a new X1 Carbon, and I don't have a MacBook to compare but I can't imagine needing my laptop to be lighter or thinner. It easily fits into any bag and I can carry it with one hand with no worry.
I will gladly trade a millimeter of thickness for increased functionality. It's the same thing where apple will ruthlessly optimize for thickness to the point where they can't cool the CPUs. They literally prefer form over function, as if the tool I use all day every day is an art piece.
It is the mentality not the thinking. In china no one trust anyone really. Hence security strangely is no 1 priority. Hence the cover is in Lenovo portable, but not apple. You are guilty somehow somewhere and to be checked out, and vice visa.
Like fish said to be the final species to discover water, one mainlander comes to hk and surprise to see us so relax about security. What the law even assume people are innocent until proved otherwise ...
the mentality of hermit in One of the largest population of ... hermits. You just put on your shell.
As now become one of the hermit by force and talked as a hermit, may I suggest they just do it away with the camera. Use a wireless or usb based one. No hacking possible.
Economically (if not ethnically) trust is important as it lower the transaction costs. Chicago school heritage I guess of pre NSO HONG Kong. I switch to my two mac Mini of intel and arm. Unfortunately still have the old 3 cable apple monitor (work well with both 2018 and 2012 MacBook Pro) that have a camera. Guess a cover is ok.
I think you'd have to pay extra to buy a laptop without an integrated camera and microphone, not to mention there likely being no options that are also actually high performance laptops.
Would you notice it if it was one frame every 15 minutes for example?
As for the second point, sure. In theory. If there’s no bugs or vulnerabilities or backdoors
There's a reason Zukerberg's laptop has its mic and camera tapped up. It doesn't matter what device you use unless there's a physical switch to disconnect it'll never be safe. Software can ALWAYS have zero days, just because it hasn't been exploited yet doesn't mean it can't be.
But can't you specifically wire the indicator light to always be lit if the camera has power?
I don't see Apple claiming they've done that but a correct design would make the indicator light work that way and be related to software at all. Meaning you could only disable the indicator light by physically modifying the device.
This has been the case for quite some time (10 years or so). I've torn apart two Macbooks to specifically test this and the LED is enabled when the camera receives power. It's impossible to disable with software.
You can modify the Macbook of course, which is why the paranoid type will still use tape.
Some attacks I've seen will take a photo with the camera as fast as possible so you might not notice, but the light will always turn on.
Oh absolutely, but if I were targeting Zuckerberg this would now be a camera he carries with him and almost always has an available network connection (If I were a billionaire I'd be switching devices near constantly to stave off attacks). You could be carrying around the bug for at least a year if not more.
Your average blackmailer would be better off with the separate camera route (and likely wouldn't be sophisticated enough otherwise) but a state-sponsored attack could probably pull it off.
Not really - there are lots of times when you will not be present with your laptop (think airport security).
It's orders of magnitude easier to get access to a mobile device than to setup a camera in every possible location a target might move to. But they'll helpfully carry the device with them.
even then there probably should be some minimum "flash" time in that if it turns on and off faster than the LED lights up or human eyes can see then it may still take images faster than we can register?
EDIT: a commenter below said
"Macs newer than 4 or so years also have a feature that forces the LED to stay lit for at least 3 seconds after it has been turned on to prevent the single-frame-grab attack."
Frankly, by the time the indicator is noticed, it may be too late. Even with the LED wired in place and a 'feature' (capacitor or software?) forcing it to stay lit for 3 seconds, the damage may be done. It does, at least, let you know an attack occurred.
I really think an LED is barking up the wrong tree. A built-in hardware cover would have the same effect as the LED, and no one would have to trust it, since the camera would just be recording the back of the cover if it was hacked in stealth mode.
Ironically for Americans' wariness China, the "pop-up webcam" in Huawei laptops completely resolves the security and trust issue, by providing a physical way to disable the camera.
The attack most people are worried about is your camera being activated while your laptop is open. Huawei's approach seems worse since you can't just apply a cover to it.
Doesn't that require the same kind of trust in the correctness of the wiring that is at issue in some other comments? I can see that a camera cover works, but I think I couldn't see that a physical switch was actually interrupting the wiring without doing a teardown.
If you don't assume the internal wiring is as described I do not think there is a way for you to guarantee the microphone is not recording. It's even less obvious than a camera lens being covered or not, and taping over the "microphone hole" won't actually block receiving sound at all.
I do physically disconnect or cover cameras. My desktop computer has no microphone unless I plug one in. Laptop and phone though? I definitely remember in the aughts that the police could remotely turn your phone into a bug without any user indication at all. To the best of my knowledge the only way to actually be sure you aren't being recorded with your own equipment is to remove power... of course now the batteries are soldered on, totally a coincidence I'm sure.
Boy, wait until you find about what's possible manipulating PCB or processor designs (the Bloomberg fiction piece "The big Hack" illustrates what would be possible with just PCB manipulation). Or firmware or anything else proprietary running with elevated rights (normal ones are already enough to cause a lot of damage on most systems).
Well, what got it declared fiction was "a broad search doesn't turn up good evidence that this has been done", rather than "experts agree this is obviously impossible". So the reaction to the piece did demonstrate something.
Well, I don't mean to fuel your paranoia, but there are materials opaque to the human eye but not necessarily fully opaque to a CMOS sensor, especially one without infrared/UV filters.
It would be quite possible, trivial even, to design a web camera with a nice built-in black camera cover -- which is transparent to the camera.
That does nothing except switching the default audio source to the blocked channel. Any app that can access the default source can access the still working microphone just as well.
There’s apps (it’s also pretty easy to write one yourself like I did) that monitor when the input source is changed and forces it back immediately. Yes, wish that feature was built into the OS, but I also don’t grant almost any app microphone access.
Depends on the laptop hardware in question, just as it does on which smartphone you’re using, as your link indicates.
If your laptop (or iPad, in the case of the latest gen) is an Apple T2 equipped device, this is somewhat relevant (“somewhat” as it’s not directly related to my original reply)
If the microphone is built into the laptop it should have a hardware switch. That still has problems as you note, but it is far better than the current state of affairs for most devices. And it still requires trust in someone (or opening the device yourself).
A better solution would be to have the microphone be physically removable, but even then it could have an internal power source and storage...
I used one of those (same asin) for a while. Cracked my screen just like TFA says. Thankfully Apple repaired it and looked the other way. I'm guessing they won't be so forgiving now with this article out there.
my laptop has a piece of tape over it, but i can still see the LED lit when it comes on. however, as far as the flash of a quick snap, does the camera on the MacBook take an image faster than the iDevices? the phones always take at least a second after pushing the button, so maybe Apple would be better off putting the same kind of camera in the laptop to ensure it is impossible to take a photo quickly
If an iPhone is displaying the current camera contents on the screen, the software already has access to the camera, and is already "taking photos" in real-time.
This is the only correct design, yet almost nobody does this. One of the challenges is verifying that this was done correctly.
You may be able to verify a design like this once with a teardown, but it's impractical to verify your particular device, and next to impossible to re-verify this every time you leave your laptop unattended.
This isn’t speculation. Opening up hardware to modify the internals is something that covert agencies do, and it’s naive to think that the purpose is equivalent to a simple bug.
As someone who posts to Hacker News you are by almost any definition a potential information source or APT vector.
What he said was that his threat model doesn't include state agencies. Many people use their laptops in bed and they probably don't want random people using their laptop webcam to take random nudes.
And, while I hear the NSA being quoted a lot, let's be fair, how many of us have the opsec to stand up to a genuine NSA attack?
A reasonable goal in thwarting the NSA should be to stop some random bureaucrat from typing on a few keys and getting access to your stuff without a signature. As long as some bureaucrat has to put their signature on a piece of paper and get budget to get my stuff, I'm safe against random trawling.
Besides, if the NSA really wants you, they'll just fabricate the evidence. It's way cheaper.
> > This isn’t speculation.
> He didn't say it was.
They didn’t need to use the word to imply it. I did however assume they’re weren’t so self-centeredly solipsistic as to think that their personal choices were the universal general case, or advisable for a typical participant on this forum.
But then:
> Besides, if the NSA really wants you, they'll just fabricate the evidence. It's way cheaper.
Again, no. That’s another of those “surely this doesn’t happen” comments, and once again, it is flat wrong. Even setting aside that discrediting/compromising someone is likely to be different agency; just as with bugging them, there are still plenty more reasons besides eavesdropping or coercion,
such as industrial espionage, or sabotage, and the main point is that this isn’t theoretical. It happens. Deal with it, don’t deal, up to you, but never assume you can’t be a target.
This is why I only take a disposable laptop and phone across US or Chinese borders. Both have intelligence services with the resources, ability, and inclination toward systematically documenting anyone even remotely interesting.
> As long as some bureaucrat has to put their signature on a piece of paper and get budget to get my stuff, I'm safe against random trawling
If this level of willingness to disregard the entire history of bureaucracy and covert action helps you feel safe, and if you have no direct or indirect ties to any other human being, body of data, or corporate entity that could ever be at any kind of risk, then why not I guess.
I had an Apple on-site support engineer open up a 16” MBP on my kitchen table a couple of weeks ago to replace a cracked screen, and he brought only
a small tool roll, a headlamp, and a anti-static work surface and wrist-strap. Took him only a few minutes to strip it down, longer to rebuild and recommission for use.
I must add, I peeked over his shoulder a few times, and my comment that it looks as good inside as it does out was answered with “yes, it’s like being asked to restore a work of art”.
I was just trying to make a joke. I've actually been very happy with working on my MBP, it was easier to re-paste than a Dell XPS from the same year. The interior of Macbooks I've seen have been laid out remarkably well.
My work laptop (a Thinkpad) has a built-in plastic slider that physically covers the camera. If something activates the camera while that cover is closed, it won't see anything.
I wanted this, but I wanted the WQHD display more.
Lenovo didn't allow you to configure a T480 with both the high-resolution display and the plastic slider, it was either-or. The high-resolution display was their premium option that omitted the slider and added two more IR cameras for Windows Hello support.
So in addition to not getting the slider, I also had to disable the IR cameras.
I'm half tempted to buy the version of the display bezel with the slider and see if it'll fit as a replacement.
Bingo. It's a lot simpler to just allow the user to physically block the lens, which vetoes everything[1], rather than trust or verify that all that stuff is implemented correctly and reliably.
[1] Yes, yes, assuming you can block all frequencies the camera is capable of detecting.
The important thing isn't whether the indicator will be lit or not.
The point is whether you will be able to prevent the camera from taking a video/picture you don't want it to.
Unless you can physically disconnect or block the camera, there's not guarantee that a piece of software can't record.
The best Apple can offer here is that you will know the recording was done (assuming you are looking at your computer, and not looking away or in another room) .
A way to overvoltage/current and burn out the LED. Probability low, but nonzero.
More plausible situation: There are times when the camera is pointed at me, but my head is not pointed at the camera. Perhaps I left the laptop on in the corner of a room while it's playing music, or a myriad of other things.
A cover is a simple, foolproof solution to the camera issue.
Better but not bulletproof; LED's can fail. Manufacturers might consider leaving a shallow recess around the camera to accommodate the paranoid among us.
I think a really large portion of users here would be extremely good attack targets. Developers with privileged access to source code and operations staff with privileged access to systems make up a significant portion of the users here.
Besides: Most people don't accidentally want to show up on a video conference while undressed when they accidentally hit the wrong button in some confusing skeumorphic app specific interface: The LED only warns you after its too late.
100%. The bank I used to work at had a part of the employee handbook dedicated to what happens if you're kidnapped. We're just being naive and casual as we are wont to do. Bro don't worry have another free granola bar.
And in fact one of the devs was poached by a shady bunch of foreign looking suits who would have fit right in with big brother.
In all fairness you have a split second between the light coming on and the video stream initializing to err hide your shame. What are you doing in front of your computer with no pants on? Naked yoga?
120%. I used to work in an industry where a developer was killed in a drive-by shooting, after he reported certain code to the regulatory agency.
Generally speaking - as developers type away on their packet handling or authentication code, they all too naively believe they won't be a target of a new friend or bribe.
Yep. When the Saudi government wanted to persecute dissidents and journalists, they went to the service providers to get compromising info on them. They just paid employees at the companies that didn't play ball to siphon data and target people clandestinely.
The light indicator in modern webcams is a "physical" indicator. Sure, it won't stop it from being hacked, but it will light up whenever it is active. That part can't be hacked, since it's in the hardware.
The irony of this is too much. The guy who pioneered privacy invasion as a philosophy is guarding his own privacy. He should have a Facebook live stream following him 24/7
Seeing that pic was eyeopening for me. I believe he had other ports taped over as well.
At the same time, he's going to be an exclusive target for myriad actors big and small, up to and including entire nations, so extra paranoia is probably warranted.
Testing on my phone at least, tape does nothing to prevent discernable audio from being recorded. I think the device would need to be encased to block the microphone
There are also doctors who are anti-vaccine, financial planners who don't max out 401ks, sysadmins with unpatched home systems, etc. Just because someone could possibly know that the thing they're doing is illogical doesn't mean they act on that knowledge.
> There's a reason Zukerberg's laptop has its mic and camera tapped up
This is an incredibly weakly phrased argument; there's a reason people are flat-earthers as well. The existence of a reason does not automatically make that reason a good one.
I actually take his webcam tape to mean that his security group (which includes people who have serious hardware chops) doesn't think that the investment in a better option is worth it.
Lastly, about that 0day argument. Many camera LEDs are implemented in hardware, which means instead of hardware prevention they have hardware detection. There are reasons for both, and neither is unambiguously better.
Which, as I said, us hardware prevention. It stops someone from recording you, it also stops you from knowing someone tried to record you (i.e. hardware detection).
The hacking consequences I care about are having my bank accounts drained, not having my picture taken.
Google "rootkit". This is a great example of theoretical security vs actual security. In theory, people review logs on their personal machines and hunt for bad guys. In practice, virtually nobody has ever done that. The reality is that personal laptop compromises are discovered through side-effects. Heat, sluggishness, webcam turning on, accounts being hijacked.
Removing components also removes functionality. What if he wants to use it later? I guess he could have another laptop specially for the purpose, he can certainly afford that.
I think the simplest explanation is whoever was staging the scenery around him didn't think anybody would notice the taped laptop. If they did realize that, they probably would have untaped. It wasn't meant to be a detail you notice or centerpiece of conversation. That's my guess.
Or, more accurately, he and his security experts are weighing the challenge of accurately assessing potential hardware failures against the $0.50 of tape which provably prevents them. If you’re a high-value target there is a lot to be said for layered defenses and easily verified safety measures.
For many people the trust in integrated laptop cameras has been thoroughly eroded especially in case of Macs. (From my experience by interacting with people not having much tech experience, limited to Germany, maybe also limited to the social cycle(s) I interacted with.)
The paradox thing is that the same people who often don't trust webcams in Apple Laptops or Apple All-In-One PCs do not bother or even think about weather or not the camera in their iPhone could spy on them or weather or not they microphone in webcams could still spy one them...
I would say you are equally likely to catch someone jacking off through the webcam as to catch valuable information through the microphone. They are therefore equally lucrative
How could it be equally lucrative? The amount of information someone can gather from a camera is much smaller than what you could gather from a microphone in a given room.
If I am in a conference room talking about strategy, an uncovered camera will just pick me up. The microphone will capture everyone’s conversation.
Depends on your tolerance for shaming. I, for one, would probably be a bit pissed off if someone threaten to publish video of me jerking off, but wouldn't care about that enough to pay anyone any money. Listening to a secret conversations in conference room on the other hand, than can be valuable on it's own, no need to blackmail.
Honestly, unless you're cheating on your SO, society is growing increasingly tolerant/indifferent of most of the other things you could see on a webcam
Honestly. I could care less what society thinks. But the scenario where one would have their laptop open and awake in their bedroom while cheating on their spouse and have enough money to make blackmail worthwhile and trust the information won’t get out anyway is slim.
How many people are doing something that is worth the time to blackmail in front of a camera and have the means to pay a substantial sum of money compared to the value of corporate secrets?
Also what are the chances that a microphone wouldn’t overhear something incriminating even if the camera were covered in your bedroom?
And I am really not trying to go down the road of wondering if you are doing something incriminating in your bedroom and your partner is being completely silent what that implies.....
Corporate espionage is potentially more lucrative yes but the opportunities are much less. There are millions of MacBooks out there with significantly more people jacking off in front of them than discussing lucrative corporate secrets
I'm not sure real "jerking face" blackmail is that frequent. If caught the author would face heavy charges. It's probably way easier and less risky to massively scam by pretending you had access to the webcam than to actually bother to hack.
Beside I'm not sure a "jerking face" would be more than awkward if published. A reverse angle in which you could identify what was the video used for the jerking session would be way more compromising.
And in this regard poorly protected IOT surveillance cameras have way more evil potential that webcam in my opinion.
Any story about Apple gets about 50x the hype because it’s a more understandable brand and set of products. The only other OEM that has any story traction is Lenovo, because China. Nobody knows what a Dell Latitude 43675b is.
There’s nothing notable or worse about the Apple issues. If anything, they are probably a lower risk than the average PC.
There where a lot of horror stories about random people spying on "you" through mac webcams. Like in the sense that they hope to capture NSFW material and similar.
Most of this stories where not actually happening, I don't remember exactly but I think they came from a single story of targeted hacker attacks where such a thing actually happened and then people got blackmailed.
But it's was more comparable to some rumors which wildly spread and then many non technical people ended up believing and which somewhat had a truth at it's core somewhere so it's not easy to just put it of as "mad up".
Also it happened like a 5+ years ago, it just stuck with a lot of non tech people somehow. And it (normally) doesn't hurt so tech people aren't that likely to tell people that this isn't quite right. It's often already hard enough to convince them to do any privacy focused actions.
Maybe that's misguided and naive, but I pretty much trust my phone to protect me from bad actors taking over the camera; I'll have to trust the apps I use that have camera access to not spy on me, but those are few.
Until relatively recently, any userspace app on my computer could freely access the camera and microphone, including background processes and malware, so that feels a lot riskier. There seems to be a permission for this that must be granted in the newer macOS versions, but I assume there might be ways around that.
My thoughts exactly. On my phone, I have to trust Apple. On my laptop, I have to trust everyone who wrote code I downloaded. That’s two quite different crowds.
Then you haven't seen all the malware and spyware on phone apps that have been approved by Apple and Google right? I don't trust anyone regarding my tech as far as I can throw them.
I could have a System 76 machine with latest xyz hacker proof Linux distro and I'd still assume all was heard and listened to through that device. Just makes no sense to trust any mass production device.
This might be true for yourself as a technical savvy person. Camera covers are particularly important to people who are self-aware enough to realize they don't have the tech skills to keep bad actors from gaining access to their camera
As a tech-savvy person, I definitely don't have the skills to make sure of that on a laptop. I might be one brew install obscure-util-from-random-HN-comment (or npm install ...) away from inadvertently giving away all my privacy.
I'd also add that my laptop camera is pointed at me[1], and has a decent view of most of my room, whereas the vast majority of the time my phone's camera is pointed directly at my desk or straight up at the ceiling. I'd find my laptop's camera being compromised far more intrusive.
[1] Or least _was_, until I disconnected it - I needed to replace the screen anyway, and I _never_ used the camera, so I just popped the camera out at the same time
Is your point that because these issues have been fixed there will never be a new camera exploit in the future?
I don't see how what you're saying supports that. If your point is simply that Apple has resolved camera vulnerabilities in the past, that's nice, but doesn't exactly give me much peace of mind about future vulnerabilities.
No, the point is that old light indicators were done in software (and were open to exploits), whereas newer indicators have all since moved to being wired right in the hardware. The power of the webcam lights up the indicator.
If the sensor is physically getting power, the light is too, unless the wire is broken. They are on the same circuit. It is not a firmware thing, its basics circuits Physics 101. The light could be burnt out, yes. The wire could break sure. But it can't be hacked (minus pulse modulation, not giving the light enough time to light up). But if you power up the camera, and something isn't physically broke... the light comes on. I know the privacy incident has already happened, separate argument. I think people are missing the hardwired point. This discussion should be focusing on the fact that if the camera has powered on, and we see it, it's already too late.
I have personally turned on the camera without the indicator light coming on on a 2012 Macbook Pro 15" with double-digit percent success rate, meaning someone with more time / expertise could probably do it consistently. I have been unable to do it on newer 15" pros or other models (Air / pro 13").
Because Apple said so? I simply don't have this level of trust.
Because someone disassembled their MacBook and reverse engineered things? And that person is trustworthy and competent? That is better, but even if it was true for the MacBook they reverse engineered, suppliers make tweaks to parts all the time. Can I be sure that my MacBook still has the exact same camera?
Because you opened up your MacBook to confirm? Maybe then you can trust it.
But you just moved the goal-posts from a discussion about whether the implementation was faulty (and Apple was misleading their product owners) to one about whether the design compromises are right.
Apple claims that the LED comes on when the camera is active, which it claims helps protect your privacy. That seems to be true, and certainly no-one seems to have any contradictory examples that are not 12+ years old.
I can argue that when one uses a sliding cover, one can easily forget to reset it after a video chat. The design is bad. The right solution is simply not to have a camera. It's just a different design compromise.
The question is whether this is a firmware implementation that's just waiting for a 0-day or if the +V for the CMOS sensor is literally wired to the LED. If the latter I'd like to see a picture of it.
I was the security architect for this feature on recent Macs. The LED is wired to the camera PMIC and is powered by the voltage rail that powers the camera. The PMIC will always remain on if the system has power. Macs newer than 4 or so years also have a feature that forces the LED to stay lit for at least 3 seconds after it has been turned on to prevent the single-frame-grab attack.
Ah, good. Is the microphone similarly protected? Sometimes I feel I must be the only person on earth who doesn't use their laptop while naked and couldn't care less if the imager was watching me. The microphone, however, could be an actual security threat. Phone calls, muttered passwords, etc.
There is a little LED that lights up when they open. The door latch is controlled via software and so is the light, though I would assume in the case of power failure they'd unlock for fire safety reasons.
I know where you were going with that, but the situation is different than what you’re trying to show. On Macs the light is on the path of the camera: if it is on the camera is, if it is not then the camera is not. Whereas with the door you might think that if it was latchless someone could just push it open when the light was off. The camera light is really a door alarm, not a door latch. (And as I just mentioned, doors with an alarm but no lock often do exist, usually for fire safety reasons).
A door without a latch does not prevent
an unauthorized person from trespassing.
A camera without a cover does not prevent
an unauthorized person from trespassing.
So you have to perpetually watch out for the LED indicator to see if it ever randomly turns on for 3 seconds? And what if it does come up unexpectedly? At this point it's too late and you've already been captured. A mechanical cover that can slide on and off the camera seems like much better security.
The point is that the hardware has been designed properly. Combined with the OS-level permissions, it should be assurance enough for the majority of use cases.
If you need further assurances, then by all means, use a physical cover.
The claim was that single-frame grab attempts are prevented by an indicator that stays on for 3 seconds. First, you do have to be alert for all of these potential 3 seconds windows, and second, it doesn't prevent anything but only tell you that it has already happened.
No, it wasn't. The claim was whether it was implemented correctly, as the entire conversation started with examples where it was not implemented correctly.
Properly designed hardware would add one small - and in every way possible, since we've already identified the circuit that drives the single power source - addition. A physical switch that prevents camera from being turned on. Same for the microphone. Unfortunately, this is never done. So people put covers on.
According to an anonymous Gruber source, Apple fixed the issue by tying the led to the Vsync on the camera board. I have not found a teardown or anything other than this confirming it https://daringfireball.net/2019/02/on_covering_webcams
I had a laptop with a physical switch for WiFi/Bluetooth in 2006 or so (with a matching orange/blue light that would turn up when you toggled it). The problem was that this was actually all done by a software driver - when I booted into Linux with the laptop I was surprised to find that the bluetooth/wifi modules were on regardless of the switch's position.
At the end of the day, unless you have a really nice microscope, solid understanding of electrical engineering, and a few tens of thousands of hours ahead of you, you have to trust whoever you're buying the hardware from that it will do what they say it will. No amount of hardware efforts can solve the fundamental human trust problem.
I have a Lenovo Thinkpad T480. Its webcam switch is a slider that covers the webcam lens. You don't need a fancy microscope, or a solid understanding of EE, or tens of thousands of hours. You need the ability to see the slider cover the lens. Takes all of half a second and at least 1 eye.
And the hackers still win, cause no one remembers to slide it shut after a call, and they can hack the led so there is no physical indicator when they are watching.
I prefer aluminum foil under the tape that's over the lens so it can be flipped up out of the way easily but still block the view. But the cover does the same thing and doesn't take the effort of putting in a piece of tape.
It would be mildly impressive if a manufacturer made a fake cover with a switch to detect when it's "closed" and make the main camera stream filtered to look like the cover is real, while having a 2nd back-door unfiltered stream. Of course this could be detected by someone who took the unit apart.
On Thinkpads, the cover has a prominent red dot painted on it, that ends up in the location where camera lens would normally be. And, of course, you can visibly see the edge of the cover move as you slide it. So I don't know how you'd fake that.
It's like the halting problem. It's hard to decide whether a given switch works in the general case. But it's possible to design an obviously correct breaker.
Edit: the gnarly thing might be ensuring it doesn't harvest power through data wires or store power in covert capacitors or batteries.
I had another laptop with a hardware switch and a corresponding LED, and it worked exactly as it should - the hardware was completely inaccessible under Linux. So yes, it can be done and it's not rocket science.
Yes, what you describe is trivial - and it would be similarly trivial to design a module that appears to respect the switch (regardless of Linux/Windows) and yet records things surreptitiously, only to offload it at a later date.
Remember the amount of effort VW was willing to expand to cheat emissions testing.
The question isn't whether you can add a cover to the product after the fact, it's whether you can trust a switch on a product to do what the manufacturer says it does.
I don't see how that fixes the problem; if you don't trust Apple to build in hardware safeguards around the camera indicator light, why would you trust them with a hardware switch?
A hardware switch should in theory be more easily verifiable than a software one through physical testing. Running tests on PCB traces to verify that a switch indeed works is probably a whole lot easier in general practice than decapping chips or decompiling and analyzing low level firmware or low level OS components.
But are you going to run those tests on PCB traces on your own hardware? If not, then you have to trust that your hardware is identical to whatever hardware was torn-down and tested. I suppose this is good enough unless your threat model includes someone swapping your computer enroute to you with a modified one.
But even then, are you sure the computer whose PCB you tested hasn't been swapped or modified since then? That Chinese operatives didn't splinter cell it while you were out grocery shopping?
Just so you know, switches in something as complicated as a laptop have a good chance at being connected to a processor , with firmware being the thing that determines what the switch does. So you still need trust, even with a physical switch.
Source: write firmware for a living, and write drivers for physical switches.
It should be implemented with the same robustness as if the user's life depended on it.
As an analogy, you wouldn't implement a car brake by running it through some firmware. Instead, you'd preferably make a direct physical connection between the pedal and the actual brake.
There's another angle, which is that even if the wiring works and forms an iron clad promise the camera is not working, not having camera covers trains the population to be okay with having cameras pointed at them all the time, even in their most personal and private spaces.
It's connected to the damn circuit! You can't power up the webcam without powering up the light any more than you can make the camera see through a piece of electrical tape.
There could still be a circuit in the light that could pass the current without lighting up. Or even if there was no such thing, it could be added in the future after everyone was shamed into believing you are a fool for putting tape over your camera.
There are probably other ways. Stop trying to shame people just because you haven't thought of a way to bypass this.
Neither of those things is the case. You can’t power the camera circuit without passing through the low power light. We can rely on the diligent work of security researchers to attempt bypasses and do teardowns for us, so the risk of Apple compromising an older model only exists for people who buy immediately on release.
The support document also suggests a paper-thin cover, so it’s not attempting to shame anyone.
... applies only to older Mac notebooks from like 2008 period which are long since obsolete according to Apple's announced support policy.
>2016: Your Mac’s Camera Can Be Hacked https://www.intego.com/mac-security-blog/your-macs-camera-ca....
... refers specifically the exploit above.
>2016: Former NSA employee: This hack gains access to your Mac's webcam https://www.cnet.com/news/mac-webcam-hack-ex-nsa-employee/
... is an attack that depends on the camera already being in use by another application and therefore has nothing to do with the camera indicator.