> First, you have to trust Apple that the indicator _really_ can't be disabled. You also have to trust that there isn't a vulnerability Apple is not aware of that could allow rolling the camera without the light coming on.
I have made this point several times throughout this thread, so I apologize for repeating myself:
Every laptop Apple has manufactured in the last ten years has an LED connected to the same circuit which powers up the camera. You cannot send power to the camera without also sending power to the LED, which will in turn cause the LED to light up. Unless the LED is broken, in which case you will know because it will never light up.
If you manage to find a vulnerability in this system, I don't think I even mind, because you've also broken physics and very possibly found a way to generate unlimited electricity forever.
> Every laptop Apple has manufactured in the last ten years has an LED connected to the same circuit which powers up the camera.
At the very least, I need a citation or an official statement. Because clearly, this has not always been the case [1]:
> We describe how to disable the LED on a class of Apple internal iSight webcams used in some versions of MacBook laptops and iMac desktops.
> [..] our investigation of the iSight revealed that it is designed around a microprocessor and a separate image sensor with an indicator LED sitting between them such that whenever the image sensor is transmitting images to the microcontroller, a hardware interlock illuminates the LED. We show how to reprogram the microcontroller with arbitrary, new firmware. This in turn enables us to reconfigure the image sensor, allowing us to bypass the hardware interlock and disable the LED.
> [..] iSight webcam [was] found in previous generation Apple products including the iMac G5 and early Intel-based iMacs, MacBooks, and MacBook Pros until roughly 2008
Whatever reason Apple had to design the camera system this way back in 2008 is probably still a valid reason (cost, hardware simplicity, spatial constraints etc.). It means Apple and others have incentives to build camera systems that are easier to compromise. It's enough for me to worry.
So is trust. You can’t possibly audit the source of every piece of software that touches your life, even if all of it were open source. Hell, things like Heartbleed or Shellshock sat in OpenSSL / Bash for 5-10 years.
If you don't trust an open-source program due to the possibility of e.g. Heartbleed, then it's only reasonable to trust closed-source software (e.g. the majority of macOS, including in all likelihood the parts of it controlling the camera) even less.
What if only the camera is allowed to shut itself down and never responds to such requests if they happen within the first one second after it has been powered on?
You could connect the led to a capacitor, which would be charged when camera is connected to power, and would discharge powering the led for a few more seconds after power is disconnected.
But yeah, I wouldn’t trust a led, because I can’t reverse engineer the circuit that’s in my particular device.
It is extremely unlikely (in the human terms - not possible) that LED would break in such a way that it transmits the power and not emit light at the same time.
Of course the LED can be installed in a parallel connection on the circuit, but I read the op statement as it is not the case.
"Let's devise a way to purposefully burn the LED in such a way that current can go through." We have to keep in mind that not everything has to be by accident :) I have no idea how likely it is to be possible, though, you've got a point.
Why did you read that it's not the case? I read the opposite. That if the LED broke, you'd notice it because your camera would be on and the light would be off.
I would bet on the LED being parallel - otherwise sending more current through it will burn more power, generate more heat, and likely cause it to wear faster.
I think the point though is that it's not software controlled in any way: powering on the camera lights up the LED, and there's no way to bypass that with only software. Or at least that's the claim.
The problem is that the average user has no way to verify this and also the light doesn't prevent the camera from turning on, it merely notifies you that the camera is on.
A manual, physical barrier, especially an aftermarket one, solves those issues. Personally, I use electrical tape.
> ”the light doesn't prevent the camera from turning on, it merely notifies you that the camera is on.”
No, but the OS prevents the camera from turning on without permission from the user.
(There have been bugs/compromises to this in the past, but at the browser level - you still had to give camera permission to the browser)
Besides, if you’ve got some compromised or surreptitious software on your MacBook trying to secretly take photos, you probably have much bigger security problems to worry about than just what it can see through the camera.
Without worrying about malware, several times I've clicked on some Skype like program while trying to make a voice call only to find it trying to transmit ugly video of me.
Valid point. I have to admit I'm a bit "video call vain" as well. I like to make sure my hair doesn't look too crazy and my room doesn't look too messy before getting on zoom/skype/etc. But one thing the last few months has taught me is that many of my friends/colleagues/family really don't care about these things!
Yeah, I'm not even worried about malware, I'm more worried about joining a call with video on by mistake using a legit program.
I mean, the thing is that I never want to use video on calls, basically. Waste of bandwidth and no worry about broadcasting the wrong thing by mistake.
You’re focused on the wrong part of the chain here. As the camera system is only as weak as its weakest link, if Apple indeed made a circuit connected to the LED (and I fully trust you on that), then the weakest link is elsewhere: company provided laptops are often altered prior to being given to an employee. I know of companies who install software to track messages etc. What’s to say the same companies don’t alter the circuit board to modify the LED behavior?
There is a risk/reward/effort to look at, putting a small piece of tape is low risk / low effort / high reward (if your company actually alters laptops).
If they take the effort to alter the circuit they might as well place a camera somewhere else, listen to all your network traffic, install a (hardware) keylogger and what not.
I think you are taking this too far.
People who fear to be tracked buy a laptop in a random store and don't use a provided one.
What about company laptops, where you're much more likely to be targeted based on your job, not your personality?
Snowden already showed us the depths that governments will go to, to compromise their victims with hardware swaps and worse. And it's already been 7 years. They're even better at it now.
> What’s to say the same companies don’t alter the circuit board
The realities of modifying hardware. Is it possible? Sure. Is a company going to do it routinely at scale? Highly unlikely, because unlike software modifications, this would be pretty expensive. Are you aware of any companies that routinely do _hardware_ modifications on employee Macbooks?
Not aware of any that do that for laptops but I know 2 personally that do that for phones. They have a collection of devices (phones) trash to go, so it’s not as unscalable as I initially thought because they re-use the devices.
So I’m assuming if some do it for phones, must be some doing it in laptops.
Again. It’s all about probabilities. 1/ What’s the likelihood of the company doing that? Close to none.
2/ what would be the severity of the issue if they were doing that for me? Very high.
3/ what’s the effort level to prevent that? Very little.
Why do I even have to trust Apple and physics here? Why can't Apple just provide a physical lid for the camera to disable it. Why even take that chance.
I happen to have (collecting dust somewhere...) one of those old Firewire webcams Apple made. It has a physical shutter you can open and close by rotating the front. It's about as beautiful and elegant as it gets.
If Apple still cared about beautiful and elegant products, it could surely find a way to incorporate a miniaturized version of that in a Macbook.
I trust you absolutely and totally on this. Why wouldn't I?
But if you had your entire net worth riding on it, would you trust yourself to be infallibly correct or would you trust something along the lines of a post-it note to be completely sure? You know, if your life depended on it on every single possible model of Apple laptop in all circumstances imaginable? (Do we include if your laptop was intercepted and altered by a hostile agent? Because we know that happens too...)
Devil's advocate: If our threat model includes your laptop being tampered with by an evil maid competent enough to imperceptibly modify the camera LED circuit, couldn't they just install a separate camera elsewhere (maybe in one of the speakers)?
Or they put you to sleep in a way where you have no memory and place the bug inside your body. You can go on like that forever. So leave your doors unlocked because you can't ever be 'safe' right? Obviously not.
There's a scale from dead easy to more difficult to very difficult. Easier to get you is a bigger problem. Cheap & easy to prevent - well why wouldn't you? It's asymmetric.
Wouldn't you feel hilariously stupid if someone modified your camera circuit when intercepting your laptop and you actually didn't stick a post-it over it to thwart their dastardly plans?
The point here is making the kind of claims made about LEDs and camera circuits is really, really easy when telling other people what is not a risk. When you carry that risk - ie "all possible models and other threat vectors" suddenly you should not be so sure anymore. A physical cover is better, easier, cheaper and basically infallible for what it is advertised to do. Asymmetric payoffs are worth noting. A genuine plausible risk scenario is all you need to take a /trivial/ mitigation step.
Apple making trivial mitigation steps harder is really, really, really stupid. In fact, beyond merely stupid, it's unwittingly and incompetently user-hostile. (Unless you think their design process has been infiltrated by the NSA or something, which I guess is at least possible, but I think it unlikely in the face of utterly incompetent idiocy - which Apple do display from time to time).
Please, share the circuit for the LED. To take a picture, it takes 4ms - a human eye would not even register that LED turning on.
> I don't think I even mind, because you've also broken physics and very possibly found a way to generate unlimited electricity forever.
Unless there is an option to send higher voltage to the camera (control the VRM) and increase the current through the LED to wear it off quickly, for instance. The statement is incredibly condescending, esp. given no link to actual schematics.
In the past, this was exactly how it was done. Here's an article on the FBI doing it with an Apple webcam six years ago [0].
Should be noted that was after Apple went to the effort of making a hardware delay to try and force the LED to turn on first, but it was still worked around.
It doesn't have to be milliseconds. Most people don't sit and stare at the camera all day. I have multiple displays and turning camera for a second when I am looking at another display - or even the laptop one but concentrating on something on the screen, especially the lower part - would slip my attention very easily. Or I might notice something off with peripheral sight, but it is very inexact and while I turn my head to bring it into the field of sight where I have a good resolution, it could be already gone. Of course, the cover has none of these problems. If it's covered, then it's covered.
You mean current, right? And it'd have current limit circuit, at a resistor but likely a slow start circuit entirely? Unless you share the schematics, it's an empty argument.
This used to be a thing, where you’d flash the LED briefly and hope the user didn’t notice. But new Macs prevent this by having a minimum duration the light will remain on.
FWIW I tried using the command line utility isightcapture on my 2019 MacBook, and the LED turned on for 4-5 seconds and I got a dialog asking if I wanted to allow access to the camera. So this seems to be true.
I still have a camera cover though
> You cannot send power to the camera without also sending power to the LED, which will in turn cause the LED to light up. Unless the LED is broken, in which case you will know because it will never light up.
You make multiple assumptions here
1) You assume that during the time that passes between the LED breaking and the user noticing, there was not a single attack or a single blunder that caused the camera to turn on and record/capture something that was unintended.
2) You assume that the LED breaks deterministically. The LED can break randomly. Maybe it lights up when nothing is being recorded resulting in a false positive. The user has no way of differentiating between a false positive and a true positive which can result in unintended captures.
3) Similarly the LED can break in a way where it sometimes doesn't light up when something is being recorded even though power is always sent to the LED when the camera is on resulting in a false negative. Again, the user has no idea of differentiating between a false negative and a true negative.
> If you manage to find a vulnerability in this system, I don't think I even mind, because you've also broken physics and very possibly found a way to generate unlimited electricity forever
> Every laptop Apple has manufactured in the last ten years has an LED connected to the same circuit which powers up the camera. You cannot send power to the camera without also sending power to the LED, which will in turn cause the LED to light up. Unless the LED is broken, in which case you will know because it will never light up.
In order to accept this argument I need to trust that you, an internet rando I know nothing about, are telling the truth AND that it'll remain so for any future Apple models. I think no matter how confident you are in your assessment of the current Apple hardware, you can't in good faith argue that they will not change course in the future for whatever reason.
Also, again, they already messed it up once in the past. It won't be hard to imagine that they will do it again some time in the future or are already doing so.
This is admittedly a bit of a movie plot threat, but could an evil maid attack rewire this, then later malware takes advantage of the rewiring?
IMHO layers of security are good.
On my end I worry about the risks of constantly just leaving my Mac, which has FileVault enabled, simply protected by a screensaver. Is that less secure than if I put it to sleep? And presumably turning it off completely is safest?
How do I make informed choices about how much "locking" to do when I step away?
These are all things I think about reading an article like this, and I'd love to hear others' thoughts.
Yet Dell and some other laptop manufacturers started to include a physical privacy slider right in the hardware. Considering Apple's stance on privacy, I hope they consider this at some point.