They are hardwired on Macbooks. From Daring Fireball, quoting an email from an Apple engineer.

> All cameras after [2008] were different: The hardware team tied the LED to a hardware signal from the sensor: If the (I believe) vertical sync was active, the LED would light up. There is NO firmware control to disable/enable the LED. The actual firmware is indeed flashable, but the part is not a generic part and there are mechanisms in place to verify the image being flashed. […]

> So, no, I don’t believe that malware could be installed to enable the camera without lighting the LED. My concern would be a situation where a frame is captured so the LED is lit only for a very brief period of time.

https://daringfireball.net/2019/02/on_covering_webcams

An indicator light hardwired is nice but I apparently can't trust hardware manufacturers to design it properly. My work laptop (HP Dragonfly) has a physical blocker that closes over the camera when I haven't explicitly pressed the button that enables the camera. The blocker is black and white stripes so it's very obvious when it's covering the sensor. This should absolutely be the security standard we all strive for with camera privacy.

For what it's worth, you could just power on the camera, take a pic, then turn it back off instead. Provided you can do this fast enough, an indicator LED is rendered worthless. So you'd need to make the indicator LED staggered, to stay lit for a minimum amount of time.

There's also the scenario where the LED or the connections to it simply fail. If the circuit doesn't account for that, then boom, now your camera can function without the light being on.

Can't think of any other pitfalls, but I'm sure they exist. Personally, I'll just continue using the privacy shutter, as annoying as that is. Too bad it doesn't do anything about the mic input.

I might be out of the loop, but I thought that was only for some machines - I remember the LED being wired that way being a selling point for MacBooks at some point, as a privacy feature. It definitely should be the standard, though!

There was a school district that took pictures of the kids at home.

They briefly saw the LED flash.

But it was not on for any length of time and you could miss it.

This stuff should be completely in hardware, and sensible - stay on for a minimum time, and have a hardware cutoff switch.

I can't find it now, but recently I read how one company's design team added this feature to their laptops. A subsequent review by the team responsible for manufacturing found that they could change the circuit to cut down on the part count to save money. The light was still there, but it was no longer hardwired. The company continued to advertise the camera light as being hardwired even though it wasn't.

Since some sort of firmware is required, this seems like a "turing tarpit" security exploit from my laymans perspective.

There's no standard that I know, that, like "Secure EFI / Boot" (or whatever exact name it is), locks the API of periphery firmware and that would be able to statically verify that said API doesn't allow for unintended exploits.

That being said: imagination vs reality: the Turing tarpit has to be higher in the chain than the webcam firmware when flashing new firmware via internal USB was the exploit method.

I stumbled on a forum once where it was just filled with people trying to modify the software for various laptops to disable the "tally lamp" (as it is called). There were people selling the mods and one guy claiming he was selling his cracks to three-letter agencies. The people on there seemed to be using this to extort people (mostly women) by being able to record videos without the owner knowing. Some really dark shit.

In the past I've used microsnitch on macos which tells you when the mic or camera are activated, but macos seems to have support for this baked into the os now. In zoom calls the menu bar shows what is active. If this can be sidestepped and avoided in software, and the camera can be activated without any indicator, I do not know. If direct access can be done, and you don't need to go through some apple api to hit the camera, maybe.

edit: looks easily bypassed https://github.com/cormiertyshawn895/RecordingIndicatorUtili...

I'd like a law to this effect.

The idea has been around for quite some time. But it is always dropped.

My guess is that, assuming the most basic and absolute physicial design, the light would flash for silly things like booting, upgrading firmware, checking health or stuff like that.

That's why many ThinkPads have physical covers over their cameras. You don't even need to worry about whether the LEDs are hardwired - relying on any electronic indicator is already a half-baked security measure. If you want real security, just go with a physical solution.

same... i'm also surprised that having a software controlled led would be cheaper ..

It's probably done to keep it in a low powered state and reduce the initialization delay. Maybe also to prevent the Windows USB plugging sound from playing upon turning the camera on, as it would seem weird to the user ("I don't have any USB devices plugged in...")

Likely UX over security and privacy.

Sure, for a brand headquartered in Cupertino they might design it that way. But this one is a Beijing brand.

Yeah, on Chromebooks and MacBooks the LED is hardwired to ensure it's always on when the camera is enabled.

Yeah, my understanding is that is how the light on MacBooks works, but I'm not sure about any other makes/models. Obviously, if this is possible that Thinkpad model doesn't do that.

Most business class thinkpads have a physical cover in the screen that covers the camera with a piece of plastic.

Led, no led, who cares, plastic is blocking the lens. Move the cover away, say hi on zoom, wave, turn the camera back off, cover on, and stay with audio only, as with most meetings :)

It isn't clear to me that webcam firmware ever powers down a typical camera module. See below for data about how the Sony IMX708 sensor is an I2C device with start and stop streaming commands.

https://github.com/Hermann-SW/imx708_regs_annotated?tab=read...

It wasn't. Only responsible manufacturers wired them up that way.

"Add an LED next to the camera, our customers demand it!"

"Job done boss!"

That's it. That's what happens. Nobody ever reviews anything in the general industry. It's extremely rare for anyone to raise a stink internally about anything like this, and if they do, they get shouted down as "That's more expensive" even if it is in every way cheaper, or "We'll have to repeat this work! Are you saying Bob's work was a waste of time and money!?" [1]

[1] Verbatim, shouted responses I've received for making similar comments about fundamentally Wrong things being done with a capital W.

> I thought the whole point of these camera LEDs was to have them wired to/through the power to the camera, so they are always on when the camera is getting power, no matter what.

This definitely happened too on Mac in the past, then they went in damage control mode. Not only had Apple access to turn off the LED while the camera was filming, but there was also a "tiny" company no-one had ever heard off that happened to have the keys allowing to trigger the LED off too. Well "tiny company" / NSA cough cough maybe.

After that they started saying, as someone commented, that it requires a firmware update to turn the LED off.

My laptop has a sticker on its camera since forever and if I'm not mistaken there's a famous picture of the Zuck where he does the same.

I've got bridges to sell to those who believe that the LED has to be on for the camera to be recording.

Only apple does this properly.

I believe it is possible to turn a speaker into a microphone. Found a paper which claims to do just that[0]. So, there is no safety anywhere?

  SPEAKE(a)R: Turn Speakers to Microphones for Fun and Profit
  It is possible to manipulate the headphones (or earphones) connected to a computer, silently turning them into a pair of eavesdropping microphones - with software alone. The same is also true for some types of loudspeakers. This paper focuses on this threat in a cyber-security context. We present SPEAKE(a)R, a software that can covertly turn the headphones connected to a PC into a microphone. We present technical background and explain why most of PCs and laptops are susceptible to this type of attack. We examine an attack scenario in which malware can use a computer as an eavesdropping device, even when a microphone is not present, muted, taped, or turned off. We measure the signal quality and the effective distance, and survey the defensive countermeasures. 

Yup it's wild to me how much anxiety there is about cameras while no mind is given to microphones. Conversations are much more privileged than potentially seeing me in my underwear.

That said the most sensitive information is what we already willingly transmit: search queries, interactions, etc. We feed these systems with so much data that they arguably learn things about us that we're not even consciously aware of.

Covering your camera with tape seems like a totally backwards assessment of privacy risk.

The microphone also can't be covered with a $1 plastic camera cover off Amazon. It's so easy to solve the camera issue if you care about it, but there's really nothing you can do about the mic.

FWIW, modern Macbooks also hardware disable the mic when the lid is closed.

https://support.apple.com/en-ca/guide/security/secbbd20b00b/...

Miclocks are a thing, or any chopped 3.5mm 3 prong plug should do the trick

https://mic-lock.com/products/copy-of-mic-lock-3-5mm-metalli...

This still doesn't stop a program from switching the input from external back to the internal mics though afaik

How will microphone access be monetized?

For video, it is extortion. For microphone, it's much harder.

I'm not sure if an attacker could get some additional sensitive information from me with access to the microphone or the camera, if they already have full access to my PC (files, screen captures, keylogger). Most things they would be interested in is already there.

Hardware switch in line with the microphone. Can’t be turned on behind my back.

macOS is a proprietary binary blob, remotely controlled by Apple. So, the light in the menu bar is not a reliable indicator of anything. There is no privacy on macOS, nor any other proprietary system. You can never be 100% sure what the system is doing right now, as can be anything it is capable of. Apple is putting a lot of money to "teach people" otherwise, but that is marketing, not truth.

Soldering iron to the rescue. Locate the microphone and unsolder it.

I haven't seen any microphone integrated in the processor.

Yet

In Yoga C740 it only blocks the shutter. Covering the LED doesn't make sense to me

How does malware move the plastic?

And having a microphone in the same chassis as the keyboard would make creating a keylogger easier. A microphone in the same room as the keyboard can be made into a keylogger[1].

[1] <https://github.com/shoyo/acoustic-keylogger>

At the same time we're at a point where synthesizing your voice is getting more trivial everyday, you need only a few seconds of it and you can be made to say whatever someone wants.

>These usually get neither an LED nor a switch

Lots of ThinkPads have «Microphone is muted» LED. Not exactly what's requested (and is bound to a software mute/unmute shortcut), but it's better than nothing regarding state of machine being observable with a quick glance.

No amount of microphones will ever be a bigger problem than a single compromising photo or video.

Assuming Hanlon's razor it's a Chesterton's fence situation you just see a LED that indicates the camera is on. Assuming they ask the question at all they think it's just to remind you your still streaming/in a meeting. Then someone asks any of the following questions:

Can we use it to indicate additional information?

Can we make it standard with the other LEDs?

Can we dim it so it's more pleasant to use at night or make it a customisable colour?

I'm sure plenty of other questions take you down the same path and you've just destroyed one of the LEDs most useful functions.

To be fair, from what I can tell ThinkPad X230 is from 2012, which is over a decade ago, and my guess is that this practice was not yet common place.

In series with the power to the camera would be odd. You would be passing the same amount of current through both the camera and the LED. Unless you meant in parallel, which still leaves the other issue that the camera is likely always powered even when not in use, so the LED would always be on.

I'm not an EE by trade, but I personally wouldn't want to put a CCD in series with an LED with god-knows-what Vf tolerances. Then again, I'd bet that nearly all laptop webcams come as off-the-shelf modules with their own internal regulators for the CCD anyway. So maybe it wouldn't matter.

I'll bet it went something like this: As originally specified, the user need was "LED privacy indicator for the webcam." Product management turns that into two requirements:

1) LED next to webcam.

2) LED turns on and off when webcam turns on and off.

Requirement 1 gets handed to the EEs, and requirement 2 gets handed to the firmware engineers. By the time a firmware engineer gets assigned the job of making the LED turn on and off, the hardware designers are already 1 or 2 board spins in. If the firmware engineer suggested that we revise the board to better fit the intention of the user needs, one of two things will happen:

1) They'll get laughed out of the room for suggesting the EEs and manufacturing teams go through another cycle to change something so trivial.

2) They'll get berated by management because it's "not the engineers' place to make decisions about product requirements."

Of course this is all spitballing. I've definitely never been given a requirement that obviously should have been a hardware requirement. I've definitely never brought up concerns about the need to implement certain privacy and security-critical features in hardware, then been criticized for that suggestion. And I've definitely never, ever written code that existed for the sole purpose of papering over bad product-level decision making.

Nope, never. Couldn't be me.

>Who designs this LED to be software addressable?

The very first home made monitoring camera I made with a Raspberry Pi 1 and the camera module you could disable the LED in the config.

So it seems to be an old pattern. Definitely would make the most sense to focus on privacy and make the LED hard wired but here we are.

Does that mean if the LED dies the camera is dead?

> Short of black blutack I've not got a decent option for the mic though.

And then there's the issue that speakers can theoretically be used as a microphone as well

This exploit picks up audio, too. The shutter helps make sure you're not accidentally sending nudes to North Korea's hacking teams, but audio can still be hijacked unfortunately.

Taping your camera doesn't necessarily look like anything. I have a small piece of electrical tape over my webcam, and it blends in so perfectly with the background that other people probably wouldn't see it unless they were specifically looking for it.

(I personally just leave the tape there all the time, because if I need to videoconference, I’d rather connect my mirrorless camera with a much better lens and sexy bokeh.)

A post-it note works if you don't have a slider.

Looks like it, I remember coding for it in 1991)

Agreed. I find so much peace of mind in the microphone / webcam hardware switches of my Framework laptop.

Seeing the webcam actually vanish from the list of devices is very nice. :D

> Cameras and microphones and write enable must have physical switches, not software ones. When will people learn?

Your preferences are not everybody's. Personally, I'd be totally fine with a camera and microphone LED that is guaranteed to activate whenever there is power/signal flowing from either.

> Me, I unplug the camera and mike when not in use.

That's a bit hard to do on a laptop that has both built in.

Some laptops (I've seen it on a lot of Thinkpads) include a physical cover that can be slid over the webcam when you aren't using it. While that doesn't cut power to the camera or mic, I figure would pretty straightforward for manufacturers to add contacts to the camera cover to use it as a power killswitch instead of just a privacy cover.

> When will people learn?

Different persons learn this at different times (or never).

But then market dynamics come into play, as well as the current state of the legal code / enforcement.

> Cameras and microphones and write enable must have physical switches, not software ones. When will people learn?

I feel like people were pleading for this when people were getting ratted and began taping over their cameras, and the tiny number of laptop manufacturers just ignored what would be a cheap easy change. Eventually, people just accepted that it must be impossible to install a switch. I couldn't ever think of any motivation for a lack of a switch other than government pressure, so I've always assumed that the cameras and microphones are backdoored.

I don't get how "some tape" became the standard solution for these thousand dollar devices.

My Framework 13 has this - 2 physical switches next to the camera. I would assume (but haven't checked), that they physically disconnect the camera/mic.

The Framework laptop does this for both microphone and webcam, and there are privacy focused Android phones which also have a microphone switch which cuts the power to the microphone. It's definitely possible.

Many assume that led indicators are tied to hardware rather than firmware. And this just proves that it is still not always the case.

In this vein, apps on your phone likely have unrestrained access to the photosensor, and researchers have figured out how to take low-resolution photos with it: https://news.mit.edu/2024/study-smart-devices-ambient-light-...

There is a third little dot near the camera you can see with a flashlight and that's an ambient light sensor.

Macbooks have a dedicated ALS (Ambient Light Sensor). They don't use the camera.

Surprised Apple hasn't implemented it and charged an additional $50 for the feature.

> Always assume that the company's provided laptop is a RAT with voice and video recording with notice is a norm.

I... don't? Depends on the company, but I trust that my company has no override for the hardware based LED light on my Mac, as well as the software based microphone indicator. If they did, I would consider this highly scandalous for apple

100% agree with you on the keyboards. I had an X220, then a T490, and now I'm on an E16. The keyboard has gotten noticeably worse every time I've upgraded, sacrificing key travel and feel for flatness. It's such a shame - I would happily take a little extra body thickness for a nicer feeling keyboard.

Still use my X230.

I swapped its keyboard with an x220 one, which is the thing to do if you are into the older thinkpad KB feel.

Nope, in fact i have no built in mic or camera, and theyre unplugged when not strictly needed.

How would a 3.5mm dummy mic jack prevent software from just changing the input mic source to the built in one?

Yeah but he's also WAAAAYYYYY more likely to be targeted than any of us, I would argue.

And arguably if one applies duct tape all over the laptop, the laptop can no longer be used, therefore no data can be input into it, preventing that data to be then exfiltrated by malware. A truly versatile product.

It’s easy enough to disassemble your thinkpad and unplug the mike. Use external mikes if you need them, they will be better quality anyways

Eh. If it's not a physical power-disconnect switch, one could imagine it still being able to record audio, which still sucks.

On a Framework laptop, you can physically remove the module with the webcam and microphone.

> Don't even understand why laptops have cameras and microphones. If you're serious about video meetings you'll want an external camera anyway.

The whole point of a laptop is to be able to move around and travel with it.

FWIW you can still encounter laptops without webcams (MNT reform comes to my mind) and you can also choose to disable/load/unload the kernel modules for them dynamically on linux distros and BSDs

I'm not serious about video meetings, but that doesn't mean I never have to take them.

There's lots of people who aren't "serious about video meetings" but still want to be able to do a face-to-face chat with family or whatnot.