Vendors must start adding physical on/off switches to devices that can spy on us

Update (May 15, 2019): This post was linked and its author quoted as a source in this Fast Company article on the same subject.

Where’s my webcam’s off switch?

Have you ever noticed that your webcam doesn’t have an “off” switch? I looked on Amazon, and I couldn’t find any webcams for sale that had a simple on/off switch. I thought I had found one, but it turned out just to have a light that turns on when the camera is in use, and off when not—not a physical switch you can press or slide.

The “clever” solution is supposed to be webcam covers (something Mark Zuckerberg had a hand in popularizing); you can even get a webcam (or a laptop) with such a cover built in. How convenient! I’ve used tape, which works fine.

But a cover doesn’t cover up the microphone, which could be turned on without your knowledge. Oh, you think that’s impossible? Here are some handy instructions. Or maybe you’ll say you’re not paranoid—it’s not a serious problem? Don’t be so naive, said the FBI seven years ago (they’re worried about predators stalking children), and the Atlantic, and USA Today more recently. The issue isn’t going away. With hacking skills growing more common, the problem has surely grown, if anything, more dire.

Another “clever” solution is to use a software off switch, like this (for Windows). But it simply turns your webcam’s driver on and off. Of course, it’s not too hard for a sufficiently skilled hacker to turn your driver back on and start recording you without your knowledge.

For USB devices, you can use a USB off switch like this, which seems like a good idea; but it doesn’t solve the problem for devices with built-in cameras and microphones like laptops and smart phones.

Do any computer cameras with “off” switches (not just covers) exist? They seem to be very rare at best, but I was able to find one: the company building a Linux phone, Purism, has a whole page devoted to the joys and wonders of its off switch—which is kind of ridiculous, if you think about it. The humble “off” switch is now high technology. It is a significant selling point for the single device that I could find that comes equipped with one.

(By the way, I have absolutely no relationship to Purism. I write about them because their focus is privacy and I’ve been writing a lot about privacy.)

The kill switch on Purism’s Librem laptop (c) Purism 2019

Your phone has the same problem, you know

Tape over the webcam? Covers to disable the functionality we paid for? Why on earth do we go to these lengths when hardware vendors could simply sell their products with off switches? The more I think about it, the more I find it utterly bizarre. Don’t these companies care?

I’ve just been talking about webcams, but let’s talk about the really horrible spy devices: your smart phone. Oh, your Android phone can’t be hacked? Here are some handy video instructions, viewed over 300,000 times and upvoted 1,100 times. Surely not your iPhone? Don’t be so confident; hackers are very creative, as (for example) the Daily Mail has reported, and besides, Apple is proud of its patent allowing remote control of iPhone cameras.

Besides, it’s been known since at least 2014 that the NSA had developed, as early as 2008, software to remotely access anybody’s phone.

And yet there isn’t a hardware off switch for your phone’s camera and microphone, short of turning the device entirely off (but there’s an app to turn the camera off). A device equipped with a hardware “off” switch for the camera and microphone isn’t yet on the market, as far as I know. Purism is making one.

It’s not just your webcam and your phone that you need to worry about, by the way. Do you have a smart speaker? At least you can mute Amazon Echo’s microphone, and it’s apparently a hardware switch, too, so well done, Jeff Bezos. That’s important, if true, because it prevents software exploits. I found no word on whether Google Home’s and Apple HomePod’s mute buttons are hardware switches; maybe not. How about a surveillance or doorbell camera? How about your smart TV? Those can be hacked too, of course, and some of them are always listening. Wouldn’t it be nice to have the peace of mind that they aren’t listening to you when you’re not using the TV?

In short, what if you want to turn these devices’ cameras and microphones off sometimes, for some perfectly legitimate reason? Can you do so in a trustworthy, hardware-based way? In most cases, for most devices, the answer is No.

Let’s demand that hardware vendors build hardware “off” switches

It’s almost as if the vendors of common, must-have devices want to make it possible to spy on us. An enterprising journalist should ask why they don’t make such switches. They certainly have deliberately made it hard for us to stop being spied upon—even though we’re their customers. Think about that. We’re their bread and butter, and we’re increasingly and rightly concerned about our security. Yet they keep selling us these insecure devices. That’s just weird, isn’t it? What the hell is going on?

But this, you might say, is both paranoid and unfair. Surely the vendors don’t intend to spy on you. Why would they add an off switch when nobody will turn your camera and microphone on without your consent?

But, as I already said, it’s a hard, cold fact that hackers and government and corporate spies can and sometimes do turn our cameras and microphones on without our consent. This isn’t controversial and, for anybody who is slightly plugged-in, shouldn’t be surprising. Security experts have known for many years that, regardless of the intentions of hardware vendors like Logitech and Apple and large software vendors like Skype and Snapchat, the hardware, firmware, and software that run our devices just are susceptible to hacking. It’s just a fact, and we are right to be concerned. So these companies are responsible for building and selling insecure systems. At a minimum, they could be made significantly more secure with a tiny bit of hardware: the humble “off” switch.

If your webcam, or your phone, or any other device with an Internet-connected camera or microphone (think about how many you own) has ever been hacked, these companies are partly to blame if it was always-on by design. They have a duty to worry about how their products make their users less secure. They haven’t been doing this duty.

It starts with us. We the consumers need to care more about our privacy and security. We’re not powerless here. In fact, we could demand that they give us an off switch.

I think we consumers should demand that webcams, smart phones, smart speakers, and laptop cameras and microphones—and any other devices with cameras and microphones that are connected to the Internet—be built with hardware “off” switches that make it impossible for the camera and microphone to be operated.

Do you agree?



Comments

Please do dive in (politely). I want your reactions!

48 responses to “Vendors must start adding physical on/off switches to devices that can spy on us”

  1. I was suggesting the same thing over three years ago — in a sci-fi novel. How in the world is this (still) sci-fi?

  2. David

    Yeah, we have D-Link cameras watching our living room and such (worst idea ever!) so we can watch the cats when out of town… but they are normally off, actually powered off, connected to WeMo switches. If we want to use them remotely, we first have to turn on the WeMo, wait about 30 seconds, then we can view the camera. Anyone who wanted to hack the system would have to hack two devices this way (and a light does turn on the camera when it is powered)… this is sufficiently safe for me, at least right now.

    1. I’m thinking of installing a bunch of such cameras, but instead of making the data accessible via public cloud services run by the camera vendors (and, probably, Amazon), we’ll just use my cool new NAS.

      After all, another way to hack your system would be via the data as it exits your home, en route, or in the public cloud.

  3. […] of Wikipedia and the chief information officer of the blockchain-based wiki Everpedia, pointed in a recent blog post, kill switches are still far from commonplace, particularly in mobile phones where it may be most […]

    1. The source of the post that generated this backlink is actually this Fast Company article. The author of the article used this blog post (and an interview with me) as a source.

  4. David Yoffe

    Another reason for hardware security protection is compromised mobile devices. If the world’s second-largest manufacturer, Huawei, was blacklisted for security reasons by the US president, leading companies and the administration should be convinced that the problem is real.
    A solution for that is available, named “Security switch”: https://en.wikipedia.org/wiki/Security_switch
    This solution is also protected by US patents.

    1. I see you’re a co-author of the “security switch” patent.

      I’m a bit saddened that you thought this necessary technology, so beneficial to the public, should be protected by a patent.

      Indeed, the value of the feature increases precisely as the development and design is done out in the open, a la “open hardware.” After all, if a hardware switch doesn’t provably cut the power to the component, which is something open hardware would facilitate, then it doesn’t satisfy the requirement of putting the user’s mind at ease about hackability.

      1. David Yoffe

        There are a variety of methods for implementing a “security switch” that should disable a component with no possibility of recovery: the switch can disconnect power to the component, disconnect communication with the component, or shorten the communication signal.
        The method is not really important; the essential issue is the lack of a bypass and the lack of illegal access to the switch itself.
        In the past, some laptops were equipped with a hardware button that disables Wi-Fi; in reality, this button was only sending a signal to the device processor and can be easily bypassed by software.
        A device may be equipped with a nice big switch that gives a false feeling of security, but this switch can be easily bypassed by software and put the user in trouble.
        So vendors that are adding ON/OFF switches should also guarantee to users that the device does not have any bypass and that there is no access at all to the disabling mechanism that could manipulate it.

    2. Apple, Samsung and Google all add these cameras and sensors as it is data they on-sell to govt, companies and marketing; who’s to say what these companies do with it after, or if a staff employee steals it and what they can do with it! If these companies weren’t making money out of it this wouldn’t be the case. The only company to attempt it is Purism, and at a cost of $2000 for old technology that early 2000s phones were able to perform! We are all duped

  5. Lorenz

    Hi,

    so happy to find this blog post. I completely agree!

    I have just thought about this topic back in 2014 and created a Facebook post, no reactions at all. I have been this year in February to San Francisco and took the chance to send post cards to all important tech CEOs. I have created individual webpages for them:

    http://switchtim.lorenz-sykora.com/ username: tim password: givegive

    http://switchelon.lorenz-sykora.com/ username: elon password: oldold

    http://switchjeff.lorenz-sykora.com/ username: jeff password: switchswitch

    http://switchlarry.lorenz-sykora.com/ username: larry password: ususus

    http://switchmark.lorenz-sykora.com/ username: mark password: goodgood

    http://switchsatya.lorenz-sykora.com/ username: satya password: hardware

    Meanwhile Google has introduced a new home device with a kill switch. I think we have now the chance to get something moving, if it is not already moving. I predict, that digital devices will have this switch five years from now. But to make sure, we should let them know that we want this feature!

    We could start a petition on change.org? Or we choose the start-up landing page approach? Or we send around a survey, which just asks users: If you get the same smartphone with a hardware on/off switch, which would you choose? Or we get the European Parliament into this, they are strong in privacy regulations?

    What do you think?

    All the best 🙂
    Lorenz

  6. Amos Batto

    What you didn’t cover are the extra costs and extra engineering of adding on/off switches, and how they will change the weight, size and ergonomics of devices.

    The cheapest way to implement an on/off switch is to add a little plastic cover that slides over the lens of a camera. This solution works fairly well to stop light from reaching a webcam mounted in a laptop screen. However, it doesn’t work very well with cameras in tablets and smartphones, because those devices have to be very thin and they are rubbed as they slide in and out of pockets, purses, tight sleeves, etc., so the plastic cover has to have a mechanism to hold it in the open or closed position. This means that a significant amount of physical force has to be applied to move the plastic cover. The camera lens is already the thickest part of a smartphone, and that plastic cover will add another 1 mm to the thickness of the camera’s hump, which many manufacturers want to avoid for stylistic reasons.

    In other words, plastic covers over camera lens might be cheap, but they won’t work well for smartphones and tablets. Covering a microphone, however, doesn’t work because it only muffles it. If you really want to turn off the microphone, you have to cut its circuit, which means that you have to add electrical switches like Purism does.

    Adding electrical switches to cut circuits means that you have to do custom circuit board design. If hardware kill switches were part of the standard reference designs put out by Intel and AMD for laptops and Qualcomm, Mediatek, UNISOC for phones and Rockchip, Amlogic, Allwinner and nVidia for tablets, then this would not be that expensive, but the current situation is that the device maker has to custom design the board to add electrical switches and custom design the case with holes for those switches. Any moving part has to be tested for failure over time.

    This extra engineering for hardware kill switches is one of the reasons why Purism’s devices cost significantly more than its competitors. Every other company that sells new Linux x86 laptops (System76, TUXEDO Computers, Slimbook, Think Penguin, StationX, Entroware, Juno Computers) simply takes a base design from Clevo and slaps their logo on the top. Only Purism, Star Labs and PINE64 custom design their own Linux hardware. (I suspect that the situation is similar with the small-scale makers of Windows and Android devices, but I haven’t investigated it.) Asking a boutique hardware seller to add hardware kill switches means that seller needs to license the reference board design from Intel, AMD, Qualcomm, Mediatek, etc, and then modify it, which means hiring engineers to do the work and finding their own board manufacturers in China. Of course, the big electronics companies like Lenovo, Dell, HP, Samsung, LG, Huawei, etc., can easily make this happen, since they already design their own hardware or they can just tell the Taiwanese/Chinese ODMs to make it for them, but they aren’t going to bother until some boutique hardware companies like Purism first prove that there is a market for privacy devices with hardware kill switches.

    Another problem is that the software has to be changed, so that it can deal with the camera, microphones, Wi-Fi/Bluetooth, cellular basebands, GNSS, etc. suddenly being cut off and not communicating. Cheese, which is the webcam software used by Purism, still doesn’t know how to handle the webcam being turned on. You have to shut down Cheese and restart it in order for it to detect that you have flipped the webcam/microphone switch on.

    Adding hardware kill switches to cameras and microphones isn’t that big of a deal, but it is a huge problem for the cellular baseband, GNSS, Wi-Fi and Bluetooth, because these are usually built into the SoC in mobile devices. There is no way to cut the power to these components without shutting down the entire device. If you turn them off using software, then they can easily be turned on without the user knowing it, so you have to have a hardware kill switch, not a software kill switch. The only way to have hardware kill switches is to put these functions on separate chips, which takes up a huge amount of space and is very expensive.

    A mobile SoC that incorporates all these functions doesn’t cost that much (Snapdragon costs $10-$70, Mediatek costs $8-$25 and UNISOC costs $8-$15) and it is typically 15×15 mm in size. In contrast, a separate cellular baseband chip is typically 29x33x1.5 mm in size and it costs over $30, because it contains a huge heat spreader and is only manufactured in small production runs due to the segmentation of cellular bands and limited demand. Nobody makes separate cellular baseband chips without the heat spreader, because these chips are typically mounted on a mini-PCIe or M.2 card, so they can’t use the same cooling mechanism as the SoC mounted on the motherboard.
    Look at what Purism has to do in its Librem 5 with 3 hardware kill switches just to provide the same functionality as one 15×15 mm mobile SoC like a Snapdragon:
    – NXP i.MX 8M Quad CPU/GPU, 17×17 mm, ~$20
    – Gemalto PLS8 cellular baseband, 29x33x1.3 mm, ~$35
    – STMicroelectronics Teseo-LIV3F GNSS, 9.7×10.1 mm, ~$10
    – Redpine Signals RS9116 Wi-Fi/Bluetooth, 9.1×9.8×1.2 mm, ~$10
    Plus the Librem 5 will need a separate USB 3.0 host/power delivery chip to provide fast charging and separate chips to provide HDMI/DisplayPort Alt Mode and a DSP/ISP, which comes in most mobile SoCs. The Librem 5 is going to be very energy-inefficient in order to operate all these separate chips, need a huge board and will be 14mm thick, whereas today’s standard phone is 8mm thick.

    How many people are going to pay $699 for the Librem 5? I preordered it, but I care passionately about digital rights, software freedom and planned obsolescence, so I’m not a typical consumer. The Librem 5 has a lot of extra costs to pay for 2.5 years of development, adapting GTK/GNOME to work as a mobile operating system, small-scale, custom manufacturing and its 100% free software requirement.

    However, let’s assume that you have a normal boutique hardware company that takes standard Android and wants to add three hardware kill switches for camera/microphone, Wi-Fi/Bluetooth and cellular baseband/GNSS. You have tripled the cost of the chips on the board, you need to add a large battery to compensate or accept poor battery life and you have to convince consumers to pay an extra $100-150 for the hardware kill switches to cover your costs.

    in Purism’s Librem 5 is 17×17 mm, plus 1 Most software expects to still be able to communicate with these components, even when turned off. T

    prove with Windows devices, but I suspect it is very similar.
    Another problem is that the software has to be changed, so that it can deal with the camera, microphone

    The software also has to be adapted to deal with

    microphone is also a cheap solu

    The other option is to add hardware kill switches that cut the circuit to the

    1. Thank you very much for this excellent analysis! By all means complete it on your own blog (or here, if you wish!).

  7. […] as simple as a physical switch, with no possibility of turning it on by software alone, is absent from most of the cameras and microphones in our computers and mobile phones [8], to such an extent that it is a point of differentiation for the few companies that provide them [9]. […]

  8. Sondra Snyder

    Agree.

  9. Bert

    Stumbled by accident on this article, and I completely agree. I have nothing in particular to hide, but if cell phones were available with a physical switch that only activates cameras and mike when I want it, I would gladly pay a premium price for it. My house would also have been cheaper without bathroom doors.
