Vendors must start adding physical on/off switches to devices that can spy on us

Update (May 15, 2019): This post was linked and its author quoted as a source in this Fast Company article on the same subject.

Where’s my webcam’s off switch?

Have you ever noticed that your webcam doesn’t have an “off” switch? I looked on Amazon, and I couldn’t find any webcams for sale that had a simple on/off switch. When I thought I found one, it turned out just to have a light that turns on when the camera is in use, and off when not—not a physical switch you can press or slide.

The “clever” solution is supposed to be webcam covers (something Mark Zuckerberg had a hand in popularizing); you can even get a webcam (or a laptop) with such a cover built in. How convenient! I’ve used tape, which works fine.

But a cover doesn’t cover up the microphone, which could be turned on without your knowledge. Oh, you think that’s impossible? Here are some handy instructions. Or maybe you’ll say you’re not paranoid—it’s not a serious problem? Don’t be so naive, said the FBI seven years ago (they’re worried about predators stalking children), and the Atlantic, and USA Today more recently. The issue isn’t going away. With hacking skills growing more common, the problem has surely grown, if anything, more dire.

Another “clever” solution is to use a software off switch, like this (for Windows). But it simply turns your webcam’s driver on and off. Of course, it’s not too hard for a sufficiently skilled hacker to turn your driver back on and start recording you without your knowledge.

For USB devices, you can use a USB off switch like this, which seems like a good idea; but it doesn’t solve the problem for devices with built-in cameras and microphones like laptops and smart phones.

The humble “off” switch is now high technology. It is a significant selling point for the single device that I could find that comes equipped with one.

Do any computer cameras with “off” switches (not just covers) exist? They seem to be very rare at best, but I was able to find one: the company building a Linux phone, Purism, has a whole page devoted to the joys and wonders of its off switch—which is kind of ridiculous, if you think about it. The humble “off” switch is now high technology. It is a significant selling point for the single device that I could find that comes equipped with one.

(By the way, I have absolutely no relationship to Purism. I write about them because their focus is privacy and I’ve been writing a lot about privacy.)

The kill switch on Purism’s Librem laptop (c) Purism 2019

Your phone has the same problem, you know

Tape over the webcam? Covers to disable the functionality we paid for? Why on earth do we go to these lengths when hardware vendors could simply sell their products with off switches? The more I think about it, the more I find it utterly bizarre. Don’t these companies care?

I’ve just been talking about webcams, but let’s talk about the really horrible spy devices: your smart phone. Oh, your Android phone can’t be hacked? Here are some handy video instructions, viewed over 300,000 times and upvoted 1,100 times. Surely not your iPhone? Don’t be so confident; hackers are very creative, as (for example) the Daily Mail has reported, and besides, Apple is proud of its patent allowing remote control of iPhone cameras.

Besides, it’s been known since at least 2014 that the NSA had developed, as early as 2008, software to remotely access anybody’s phone.

And yet there isn’t a hardware off switch for your phone’s camera and microphone, short of turning the device entirely off (but there’s an app to turn the camera off). A device equipped with a hardware “off” switch for the camera and microphone isn’t yet on the market, as far as I know. Purism is making one.

It’s not just your webcam and your phone that you need to worry about, by the way. Do you have a smart speaker? At least you can mute Amazon Echo’s microphone, and it’s apparently a hardware switch, too, so well done, Jeff Bezos. That’s important, if true, because it prevents software exploits. I found no word on whether Google Home’s and Apple HomePod’s mute buttons are hardware switches; maybe not. How about a surveillance or doorbell camera? How about your smart TV? Those can be hacked too, of course, and some of them are always listening. Wouldn’t it be nice to have the peace of mind that they aren’t listening to you when you’re not using the TV?

In short, what if you want to turn these devices’ cameras and microphones off sometimes, for some perfectly legitimate reason? Can you do so in a trustworthy, hardware-based way? In most cases, for most devices, the answer is No.

Let’s demand that hardware vendors build hardware “off” switches

It’s almost as if the vendors of common, must-have devices want to make it possible to spy on us. An enterprising journalist should ask why they don’t make such switches. They certainly have deliberately made it hard for us to stop being spied upon—even though we’re their customers. Think about that. We’re their bread and butter, and we’re increasingly and rightly concerned about our security. Yet they keep selling us these insecure devices. That’s just weird, isn’t it? What the hell is going on?

But this, you might say, is both paranoid and unfair. Surely the vendors don’t intend to spy on you. Why would they add an off switch when nobody will turn your camera and microphone on without your consent?

But, as I already said, it’s a hard, cold fact that hackers and government and corporate spies can and sometimes do turn our cameras and microphones on without our consent. This isn’t controversial and, for anybody who is slightly plugged-in, shouldn’t be surprising. Security experts have known that, for many years, regardless of the intentions of hardware vendors like Logitech and Apple and large software vendors like Skype and Snapchat, the hardware, firmware, and software that run our devices just are susceptible to hacking. It’s just a fact, and we are right to be concerned. So these companies are responsible for building and selling insecure systems. At a minimum, they could be made significantly more secure with a tiny bit of hardware: the humble “off” switch.

If your webcam, or your phone, or any other device with an Internet-connected camera or microphone (think about how many you own) has ever been hacked, these companies are partly to blame if it was always-on by design. They have a duty to worry about how their products make their users less secure. They haven’t been doing this duty.

It starts with us. We the consumers need to care more about our privacy and security. We’re not powerless here. In fact, we could demand that they give us an off switch.

I think we consumers should demand that webcams, smart phones, smart speakers, and laptop cameras and microphones—and any other devices with cameras and microphones that are connected to the Internet—be built with hardware “off” switches that make it impossible for the camera and microphone to be operated.

Do you agree?


by

Posted

in

,

Comments

Please do dive in (politely). I want your reactions!

50 responses to “Vendors must start adding physical on/off switches to devices that can spy on us”

  1. Mike Stone

    I recently wrote to DARPA about standing up a federal Camera/Microphone Certification Authority to certify that hardware and software Off work as advertised. If you support this initiative please write to DARPA, Information Innovation Office, c/o DARPA.MIL or the Pentagon, Washington DC 20301.

  2. Ashley

    Absolutely we need cutoff switches. Hardware not soft-switches.

    But DARPA? They are critical to defending the US, but not via advocacy, by research.

    How to make hw cutoffs real: make it easy for hobbyists to open the phone and check. Cheap, easy, distributed, verifiable.

    1. Max

      If the hardware switch is integrated in a custom IC, it’s impossible for a hobbyist to verify. Only if it’s handled by a standard component (=more board space and cost) is it somewhat easily verifiable.

  3. Jesse

    This needs to happen, but not just a button. Buttons can be run through software (and then the software turns the indicator light on the button on/off), whereas sliding switches can’t be changed by the software.

    1. Nathan Myers

      Speakers can very frequently be used as microphones, particularly when driven directly from the audio chip without an intervening amplifier. (The pin used can typically be reconfigured as an input, in software.) So, ehrn we demand off switches for cameras and mikes, we should also demand isolation for speakers.

      1. Peter R Fletcher

        ‘particularly…’ should be: ‘but only…’. There is no feasible way of getting audio input from the speaker of an amplified speaker system. Amplifiers don’t work in reverse!

  4. Daniel W

    From a vendor perspective, I’d suspect a combination of penny pinching and engineering considerations. They don’t want to spend money on a switch, nor find room for it or make another hole in the case, if avoidable.

    From what I’ve read, switches and connectors are two of the most failiure-prone parts in modern electronics, so by removing those not considered neccesary, reliability is improved.

    That said, I think hardware “off” switches ARE neccessary. One challenge, though, would be to make sure they ARE actually working. It would be easy to hook up a switch to a pin on a chip, and as long as that pin, on a hardware level, turns something off, it would be fine. But if that pin is read by software that could be manipulated, it’s pointless. The problem is, you couldn’t really tell by looking inside the device. Both circuits could look identical.

    One way might be to make sure that, say, a webcam LED and the sensor shares the same power supply line, such that one cannot be on without the other, but that would still require careful following of PCB traces to verify, and on modern, multi-layer circuit boards, some traces may be inside the PCB and thus not be feasible to follow.

    So, rather, “true” off switches would have to visibly airgap a power supply line or similar, not because it’s a good design from a technological point of view, but because otherwise it would be very hard to PROVE that the off switch is absolutley unconditional.

    But, well, a third party certification that the off switch, however implemented, is real, would be a good start. A next best option would be to keep working to make “true off” a desirable feature, let market competition deliver and have enthusiasts tear things down to make sure, and shame those who are caught cheating.

  5. What if all recording devices were mandated be picked up on WIFI networks, with ‘network’ names that couldn’t be changed from describing what it is. It seems to me that actually knowing you’re being recorded could be the bigger issue over being able to disable it. I.e. You turn up to an Airbnb and there is a spy cam recording you. Let’s say in this case the camera had a physical ‘turn off’ switch. Problem is, you don’t know you’re being recorded. For many people, the first thing they do is hook up the WIFI on their devices. Hey presto, know you know there’s a device that’s recording you. No app needed, no extra expense for the majority of people, and crucially – it’s a deterrent to trying to record people. This doubtlessly glosses over the ambiguities of the real-world. It could also probably be hacked, but, maybe an idea…

    1. Peter R Fletcher

      If I were providing WiFi access at my Airbnb rental, I would certainly _not_ give the guest access to my primary network – for lots of reasons, none of which have to do with any wish to have a webcam spy on them. Most mid- to high-end WiFi routers have the option to provide a functionally separate network for use by guests, which just gives them access to the internet. If you login to such a ‘guest’ network, you can’t see any device that might be on the main network.

  6. Viktor

    They can? Yes.
    They will? Not at all.
    Just an small number of people want this. Most of them put that Alexa spy-can on their rooms happily! They WANT to be spied. Being spied by megacorps are their wet dream.

  7. Nardlo Sverdrup

    I pre-ordered the Librem 5 before I knew this; now I’m even more excited. You’ve got me considering ordering one of their laptops too.

    For the rest of the problems/devices (note the not-coincidental one-to-one correspondence), I solved the problem by not owning unnecessary “smart” shit. It really is that simple. I can flip my own light switches (speaking of switches).

    Basically you have to vote with your wallet.

  8. I started thinking about this problem a few years ago. What might work would be an alliance of privacy interests and a well publicized, (& funded!,) (& branded!,) effort. I was thinking of the name “Off Means Off” with a logo. There would be a list of standardized and verifiable capabilities and levels. Levels would be indicated by LED or some other independent indicator. An isolated microcontroller* or physical switch could cycle through the levels. The μCPU and LEDs must be hack proof (and independently verified!). There would be one indicator for everything on (enabled). No indicator lit means total power off. There would be additional indicators for camera off, microphone off, (or camera and microphone off,) RF (Bluetooth & WiFi etc) off, and possibly for when secure access to keyboard and screen is enabled. (The most common hack today is a screen or windows grab and a keyboard interceptor.) Think Samsung’s Knox; only independently verified. -H-
    * Built into a standard system chip, but with it’s own, independent pins. If we can get it built into *every* system chip, then the incremental cost drops to almost nothing.

  9. Stu

    Hardware off switches need to be written into the various security standards, which need to be complied with for many large government and military contracts around the world. Large companies would be forced to purchase hardware with the feature to remain compliant. Hardware manufacturers would be forced to add the feature to sell hardware to large companies.

  10. […] Vendors must start adding physical on/off switches to devices that can spy on us 342 by jrepinc | 148 comments on Hacker News. […]

Leave a Reply

Your email address will not be published. Required fields are marked *