Taping the webcam on your laptop isn’t a dumb idea. A security engineer has discovered a way to reflash the webcam firmware on a Lenovo ThinkPad X230 laptop and arbitrarily control its LED, independently of whether the webcam itself is activated. Malware could effectively turn on the camera without lighting the LED.
Andrey Konovalov, a Linux kernel security engineer who goes by the moniker xairy on GitHub, posted a tool to get software control of a webcam’s LED on the business laptop ThinkPad X230.
While the laptop model is already more than a decade old, the code sparked a heated discussion on Hacker News. Why isn’t the webcam LED hardwired?
The whitehat discovered that the X230's camera is plugged in over a USB connector and is based on the Ricoh R5U8710 USB camera controller. Some other laptops from 2012 also use this controller.
The controller stores part of the firmware, and the LED is connected to one of its pins. Therefore, the controller can enable or disable the LED independently.
After bricking a few laptops, xairy was able to develop and flash a custom firmware. To achieve that, the engineer had to dump and analyze the controller’s SROM (read-only memory) in hexadecimal and disassemble the code without any documentation to find locations responsible for streaming video and enabling the LED pin.
Xairy demonstrated that USB device firmware can be overwritten using software and then controlled by corrupted code.
“Laptop webcams are often connected over USB internally,” the engineer noted. “Firmware of many USB devices can be flashed over USB.”
He believes that LEDs on many webcams can be controlled similarly via a combination of software and firmware. Lenovo commented on his findings by saying that older, EOL systems such as the X230 did not include validation for firmware updates.
However, since 2019, Lenovo’s image processors “have included digital signature checks for camera firmware, and we have supported secure capsule updates with write protection.”
“Putting sticker onto a laptop webcam lens is not that paranoid,” xairy said.
Many would prefer physical switches
Cybernews researchers said that similar attacks, bypassing camera indicator LEDs, have already been performed numerous times in the past. The assumption that webcam LEDs are hardwired to the camera power supply is not always true.
“The significance of this type of attack is that it allows attackers to spy on their victims undetected, by installing malware on the affected models of laptops,” said Aras Nazarovas, a security researcher at Cybernews.
“While having camera indicator LEDs hardwired to a camera enable/activity/power signal is preferred, not all built-in webcams work this way.”
Nazarovas noted that the Lenovo X230 laptop used for the demonstrated proof of concept is over 10 years old (released in 2012). At that time, the practice of controlling webcam indicator LEDs via software was more commonplace and accepted, as such attacks were not as common or well known.
Meanwhile, the repository on GitHub got a lot of attention on Hacker News. The concern is that the demonstrated approach likely affects many other laptops that have the webcam connected via USB and allow reflashing the firmware.
“That's backwards. The LED should be connected to the camera's power or maybe the camera's ‘enable’ signal. It should not be operable via any firmware. The LED also has to be connected through a one-shot trigger (a transistor + a capacitor) so that it would light up, say, for at least 500 ms no matter how short the input pulse is. This would prevent making single shots hard to notice,” one of the users said.
Some argued that MacBooks and other modern computers have more robust hardware-based solutions to ensure that the LED always stays on when the camera is in use. However, many also argued they would prefer physical hardware switches or covers for cameras and microphones to bypass any software-based indicators.