A friendly reminder to never trust manufacturers' privacy protections.

I was recently attempting to get an external camera functioning, so I started polling various video devices sequentially to find out where it appeared and stumbled across a previously unknown (to me at least) camera device, right next to the regular camera that is not affected by the intentional privacy flap or "camera active" LED that comes built in.

I had always assumed this was just a light sensor and didn't think any further about it.

The bandwidth seems to drop dramatically when the other camera is activated by opening the privacy flap, causing more flickering.
This was visible IRL and wasn't just an artifact of recording it on my phone.
I deliberately put my finger over each camera one at a time to confirm the sources being projected.

A friend of mine suggested this may be related to Windows Hello functionality at a guess but still seems weird to not be affected by the privacy flap when it's clearly capable of recording video.

dmidecode tells me this is a LENOVO Yoga 9 2-in-1 14ILL10 (P/N:83LC)

Command I used for anyone to replicate the finding. (I was on bog standard Kali, but I'm sure you'll figure out your device names if they change under other distros):
vlc v4l2:///dev/video0 -vv --v4l2-width=320 --v4l2-height=240 & vlc v4l2:///dev/video2 -vv --v4l2-width=320 --v4l2-height=240

#Cyber #Security #Infosec #Lenovo #Privacy #Hacking

@jik Yeah, does look to be IR based on the output. It just seems very unusual to provide the illusion of privacy with hardware right next to it.

I haven't got a Windows version to test with but equally there's a lot of privileged software that would be able to get to it just fine. From the legitimate sources, I doubt there's much specific logging if your SOC decided to bring it up remotely (nothing directly in Elastic, Helix or Sophos comes to mind... Maybe Sysmon output).

From the not so legitimate sources, LPEs on Windows are not treated particularly critically and are pretty common. eventvwr and Razer keyboard driver installers both had longstanding "easy wins", not to mention the myriad of opportunistic DLL hijacking.

The solution for all that would be for the privacy switch to actually just work as one would expect it to, even if it inconveniences Windows Hello.

A few people have pointed out the security separation being a point of difference in Windows but I do wonder if that actually exists or if it is just assumed?

The hardware itself just presents as a regular camera with a regular generic driver, nothing special about it.

The login screen context is certainly a segregated context (has been since Win2k, I think) but does anyone elevate to enroll their face under their own user context?

I've never used Windows Hello, so my knowledge is quite dated but I don't believe fingerprint scanners do, which would be a similar mechanism where an abstract identity token from an arbitrary hardware device is created and stored without the need to elevate. Presumably you still need to authenticate to prove "you are you" when enrolling new methods but just no privilege escalation to use the hardware device for the capture itself.

Well that was an unexpected twist.
Dammit Physics!

I decided to put some regular black electrical tape over the camera to block it whilst keeping a neat finish. Turns out IR passes straight through electrical tape 😂

I did consider whether it's because of the adjacent backlight and so I tried blocking that too, however most of the rooms I sit in have enough ambient IR to not matter.

I'm considering something more "glass like" since that seems to reflect IR much better but that seems a pain.
Anyone else have a better solution they've found?

It's probably at the point for me that it's "good to know but can't be bothered" but there's just so many interesting and unexpected outcomes I felt compelled to satisfy my curiosity and share.

#Cyber #Security #Infosec #Lenovo #Privacy #Hacking

@Slater450413 You could try aluminium or copper tape, or use electrical tape to fix a small piece of aluminium foil. That should block any light short of gamma rays, I think.

@maxy Fair point, hadn't considered copper tape, I might give that a go. 👍

I'd been thinking next time I find a smashed phone screen protector, I'd take a small piece of that. I based that theory purely on seeing how bad IR security cameras are from behind glass.

The electrical tape experience I had reminded me of a YouTube clip I saw recently where a germanium coin had a similar outcome.

https://youtube.com/shorts/Chx2hnZrUAQ?si=uUrHtl46_CCF_wy-

This Metal Is Completely See-Through

@Slater450413 Pretty sure that's an IR camera which is indeed used for facial recognition login. Covering it up with the flap would disable facial recognition, which is presumably why they don't cover it, but I definitely hear your privacy concerns.
One would expect the OS not to give unprivileged processes access to that video stream, and maybe that's how it works on Windows, but apparently not on Linux.

@jik @Slater450413 The fact that the image is black and white suggests to me that yes, it’s an IR camera for facial recognition.

I think the presence of a privacy flap is the real problem here, because it gives the illusion of privacy. If the flap wasn’t there to begin with, this wouldn’t be an issue.

@drahardja @jik @Slater450413

Exactly. The false sense of privacy is the main issue here. We all know an exclusive "windows-kernel level resource" will not stay exclusive for long if it's useful…

@iwoakura @drahardja @jik @Slater450413
exactly what I say all the decades, if hardware is there then it WILL be used

It's only a hack or a silent update away until someone has access to the camera, while you don't even know you are watched by someone

@drahardja @jik @Slater450413 yeah you can also see the IR illuminator flashing
@jik @Slater450413 I am pretty sure you need to be part of the video group or superuser to access the video loopback devices on most Linux distros, but it probably varies across distributions.

@kraftnix @jik OK, just booted up real quick. Confirming I am in the "video" group with that standard user. That makes sense.

Edit: and that the group permissions on all /dev/video* is also video.
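The permission check discussed in the posts above, written as an audit script. This is an added example, not part of any post in the thread: it lists each V4L2 node with its driver-reported name from `/sys/class/video4linux` and reports whether a given user can open it based on owner, group and mode bits. The function names `can_open_rw` and `audit_video_nodes` are hypothetical.

```python
import os
import stat
from pathlib import Path

RW_OWNER = stat.S_IRUSR | stat.S_IWUSR
RW_GROUP = stat.S_IRGRP | stat.S_IWGRP
RW_OTHER = stat.S_IROTH | stat.S_IWOTH

def can_open_rw(mode, owner_uid, owner_gid, uid, gids):
    """POSIX class selection: owner bits, else group bits, else other bits.
    uid 0 bypasses the check. POSIX ACLs are NOT evaluated here."""
    if uid == 0:
        return True
    if uid == owner_uid:
        want = RW_OWNER
    elif owner_gid in gids:
        want = RW_GROUP
    else:
        want = RW_OTHER
    return (mode & want) == want

def audit_video_nodes(sysfs_root="/sys/class/video4linux", dev_root="/dev",
                      uid=None, gids=None):
    """Return one row per video node: path, sysfs name, mode string, access."""
    uid = os.getuid() if uid is None else uid
    gids = (set(os.getgroups()) | {os.getgid()}) if gids is None else set(gids)
    entries = sorted(Path(sysfs_root).glob("video[0-9]*"),
                     key=lambda p: int(p.name[5:]))
    rows = []
    for entry in entries:
        node = Path(dev_root) / entry.name
        if not node.exists():
            continue
        label = entry / "name"
        st = node.stat()
        rows.append({
            "node": str(node),
            "name": label.read_text().strip() if label.exists() else "unknown",
            "mode": stat.filemode(st.st_mode),
            "accessible": can_open_rw(st.st_mode, st.st_uid, st.st_gid, uid, gids),
        })
    return rows

if __name__ == "__main__":
    for r in audit_video_nodes():
        flag = "OPEN  " if r["accessible"] else "denied"
        print(f'{flag} {r["mode"]} {r["node"]}  {r["name"]}')
```

On desktops where the login manager grants the active session ACLs on camera nodes, `getfacl /dev/video2` can show access that this mode-bit check does not see.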

@Slater450413 My laptop doesn't even have one. So false sense of security!
@Slater450413 that’s common to most modern business-y windows laptops. That’s an IR cam that windows uses for with a presence detection. It’s not supposed to be visible to applications on windows, and because of that privilege separation it makes sense to not have it covered by the shutter. Otherwise you’d have to open the regular cam that’s accessible to unprivileged applications as well every time to log in using face recognition.
@Slater450413 covering that cam with the privacy shutter would also silently disable lock on leave (presence detection screen lock), which would open up an unintuitive security footgun when someone expects their laptop to automatically lock when they go away but forgets they closed their privacy shutter.
@Slater450413 I think the core issue here is that linuxes just don’t share the same security distinction windows uses for these cameras and that mismatch looks weird.

@jaseg I totally get they want to keep support calls down (I don't blame them for that and makes sense).

I guess I find it a little more non-negotiable that they could at least blip the activity LED when there's activity on the bus at the hardware level instead of needing consumers to read developer docs.

I'm comfortable and capable of doing the research but until now, I didn't realise I even needed to. I had, incorrectly in hindsight, assumed privacy screen meant privacy and activity LED meant activity which is a pretty normal presumption for any regular person.

@Slater450413 I think their design is sound, but it’s rude that they didn’t consider how it interacts with linuxes. I agree that an activity indicator, similar to how faceID is handled on apple phones, would be useful. From a security perspective, a more fail-safe design would handle the image processing inside the IR camera module and only present a binary “go/no go” sensor signal to the OS similar to how fingerprint readers work.
@Slater450413 having the image processing done inside the camera module would solve the privacy issue on linux or other oddball OSes, but would probably compromise security on windowses since the firmware for these modules would be hard to maintain and to update.

@Slater450413 Yes, this is the #IR camera with #LIDAR functionality as per #WindowsHello spec.

  • And the only reasonable way to deal with it is to unplug it physically...

AFAIK only @purism / #Purism does physical disconnection of the data lines for cameras.

@kkarhan @Slater450413 @purism

I tried to find info about lidar but I don't see anything, only about infrared.

I would be interested in turning a webcam into a depth camera if it would be even possible.

@ludrol @kkarhan @purism I saw your comment and immediately thought of Johnny Chung Lee with his Wiimote hacking years ago .... Good times! 🙌😂

https://www.reddit.com/r/gaming/comments/13l6sw8/throwback_to_2008_when_the_nintendo_wii_was/

@Slater450413 I just tested it on the Lenovo T15 Gen 2. On this laptop the privacy-shutter blocks the IR-cam, too. And the IR-cam enables the little cam-is-on-LED, too.

(And the privacy shutter blocks the little cam-is-on-LED, too which I dislike.)

@ranlvor oh, that's interesting 🧐
Photo essay shows how AP photographers captured infrared technology used in surveillance

When you unlock a phone, step into view of a security camera or drive past a license plate reader at night, beams of infrared light - invisible to the naked eye — shine onto the unique contours of your face, your body, your license plate lettering.

AP News

@Slater450413 interesting

my laptop also has a black-and-white camera, which seems to use infrared, but its usage is more noticeable, as there's a red blinky light behind it whenever it's on (and the regular IR camera has a white light)

both are visible to webcam-using apps

@Slater450413 That's the regular IR camera on modern (especially business) laptops. Used for authentication, eg. windows hello

Weird that the cover is not affecting the IR camera part on the Yoga, it does cover it on the Thinkpad L14 G5. I didn't need VLC to open it, it works with the KDE built-in camera app "Kamoso".

@exec @Slater450413

A lot of vendors build it that way actually. Basically all that do not sell into VS-NfD context build it that way. The device is hidden on a driver basis within windows so that software cannot access its video feed.

They would rather decrease the amount of support calls for people trying to use windows hello while having that privacy thingy covering it than actually providing privacy...

@exec Same here on a T14 G6 - its camera switch will turn off both main and IR camera (or well, at least their respective video streams, the camera devices are still there).

@Slater450413

@Slater450413

That's the IR camera used for things like Windows Hello to allow you to sign in without entering a password.

Also the reason it is not affected by the privacy thingy is because on windows you're not able to poll the video from it. It doesn't show up as a camera device there if I recall correctly.

On e.g. linux though...

@Slater450413

product manager at lenovo: seems a legit compromise between security and convenience

@mattesilver yeah, can't say I agree with that.

I get the privacy flap causing Helpdesk issues trade off. OK, it's not the choice I'd prefer personally but I accept it's probably necessary but to have an activity light right there and not use it is an.... odd choice.

The framerate drop suggests they're on the same interface, so just using literal power draw when it wakes up to activate the LED would be all it needs.

Having said all that, I'm hardly outraged. I'm sure there are people out there who actually need this kinda privacy and subsequently, this info is now available. So good luck to them.

The extent of it to me was "oh cool" (plays around with it for 20mins) followed by "hmmm, I should probably wear pants more often around the house if the laptop is running in the same room".

Out of this thread I've now learned that the experience is not even consistent across Lenovo product range. Won't stop me buying them in the future but I'll probably change my habits and expectations around privacy switches.

@Slater450413 My T490 does the exact same thing! I ended up painting the lens with a marker to cover it up.
There was something different, however: I haven't managed to turn the IR illuminator on so I have never managed to get anything resembling a real image out of it. Just a bit of my silhouette
@Slater450413 With Lenovo, one can't help but to immediately wonder if this is deliberate for CCP reasons.
@Slater450413 I have one of those on my new ThinkPad. Yes it is an identity camera. It is IR only and a pulsed IR LED lights up your face when it activates. It shows up as one of the /dev/video devices in Linux.
@Slater450413 I just tried this out on my X1 Extreme 2nd gen. The IR camera is the same as the normal one on it. But there is another hole. It could be some kind of IR LED but I couldn't trigger it.