Message-ID: <381cf376-72b0-4a5f-a99e-524f6d83a2d0@kernel.org>
Date: Tue, 18 Nov 2025 15:26:07 +0100
From: Hans de Goede <hansg@...nel.org>
To: Gergo Koteles <soyer@....hu>, Ricardo Ribalda <ribalda@...omium.org>
Cc: Laurent Pinchart <laurent.pinchart@...asonboard.com>,
Mauro Carvalho Chehab <mchehab@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
linux-media@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org
Subject: Re: [PATCH 4/4] media: uvcvideo: Introduce allow_privacy_override

Hi George,

On 18-Nov-25 12:14 PM, Gergo Koteles wrote:
..
>> Do you have a compelling use-case for turning off the privacy LED?
>>
>
> As a pet camera, it is useful to be able to turn off the LED.
> In some cases, it can also eliminate unwanted reflections.
> Some cameras may have blue LED, and if someone hates blue LEDs..

And almost all cameras already do not allow manually overriding the LED
turning on while streaming. There is a very low-tech solution for this,
put some black isolation tape over the LED :)

>> My core goal is simple: if the camera is in use, the privacy LED must
>> be ON. If the LED is ON unexpectedly, it serves as a clear indication
>> that something unusual is happening.
...
>> No freedom is lost. This change simply increases the
>> trustworthiness/reliability of your device.
>
> It will decrease to the extent that fewer people will know that such an
> option exists because they will not read the description of the
> module's parameters.

People currently already will not know that the option exists.
Seeing the current LED controls on Logitech cams requires 2 manual steps:

1. Install uvcdynctrl which maps the custom GUIDs to the LED controls
   Note distros do not install this by default
2. Use either a GUI v4l2-control app like qv4l2ucp or gtk-v4l, or
   v4l-ctrl -l to list controls and then change the setting.

So there already is close to 0 discoverability for this Logitech
only feature.

For the new MIPI cameras on laptops we have deliberately made it
impossible to disable the privacy LED while streaming even though
it is often controlled by a separate GPIO because of privacy reasons.

For the same privacy reasons I fully agree with Ricardo that this should
be behind a module option. Which replaces step 1. with creating
a /etc/modprobe.d/uvc.conf file, so just about as much work.

> And it's not possible to be sure that there isn't another undocumented
> option in the firmware to turn off the LED.
>
> A physical switch would be the best for this control, but that's not an
> option :(

Sure but remember perfect is the enemy of good. Having a v4l2-ctrl to
force the LED to always be off will make it a lot easier for an attacker
to use the camera without the LED turning on. Security is all about
layers / defense in depth and the module option is a nice and simple
way to make things harder for pervert spyware.

Regards,

Hans
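
A defender-side check for the module-option approach discussed in this message, as an added example that is not part of the original message or the patch series: it lists every place the override is set, in modprobe.d files or on the kernel command line, so an unexpected setting stands out. It assumes the parameter keeps the name from the patch subject (allow_privacy_override), belongs to the uvcvideo module and is parsed as a kernel boolean; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the patch series.
# Assumptions: parameter name allow_privacy_override (from the patch
# subject), module uvcvideo, value parsed as a kernel boolean.

# Print every setting found as "source:line: value".
# $1 = kernel command line file, remaining args = modprobe.d directories.
list_privacy_override() {
    cmdline=$1; shift
    if [ -r "$cmdline" ]; then
        # Module parameters can also be set at boot as module.param=value.
        awk -v src="$cmdline" '{
            for (i = 1; i <= NF; i++)
                if (index($i, "uvcvideo.allow_privacy_override=") == 1)
                    print src ":" NR ": " substr($i, 33)
        }' "$cmdline"
    fi
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            # Commented-out lines never have "options" as their first
            # field, so they are skipped without special handling.
            awk -v src="$f" '
                $1 == "options" && $2 == "uvcvideo" {
                    for (i = 3; i <= NF; i++)
                        if (index($i, "allow_privacy_override=") == 1)
                            print src ":" NR ": " substr($i, 24)
                }' "$f"
        done
    done
}

# Exit 0 if any setting found enables the override. Kernel booleans are
# true when the value starts with 1, y, Y, t or T, or with "on".
privacy_override_enabled() {
    list_privacy_override "$@" |
        grep -Eq ': ([1yYtT]|[oO][nN])[^ ]*$'
}

# Audit the running system's usual configuration locations.
list_privacy_override /proc/cmdline \
    /etc/modprobe.d /run/modprobe.d /usr/lib/modprobe.d
```

Any enabling line is reported regardless of which file modprobe would apply last, since for an audit every such line is worth reviewing.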