The Secure Design of the MacBook Neo’s On-Screen Camera Indicator
One might presume that the dedicated indicator lights are significantly more secure than the rendered-on-display indicators. I myself made this presumption in the initial version of my MacBook Neo review last week. This presumption is, I believe, wrong.
Later last week Apple published, and I linked to, a small update in their Platform Security Guide, which states:
MacBook Neo combines system software and dedicated silicon elements within A18 Pro to provide additional security for the camera feed. The architecture is designed to prevent any untrusted software — even with root or kernel privileges in macOS — from engaging the camera without also visibly lighting the on-screen camera indicator light.
[The] software-based camera indicator light in the MacBook Neo runs in the secure exclave part of the chip, so it is almost as secure as the hardware indicator light. What that means in practice is that even a kernel-level exploit would not be able to turn on the camera without the light appearing on screen. It runs in a privileged environment separate from the kernel and blits the light directly onto the screen hardware.
Previously:
- Apple Exclaves
- MacBook Neo
- Apple Platform Security Guide (May 2024)
- Monterey Shows Orange Microphone Dot on Video Projectors
- Don’t Close Your MacBook With a Camera Cover
- On Covering Webcams
- MacBook’s T2 Will Prevent Eavesdropping on Your Microphone
- Micro Snitch 1.0
- iSights Spying on Their Users Without Warning
Update (2026-03-20): Saagar Jha:
The indicator light is still software and this still means it is susceptible to compromise as all software is, in a way that a hardwired indicator cannot be. Sophisticated exploits achieve privileges beyond the kernel’s all the time.
The solution they picked does make it non-trivial to bypass and it is a good choice if a hardwired indicator is not available. However it is still substantially less secure than having one, and Apple knows it.
Update (2026-03-30): Bruce Schneier:
It’s really well-designed, and important in a world where malware could surreptitiously start recording.
11 Comments RSS · Twitter · Mastodon
That's not very surprising considering that's the technology iOS has always used. iOS devices never had a hardware indicator light.
@Sébastien iOS has always used a software indicator, but it sounds to me like until versions of iOS (and even still on older processors) it used different, less secure technology.
I wonder how this indicator will work for running a Fully Untrusted OS, such as Asahi Linux (when the support for A18 Pro becomes available, which seems to be a while away for now). Running untrusted/non-Apple OSes is something that even Apple allows, and documents extensively.
The link says the document is from December 2024 and from a quick search of the PDF I can't find anything about the indicator light.
For those who are more capable than I am of finding the actual information: Is there anything that guarantees the indicator will contrast with the background? Gruber's Photo Booth screenshot shows it as a plain green dot. If some nefarious software used a green background of the same shade, would it essentially hide the indicator?
Still though, seems to me having a hardware light that cannot be physically bypassed without bypassing the camera or physical access is more secure. Yet another software popup is not as effective as Apple and everyone else have trained users to ignore the yet another thing trying to get their attention. But people know very well what a web cam light means.
The hardware exists, I wonder how much cost savings could possible have been had by omitting this.
I always assumed that a hardware light was more secure since the energy that would power a camera would first pass through the led to warn you about it... I don't like things that rely on software only, specially with current track record that Apple have.
@KushSrivastava
> I wonder how this indicator will work for running a Fully Untrusted OS,
You know how there's no third party operating systems for iPhones, iPads, AppleTV and Apple Watches?
Guess what's going to happen in the next couple of years, now that the Mac is just an iPad.
"However [the software-based indicator light] is still substantially less secure than having one, and Apple knows it."
Saying something is "substantially less secure" is not the same as saying something is a substantial risk. This kind of number-less wording is common, like when a behavior increases some specific risk and it's described as far more deadly, when the numbers show the change is from a 0.005% chance of happening to a 0.05% chance. Sure, the chance is 10 times greater, but the chance is still unlikely.
Maybe the indicator-light setup Apple is using with the Neo is a basis for concern, but Jha hasn't demonstrated that (nor has anyone else that I have seen).
There are plenty of devices with software-controlled hardware lights. In fact, as far as I understand, on Apple Silicon MacBooks, the hardware light is also controlled independently of the camera through the secure enclave:
https://support.apple.com/guide/security/mac-on-screen-camera-indicator-light-sec75a2d237d/web
Unless you know exactly how both are implemented, there is no reason to assume that a hardware light is more secure than an on-screen indicator. Neither should be assumed to be reliable. The only difference is that you can probably hide the on-screen indicator with a background of the same color.
Sorry, I meant to link to this:
https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-brocker.pdf
"We describe how to disable the LED on
a class of Apple internal iSight webcams used in some
versions of MacBook laptops and iMac desktops. This
enables video to be captured without any visual indication
to the user and can be accomplished entirely in user space
by an unprivileged (non-root) application."
