A friendly reminder to never trust manufacturers privacy protections.

I was recently attempting to get an external camera functioning, so I started polling various video devices sequentially to find out where it appeared and stumbled across a previously unknown (to me at least) camera device, right next to the regular camera that is not affected by the intentional privacy flap or "camera active" LED that comes built in.

I had always assumed this was just a light sensor and didn't think any further about it.

The bandwidth seems to drop dramatically when the other camera is activated by opening the privacy flap, causing more flickering.
This was visible IRL and wasn't just an artifact of recording it on my phone.
I deliberately put my finger over each camera one at a time to confirm the sources being projected.

A friend of mine suggested this may be related to Windows Hello functionality at a guess but still seems weird to not be affected by the privacy flap when its clearly capable of recording video.

dmidecode tells me this is a LENOVO Yoga 9 2-in-1 14ILL10 (P/N:83LC)

Command I used for anyone to replicate the finding. (I was on bog standard Kali, but I'm sure you'll figure out your device names if they change under other distros):
vlc v4l2:///dev/video0 -vv --v4l2-width=320 --v4l2-height=240 & vlc v4l2:///dev/video2 -vv --v4l2-width=320 --v4l2-height=240

#Cyber #Security #Infosec #Lenovo #Privacy #Hacking

Matt Organ

@Slater450413@infosec.exchange

Yeah, does look to be IR based on the output. It just seems very unusual to provide the illusion of privacy with hardware right next to it.

I haven't got a Windows version to test with but it equally there's a lot of privileged software that would be able to get to it just fine. From the legitimate sources, I doubt there's much specific logging if your SOC decided to bring it up remotely (nothing in directly in Elastic, Helix or Sophos comes to mind... Maybe Sysmon output).

From the not so legitimate sources, LPE on windows is not treated particularly critically and are pretty common. eventvwr and razor keyboard driver installers both had longstanding "easy wins", to mention the myriad of opportunistic dll highjacking.

The solution for all that would be for the privacy switch to actually just work as one would expect it too, even if it inconveniences windows hello.

February 6, 2026 at 6:51:24 AM
(Edited)
·

Elk Logo

Elk is in Preview!

Thanks for your interest in trying out Elk, our work-in-progress Mastodon web client!

Expect some bugs and missing features here and there. we are working hard on the development and improving it over time.

Elk is Open Source. If you'd like to help with testing, giving feedback, or contributing, reach out to us on GitHub and get involved.

To boost development, you can sponsor the Team through GitHub Sponsors. We hope you enjoy Elk!

三咲智子 Kevin DengPatakDaniel RoeAnthony Fu

The Elk Team