The Anker PowerConf C200 is a well-regarded budget webcam. It’s got a reasonable feature set, good quality video output, convenient mounting, and what’s more it’s got excellent privacy protection. No need to worry about hackers viewing your personal moments through your webcam!
With triple-layered defences, you ought to be able to rest easy:
- an LED that lights up when the camera is recording - no light, no recording.
- a physical privacy filter that pops in with the flip of a switch - bright red, too, so it’s obvious at a glance.
- software to detect the privacy filter position - if it’s switched on then the camera feed will be blanked out with a convenient icon so you know to unfilter when you want it.
Except none of that is true. You, or any software on your PC, can take a photo through the webcam with the red privacy filter closed - you get a real image rather than the blank frame-with-an-icon, and the LED does not light up!
Maybe that’s a bit strong:
- it does have an LED that lights up when the camera is recording (sometimes). The firmware checks if the privacy filter is closed before lighting the LED - so if you can get through the physical defence then the LED is useless - one layer of Swiss cheese down.
- it does have a physical privacy filter. And it is bright red, and has a convenient slider-controlled iris mechanism. But iris mechanisms don’t work for privacy protection - there’s a tiny hole in the middle that acts as a pinhole camera. Another layer of cheese gone.
- it does have software that detects the privacy filter position, but the firmware is incorrectly implemented, and it allows unfiltered frames through! And that’s all the security there was…
I will caveat the above - it is possible that new hardware revisions or firmware updates since I tested this webcam will have fixed these issues.
If you want to try this yourself, simply plug in the webcam, close the privacy cover, and run this command on a machine with ffmpeg. You’ll get a nice selfie saved!
```bash
ffmpeg -y -f video4linux2 -input_format h264 -video_size 2560x1440 -framerate 30 -i /dev/video0 -frames:v 1 selfie.jpg
```
In my personal opinion this is an example of product design that did not understand security requirements properly, and atrocious internal security culture at Anker. The iris mechanism with slider is a nice user interface, but nobody in the mechanical team spoke out at any point to say “this doesn’t work”. Instead, the firmware team just covered it up with a bodge - detect the slider position and blank out the stream. But this wasn’t tested to check it actually worked (or it was tested, and nobody in the test team cared that it didn’t work, which is worse). And the LED tally light is fail-dangerous rather than fail-safe. It should be linked in hardware to the power supply to the camera sensor, but obviously security wasn’t a concern for the electronics design team either.
Anker could have sold the webcam without the privacy cover, the LED, or the firmware filtering. But they didn’t. They understood the user requirement for privacy features. But they didn’t understand this as a security requirement - the user does. And the lack of security here is a fatal flaw to the product. The privacy filter is not just useless, it is worse than that, it is actively harmful - just like an exploding airbag.
This vulnerability was disclosed to Anker on 2026-02-15, but as 90 days have passed with no timeline for a firmware patch being released for this issue, public disclosure is being made.
My recommendation for webcam buyers is that they don’t buy a C200 if privacy against hackers is in their security model. For existing owners - keep the privacy filter open all the time. At least the tally light works when the iris is open as far as I can tell.
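Since the tally LED cannot be trusted while the filter is closed, a Linux owner can instead ask the kernel which processes hold the camera device open. This is an added example, not part of the original post; it assumes Linux with `/proc`, the camera exposed as `/dev/video*`, and the function names `camera_users` and `watch_camera` are made up for this illustration.

```bash
#!/usr/bin/env bash
# Added example: OS-level stand-in for the tally LED.
# Assumptions: Linux /proc layout, camera nodes named /dev/video*.

# camera_users [proc_root] [device_pattern]
# Prints "pid<TAB>comm<TAB>device" for every open file descriptor whose
# target matches the pattern. proc_root is a parameter so the scan can be
# pointed at a constructed tree; on a live system it is /proc.
# Run as root to see processes owned by other users.
camera_users() {
    local proc_root="${1:-/proc}"
    local pattern="${2:-/dev/video*}"
    local fd target pid comm
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # readlink fails for fds we may not inspect or that just closed.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            $pattern) ;;          # unquoted on purpose: treated as a glob
            *) continue ;;
        esac
        pid=${fd#"$proc_root"/}   # strip the proc root ...
        pid=${pid%%/*}            # ... and everything after the pid
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$target"
    done | sort -u
}

# watch_camera [interval_seconds]
# Polls camera_users and prints a timestamped line whenever the set of
# processes holding the camera changes.
watch_camera() {
    local interval="${1:-2}"
    local prev="" cur
    while :; do
        cur=$(camera_users)
        if [ "$cur" != "$prev" ]; then
            printf '[%s] camera holders:\n%s\n' "$(date '+%F %T')" "${cur:-<none>}"
            prev=$cur
        fi
        sleep "$interval"
    done
}

# Run as: ./camwatch.sh --watch [interval]
if [ "${1:-}" = "--watch" ]; then watch_camera "${2:-2}"; fi
```

Polling only sees a process while it has the device open, so a single-frame grab shorter than the interval can be missed; a short interval reduces but does not remove that gap.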