Each new technology seems to emerge together with exploitable baggage. Speech recognition, for example, is being used in rising technologies from Siri to smart homes and is evolving quickly. While speech recognition has the potential to make life much easier and quicker, like any technology it comes with flaws. In this case, the flaw is a Chrome browser exploit involving Google’s speech recognition technology that was discovered and reported to Google and has yet to be fixed.
The exploit can occur when someone is using a site that uses speech recognition for any number of reasons. When the microphone is turned on, the user must grant Chrome permission to start recording their speech. Once permission is granted, the browser tab shows a red light and a camera icon appears in the address bar, signaling to the user that the site is recording. Once the user leaves the site, however, the red light and camera icon disappear, but the site retains the ability to keep listening in.
A pop-up window without the red light and icon, for example, can remain hidden to the user as a banner ad yet still record anything within earshot of the computer. The data is sent to Google for analysis before being sent to the website that had the permission to record.
Tal Ater is the Israeli developer who discovered the flaw back in September. “As long as Chrome is running, the transcripts of anything that is said next to your computer can be recorded by the malicious site—your private phone conversations, meetings, anything within earshot of your computer is compromised,” Ater wrote in an e-mail to Ars Technica. “This is a unique vulnerability, as it essentially turns Chrome into an espionage tool with consequences on the physical world.” You can check out the exploit video here.
After reporting the vulnerability to Google’s security team on September 13th, he received a response on the 19th saying Google’s engineers had identified the bugs with suggested fixes. The patch was ready on the 24th and Ater was nominated for Chromium’s Reward Panel, a prize that can go as high as $30,000. In a statement regarding the bug, Google said, “The security of our users is a top priority, and this feature was designed with security and privacy in mind.”
“A month and a half later, I asked the team why the fix wasn’t released,” Ater said. They responded saying that due to discussions about the best fix case, nothing had been decided. “As of today, almost four months after learning about this issue, Google is still waiting to agree on the best course of action, and your browser is still vulnerable.” On Tuesday, Ater published a blog post about his find to try to spur Google on to make the necessary changes.
Much like the recently discovered way of turning off the light on Macs so that a user wouldn’t know they’re being filmed, these exploits allow malicious users very easy access to highly coveted and private situations, and highlight a growing issue with personal privacy. The apps on our phones and devices have permissions beyond what they need – just browse through your phone’s privacy settings and you’ll wonder why your music app needs your location or your sleep cycle app wants microphone access. With Google Glass still to come to the general public, these are the kinds of privacy issues that need to be addressed before speech recognition becomes more popular.
It’s really up to us, as users, to be especially careful when visiting sites that ask for microphone and camera permissions. It also appears you cannot count on the red light and camera icon to always beam while your microphone or camera is being used. Ars Technica recommends Chrome users regularly check the sites which have permission to access these.
Here’s how you can keep an eye on your media permissions in Chrome:
- Head to your settings within Chrome
- At the bottom, hit ‘Advanced Settings’
- Scroll down to the ‘Privacy’ section
- Go into ‘Content Settings’
- Scroll down to ‘Media’
- ‘Manage exceptions’ to manage which sites have which permissions
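The same review can be scripted. The following is an added example, not part of the original article or Tal Ater's write-up: it lists the origins that hold an "allow" grant for the microphone or camera in a parsed Chrome profile `Preferences` JSON file. It assumes the layout current Chrome builds use (`profile.content_settings.exceptions.media_stream_mic` and `media_stream_camera`, with `setting` 1 meaning allow); the function name and the sample data are constructed for illustration.

```python
import json
import sys

# Assumption: Chrome stores content settings as integers, 1 = allow, 2 = block.
ALLOW = 1
# Assumption: preference keys used by current Chrome builds for media grants.
MEDIA_KEYS = {"media_stream_mic": "microphone", "media_stream_camera": "camera"}


def sites_with_media_access(prefs):
    """Return sorted (origin, device) pairs that are set to 'allow'."""
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {}))
    granted = []
    for key, device in MEDIA_KEYS.items():
        for pattern, entry in exceptions.get(key, {}).items():
            # Keys look like "https://site:443,*"; the first part is the origin.
            if isinstance(entry, dict) and entry.get("setting") == ALLOW:
                granted.append((pattern.split(",", 1)[0], device))
    return sorted(granted)


# Constructed sample mirroring the assumed Preferences structure.
SAMPLE_PREFS = {"profile": {"content_settings": {"exceptions": {
    "media_stream_mic": {
        "https://voice.example:443,*": {"setting": 1},
        "https://ads.example:443,*": {"setting": 2},
    },
    "media_stream_camera": {
        "https://meet.example:443,*": {"setting": 1},
    },
}}}}

if __name__ == "__main__":
    # Pass the path to a profile's Preferences file, or run with no
    # arguments to see the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    else:
        prefs = SAMPLE_PREFS
    for origin, device in sites_with_media_access(prefs):
        print(f"{device:10} allowed for {origin}")
```

Any origin in the output that you do not recognise or no longer use is a candidate for removal under ‘Manage exceptions’.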
Read Tal Ater’s post on the exploit here.