Google Turns Deaf Ear to Speech Recognition Exploit in Chrome

Each new technology seems to emerge together with exploitable baggage. Speech recognition, for example, is being used in rising technologies from Siri to smart homes and is evolving quickly. While speech recognition has the potential to make life much easier and quicker, like any technology it comes with flaws. In this case, the flaw is a Chrome browser exploit involving Google's speech recognition technology that was discovered and reported to Google and has yet to be fixed.

The exploit can occur when someone is using a site that uses speech recognition for any number of reasons. When the microphone is turned on, the user must grant Chrome permission to start recording their speech. Once permission is granted, the browser tab shows a red light and a camera icon appears in the address bar, signifying to the user that it's recording. Once the user leaves the site, however, the red light and camera icon disappear but the site retains the ability to keep listening in.

A pop-up window without the red light and icon, for example, can remain hidden from the user, disguised as a banner ad, yet still record anything within earshot of the computer. The data is sent to Google for analysis before being sent to the website that had the permission to record.

Tal Ater is the Israeli developer who discovered the flaw back in September. “As long as Chrome is running, the transcripts of anything that is said next to your computer can be recorded by the malicious site—your private phone conversations, meetings, anything within earshot of your computer is compromised,” Ater wrote in an e-mail to Ars Technica. “This is a unique vulnerability, as it essentially turns Chrome into an espionage tool with consequences on the physical world.” You can check out the exploit video here.

After reporting the vulnerability to Google's security team on September 13th, he received a response on the 19th saying Google's engineers had identified the bugs with suggested fixes. The patch was ready on the 24th and Ater was nominated for Chromium's Reward Panel, a prize that can go as high as $30,000. In a statement regarding the bug, Google said, “The security of our users is a top priority, and this feature was designed with security and privacy in mind.”

And then... nothing.

“A month and a half later, I asked the team why the fix wasn't released,” Ater said. They responded saying that due to discussions about the best fix case, nothing had been decided. “As of today, almost four months after learning about this issue, Google is still waiting to agree on the best course of action, and your browser is still vulnerable.” On Tuesday, Ater posted a blog about his find to try and spur Google on to make the necessary changes.

Much like the recently discovered way of turning off the light on Macs so that a user wouldn't know they're being filmed, these exploits give malicious users very easy access to highly coveted and private situations, and they highlight a growing issue with personal privacy. The apps on our phones and devices have permissions beyond what they need. Just browse through your phone's privacy settings and you'll wonder why your music app needs your location or your sleep cycle app wants microphone access. With Google Glass still to come to the general public, these are the kinds of privacy issues that need to be addressed before speech recognition becomes more widespread.

It's really up to us, as users, to be especially careful when visiting sites that ask for microphone and camera permissions. It also appears you cannot count on the red light and camera icon to always be lit while your microphone or camera is being used. Ars Technica recommends that Chrome users regularly check which sites have permission to access them.

Here's how you can keep an eye on your media permissions in Chrome:

  1. Head to your settings within Chrome
  2. At the bottom, hit ‘Advanced Settings’
  3. Scroll down to the ‘Privacy’ section
  4. Go into ‘Content Settings’
  5. Scroll down to ‘Media’
  6. ‘Manage exceptions’ to manage which sites have which permissions

Read Tal Ater's post on the exploit here.

Sarah Vonnegut

Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.