Listening Device via Chrome

Thursday, January 23, 2014 @ 05:01 PM gHale

Several security flaws in Chrome can turn the browser into a surreptitious listening device, a researcher said.

Not long ago, Chrome gained support for voice input, and there are already websites that offer speech recognition to interested users.


For the browser's voice feature to work, the website explicitly asks the user's permission to use the computer's microphone. If the user allows it, the site has access to the microphone and the browser indicates this with a blinking red light. When the user closes the site, Chrome automatically stops listening.

But Israeli developer Tal Ater said the functionality can end up misused by bad guys.

Most sites using speech recognition choose to use secure HTTPS connections. This doesn’t mean the site is safe, just that the owner bought a $5 security certificate. When you grant an HTTPS site permission to use your mic, Chrome will remember your choice, and allow the site to start listening in the future, without asking for permission again. This is perfectly fine, as long as Chrome gives you clear indication there is the potential of someone listening, and the site can’t start listening to you in background windows hidden to you.

When you click the button to start or stop the speech recognition on the site, what you won’t notice is the site may have also opened another hidden popunder window. This window can wait until the main site closes, and then start listening in without asking for permission. This can be done in a window that you never saw, never interacted with, and probably didn’t even know was there.

Even if the user does notice that window (which can end up disguised as a common banner), Chrome does not show any visual indication speech recognition is on in such windows — only in regular Chrome tabs.

Ater discovered that such an attack was possible last September, while working on a JavaScript Speech Recognition library. He shared his discovery with Google, and they confirmed the existence of the flaws and apparently prepared a fix less than two weeks later.

But the fix was never released. When he asked what the holdup was, they answered that they were still debating with the W3C (World Wide Web Consortium) whether it should be released.

Four months later, they still had not made a decision, so Ater revealed the existence of these flaws and made the source code for the exploit public, in the hope that this would prompt Google to finally do something about it.

Google has now responded by saying that “the feature is in compliance with the current W3C specification,” and that they continue to work on improvements.

Any Chrome user can change the browser’s settings to prevent websites from spying on them in this way (Settings > Show advanced settings > Content Settings > select: Do not allow sites to access my camera and microphone).
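To check which sites Chrome has already remembered as allowed to use the microphone, the persistent grants described above can be listed from a profile's Preferences file. The following is an added example, not code from the article or from Ater; the key path `profile.content_settings.exceptions.media_stream_mic` and the setting values 1 (allow) and 2 (block) are assumptions about the Preferences layout, and the sample data is constructed.

```python
import json

# Assumed location of microphone exceptions inside Chrome's per-profile
# Preferences JSON (an assumption, not stated in the article).
MIC_PATH = ("profile", "content_settings", "exceptions", "media_stream_mic")
ALLOW = 1  # assumed value for "allow"; 2 is assumed to mean "block"

# Constructed sample standing in for a real Preferences file.
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"media_stream_mic": {
        "https://speech-demo.example:443,*": {"setting": 1},
        "https://dictation.example:443,*": {"setting": 1},
        "https://meet.example:443,*": {"setting": 2},
        "https://broken.example:443,*": "not-a-dict",
    }}}}
})

def remembered_mic_grants(prefs_text):
    """Return sorted origins that may use the mic without a new prompt."""
    node = json.loads(prefs_text)
    for key in MIC_PATH:
        # Tolerate profiles where any level of the path is missing or malformed.
        node = node.get(key, {}) if isinstance(node, dict) else {}
    if not isinstance(node, dict):
        return []
    grants = []
    for pattern, entry in node.items():
        if not isinstance(entry, dict) or entry.get("setting") != ALLOW:
            continue  # blocked, unset, or malformed entry
        # Keys are "primary,secondary" pattern pairs; the primary is the site.
        grants.append(pattern.split(",", 1)[0])
    return sorted(grants)

if __name__ == "__main__":
    for origin in remembered_mic_grants(SAMPLE_PREFS):
        print(f"{origin}: remembered grant, can listen without asking again")
```

To audit a real profile, pass the text of its Preferences file instead of `SAMPLE_PREFS`; any origin listed that you do not recognise can be removed in the content settings page mentioned above.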


