Updated: Time to disconnect the microphone?
Chrome and the open source variant Chromium were downloading audio listening software without permission, not in the extensions list, and with audio set to 'enable'.
When it comes to sex and surveillance, if something is possible, then someone somewhere will try it. So when researchers reported this month that Google had secretly installed software on PCs that enabled listening to conversations in the room and export of the audio, without any permission being granted, concerns remained after the ‘bug fix'.
Open source developers found that Google's Chrome downloaded software to support its “OK, Google” hotword detection – including in the open source Chromium browser – but complained that it did not appear in the extension list.
Initially, they claimed it activated audio without user permission.
While surveillance was not the intention and hotword has since been removed from Chromium – and fixed to prevent automated download in Chrome – concerns about ‘blobs' with rootkit downloaders remain, and there are even calls to remove microphones or install hardware off switches.
On the Google developer boards, a developer called Anatol said that the hotword extension to Chromium v43 caused a binary blob to silently install itself,
“without: a) asking for user permission b) any sort of notification c) the extension being shown in the extension list,” but with “ability to record audio.”
He added, “I almost fell out of my chair when I saw that. Great strategy to erode trust of any user who is even slightly concerned with security (which, I assume, a lot of Chromium users are).”
Rick Falkvinge, the Pirate Party founder, described the issue in his blog as making PCs “stealth configured to send what was being said in your room to somebody else... without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions”.
In an email to SCMagazineUK.com Falkvinge adds, “The screenshot was actually from my own computer, not from the Debian bug report I had linked to. There had been no question, no opt-in, not even a notification.”
Google did post a link showing developer Yoshino Yoshihito had reported in the Open Source Debian Bug Tracking System that Chromium unconditionally downloads a binary blob. Yves-Alexis Perez notes on the same forum that: “There seems no opt-out config,” adding, “That's definitely not the stuff we'd like installed by default, without the user knowing (even if it's supposedly not installed).”
Vincent Bernat commented: “Audio Capture Allowed is set to yes, and both the extension and the shared module are marked as ‘enabled' are definitely bothering me.”
Then on June 15 Michael Gilbert said, “We believe that the bug you reported is fixed in the latest version of Chromium browser, which is due to be installed in the Debian FTP archive.”
While some developers continued to say that the default was microphone enabled, one clarified: “Extension State: ‘ENABLED' means the extension *can run*. It does not mean the extension is currently running.” He added, “The important one here is ‘Hotword Search Enabled'. If that says No, then the proprietary NaCl module is not running. If it says Yes, the module can run (but it only runs when you are on Google.com or New Tab Page).”
Falkvinge told SC: “As it turns out this module was never enabled on my system, because of the "NaCl: No" (see above) which I didn't understand at the time. I was alarmed enough by a module that - according to how I interpreted "Microphone: Yes" and "Audio Capture Permitted: Yes" - had given itself access to my microphone and considered itself allowed to use it to capture audio when it saw fit to do so.
“After all, when a company that does something like that - download a binary black box to my clean install, without as much as a notification, a black box whose stated purpose is to access the microphone and send captured audio back to the mothership, I have a very hard time trusting them in the future. It was probably a dumb mistake, but their unwillingness to admit it as such - even when confronted with the issue - contributes significantly to my non-trusting beyond the initial downloading of a black box.”
Another commentator on the developer site, Christoph Anton Mitterer, said, since no one really knows which binaries have been downloaded there and what they actually do, and since it cannot be excluded that it was actually executed, such systems are basically to be considered compromised.
“I seriously ...wonder whether it can be considered trustworthy enough to be part of Debian or whether it should be banned from it. More or less silently bundling proprietary code with open source software (especially but not only when enabled per default) can already be considered quite bad behaviour.
“But secretly downloading it leads to the question of possible malicious intent (and everyone knows that Google & Co do voluntarily and/or forcibly cooperate with NSA and friends). And I guess no one can prove that this blob didn't contain any rootkit, and even if – the rootkit'ed version may have been just distributed to certain people. The downloading makes it more or less impossible for the admin/user and especially for our maintainers to notice what's happening here (otherwise they'd need audit every line of code for any such occasions).
“Worse, Chromium isn't the only such rootkit-downloader,...”
Regarding potential hijacking of this capability, or interception of the messages transferred back under it, Falkvinge told SC, “The NSA has already done this for other Google traffic. So unless Google uses a completely different infrastructure for this particular part of its service - and developing it that way would make no sense at all, except in this particular hindsight - then it's already happening.
“(However) Developing an expensive technical hijack of the traffic is rather expensive, compared to providing Google with an infamous National Security Letter legally forcing them to provide it anyway. The technical route would probably be far more expensive than the "give us what we want" legal route.”
After further complaints, Google responded: “While we do download the hotword module on startup, we *do not* activate it unless you opt in to hotwording.”