When it comes to sex and surveillance, if it's possible, then someone somewhere will try it, so when researchers reported this month that Google had secretly installed software on PCs enabling listening to conversations in the room and export of the audio without any permission being granted, concerns remained after the ‘bug fix'.
Open source developers found that Google's Chrome downloaded software to support its “OK, Google” hotword detection – including in the open source version Chromium browser – but complained that it did not appear in the extension list.
Initially, they claimed it activated audio without user permission.
While surveillance was not the intention and hotword has since been removed from Chromium – and fixed to prevent automated download in Chrome – concerns about ‘blobs' with rootkit downloaders remain, and there are even calls to remove microphones or install hardware off switches.
On the Google developer boards, a developer called Anatol said that the hotword extension to Chromium v43 caused a binary blob to silently install itself,
“without: a) asking for user permission b) any sort of notification c) the extension being shown in the extension list,” but with “ability to record audio.”
He added, “I almost fell out of my chair when I saw that. Great strategy to erode trust of any user who is even slightly concerned with security (which, I assume, a lot of Chromium users are).”
Rick Falkvinge, the Pirate Party founder, described the issue in his blog as making PCs “stealth configured to send what was being said in your room to somebody else... without your consent or knowledge, an audio transmission triggered by… an unknown and unverifiable set of conditions”.
In an email to SCMagazineUK.com Falkvinge adds, “The screenshot was actually from my own computer, not from the Debian bug report I had linked to. There had been no question, no opt-in, not even a notification.”
Google did post a link showing developer Yoshino Yoshihito had reported in the Open Source Debian Bug Tracking System that Chromium unconditionally downloads a binary blob. Yves-Alexis Perez notes on the same forum that: “There seems no opt-out config,” adding, “That's definitely not the stuff we'd like installed by default, without the user knowing (even if it's supposedly not installed).
Vincent Bernat commented: “Audio Capture Allowed is set to yes, and both the extension and the shared module are marked as ‘enabled' are definitely bothering me.”
Then on June 15 Michael Gilbert said, “We believe that the bug you reported is fixed in the latest version of Chromium browser, which is due to be installed in the Debian FTP archive.”
While some developers continued to say that the default was microphone enabled, one clarified: “Extension State: ‘ENABLED' means the extension *can run*. It does not mean the extension is currently running.” He added, “The important one here is ‘Hotword Search Enabled'. If that says No, then the proprietary NaCl module is not running. If it says Yes, the module can run (but it only runs when you are on Google.com or New Tab Page).”
Falkvinge told SC: “As it turns out this module was never enabled on my system, because of the "NaCl: No" (see above) which I didn't understand at the time. I was alarmed enough by a module that - according to how I interpreted "Microphone: Yes" and "Audio Capture Permitted: Yes" - had given itself access to my microphone and considered itself allowed to use it to capture audio when it saw fit to do so.
“After all, when a company that does something like that - download a binary black box to my clean install, without as much as a notification, a black box whose stated purpose is to access the microphone and send captured audio back to the mothership, I have a very hard time trusting them in the future. It was probably a dumb mistake, but their unwillingness to admit it as such - even when -confronted with the issue - contributes significantly to my non-trusting beyond the initial downloading of a black box.”
Another commentator on the developer site, Christoph Anton Mitterer, said, since no one really knows which binaries have been downloaded there and what they actually do, and since it cannot be excluded that it was actually executed, such systems are basically to be considered compromised.
“I seriously ...wonder whether it can be considered trustworthy enough to be part of Debian or whether it should be banned from it. More or less silently bundling proprietary code with open source software (especially but not only when enabled per default) can already be considered quite bad behaviour.
“But secretly downloading it leads to the question of possible malicious intent (and everyone knows that Google & Co do voluntarily and/or forcibly cooperate with NSA and friends). And I guess no one can prove that this blob didn't contain any rootkit, and even if – the rootkit'ed version may have been just distributed to certain people. The downloading makes it more or less impossible for the admin/user and especially for our maintainers to notice what's happening here (otherwise they'd need audit every line of code for any such occasions).
“Worse, Chromium isn't the only such rootkit-downloader,..."
Regarding potential hijacking of this capability, or interception of the messages transferred back under it, Falkvinge told SC, “The NSA has already done this for other Google traffic. So unless Google uses a completely different infrastructure for this particular part of its service - and developing it that way would make no sense at all, except in this particular hindsight - then it's already happening.
“(However) Developing an expensive technical hijack of the traffic is rather expensive, compared to providing Google with an infamous National Security Letter legally forcing them to providing it anyway. The technical route would probably be far more expensive than the "give us what we want" legal route.”
After further complaints, Google responded: “While we do download the hotword module on startup, we *do not* activate it unless you opt in to hotwording.”
Regarding downloading a binary blob into an open source application, ie Chromium on Linux, it is noted that “We [Google] do not directly distribute it [Chromium], or make any guarantees with respect to compliance with various open source policies... If a third party (such as Debian) distributes it, it is their responsibility to enforce their own policy. And I see that they have now done that by disabling the hotword module.”
As to not showing the extension on the extension list, Google says, “We consider component extensions to be part of the basic Chrome experience,” ie, the listening code is considered not part of the open source audit process.
Another commentator said, “As long as this NaCl module remains closed source there is nothing that Google can do to reassure users that this is 100 percent benign... Therefore any privacy conscious users should ensure that the NaCl module is not loaded, but along that line, should also remove the microphone from their system.”
Chromium decided to remove the hotwording component entirely from Chromium saying: “As it is not open source, it does not belong in the open source browser.”
But the exercise has demonstrated yet another potential avenue of attack, and one where physical rather than software defences may be the only assured prevention route.
In an email to SCMagazineUK.com, Sarb Sembhi, director at STORM Guidance observed: “When it comes to collecting data, vendors find it all too easy to do without having to ask for permission first, yet when it comes to ensuring privacy, it seems to be all too hard. This is just not the right or acceptable balance that should be allowed or accepted by anyone. And is one of the issues the EU Data Protection Regulation is attempting to deal with and equally why the big data collectors are fighting it.”
Falkvinge warns: “All and every collection of data must be regarded in terms of what its worst-case abuse is. A voice search feature is certainly useful, by any measure. But at the same time, it enables eavesdropping of a billion rooms, at the identified-individual level.(Chromium and Chrome have about a billion installs.) And if we've learned anything at all from the Snowden files, it is that every single technical surveillance capability will be abused to its full extent.
He concludes: “I do not believe they (Google) have the slightest bad intent, but there are other shady people in the background that might use this for their own purposes. Which is why I advocate that webcams need a physical hard shield before the lens now, and microphones need a hard switch that severs the electrical connections.” Like many in the industry, he follows his own advice and uses removable and reusable stickers from the EFF.
For his desktop microphone, he has a hard switch usually in the MUTE position. And he comments: “I still don't know of a hard switch for laptops. Software switches are no longer good enough.”