Friday, January 24, 2014

Is Google Chrome Actually Listening?

If you've been watching security news this week, you've probably seen a number of articles about this exploit that the writer claims allows Google chrome to be turned into a surveillance tool. If true, this could be very concerning for Chrome users, but with all things cyber-security related, it's best to apply some analysis to the situation before one runs to the hills. Here is some of the analysis and questions I asked myself going through this exploit.



What exploit is being presented?

This might seem simple, but it's an important question to start with. What are you being told is actually broken and exploitable? Most demonstrations of an exploit require lots of other technologies to make them possible and the media will often mix these other technologies into their articles as being vulnerable too. So what should be focused on? In this case, the author is claiming that when you have given permission to a website to use your microphone, if a second window is popped up, it doesn't always display the "recording" icon in popups (Does anyone not close popups with a vengeance? I thought humans have hated them since the 90's).

Are non-vulnerable technologies being presented as scary?

Now it sounds a little less scary. It's really just saying Chrome isn't confirming your permissions setting to you (a bug, no doubt, but far short of turning chrome into an automated surveillance tool against the user's will and without their knowledge). If you watch the youtube video on the bug, most of the video is spent on voice recognition and popups and demonstrating how the library the author is using can highlight predefined words as the library recognizes your speech. While this has it's own implications for privacy, we are now very far away from what the exploit is actually about.

As a side note an easy way to raise fear in a person when you're telling them about a vulnerability is to make it personal and to use buzz words from current events. Whether your discussing a facebook, email, google, gmail, or other kind of vulnerability telling someone you can catch their conversation about finances, boys they think are cute, or the NSA and Syria is a sure fire way to get attention. If someone does this, you should question how solid their exploit is and their motives in presenting it.

Does the presenter have anything to gain?

Motives in cyber-security are an oh-so-interesting topic, but let's stay focused to Chrome and it's reluctance to show us that it's recording.

It took me a couple times reading through the article to really catch this line:


Now that's interesting. It's not an empty boast, his library is on github and has a number of downloads. But it is interesting that his library comes up twice in a not-so-long article, and is significant focus of his demonstration of a vulnerability that is only tangentially related. His demo code also has calls to Google analytics, allowing him to see how many people are running his demo.

He also discusses a rewards:


Mr. Ater isn't just crying wolf, this is an issue. Google needs to fix it. But it is also possible he used a few fear tactics to generate media attention for his work.