An Israeli programmer has identified a bug in Google Chrome that allows malicious websites or hackers the ability to stealthily record conversations by accessing the device's microphone. The bug should be of serious concern for Google, especially given Chrome's current status as the browser du jour.
An Israeli programmer has identified a bug in Google Chrome that allows malicious websites or hackers the ability to stealthily record conversations by accessing the device's microphone. The bug should be of serious concern for Google, especially given Chrome's current status as the browser du jour.
The YouTube video released by programmer Tal Ater walks viewers through the dangerous exploit that allows anyone to access your microphone through Google's voice recognition software embedded in Chrome. Ater discovered the problem while working on a JavaScript Speech Recognition library called "annyang". They discovered the speech recognition software could be run continuously by third parties. Even more interesting is the fact it could lay dormant and only activate upon certain keywords being said.
In what may turn out to be the most disturbing part of this story, Ater alerted Google's security team privately to this issue back on September 13, 2013, and the team readily acknowledged its existence only six days later on the 19th. Google's team had a patch that fixed the exploit on September 24th, and Ater was nominated by Chromium's Reward Panel for the find. Problem solved, right? Not so much.
Within just two weeks of Ater reporting the bug, Google's engineers had confirmed the exploit and fixed it. But as the weeks passed, the fix was still not being released to desktop users. Six weeks after the initial inquiry into the matter, Ater again contacted the team at Google to ask why the exploit had not been fixed across the board. They responded in a rather convoluted manner. They stated that an ongoing discussion was going on within the "Standards" group, but nothing has been decided.
Finally, after four months of no response and a feeling of being stonewalled by Google, Ater released the YouTube video exposing the exploit to the world on January 22, 2014. The question still remains however if Google plans on releasing the patch they have been sitting on for 4 months. Now that Ater has exposed the inherent dangers to the world, let's hope that Google makes the correct decision to rapidly deploy the fix, or else they risk alienating their security-conscious users.
We'll be keeping up with the news at National Technologies Group. If you're worried your systems are compromised, or would like to take proactive measures to protect your information, contact us for advice on internet and data security. We can help.
