An expert in speech recognition states that Google Chrome users are exposed to various attacks and malware infections that can hijack the computer’s microphone. With this, all conversations in the room can be recorded for extended periods of time.
In order to gain access to the microphone however, users need to click a button to accept and give access to the microphone. Chrome usually notifies the user with a blinking red light in the browser tab and displays a camera icon in the address bar to indicate the given permission(s). As a normal behaviour, once the tab is closed, it should stop recording and drop permissions for any devices used. However, it will do the exact opposite.
As shown in the video above, Google Chrome can be used as the perfect tool for spying on anybody using the speech recognition on “shady” websites and afterwards closing the tab window. There will be no indication whatsoever about the recording feature still being enabled, and your privacy will be non-existent as long as you are still operating the browser. Israeli researcher Tal Ater said, the audio is sent to Google for analysis before being sent to the site that made the request. Once permission has been granted, Chrome can be programmed to begin recording only after certain keywords—say, “Iran” or “National Security Agency” are spoken.
“As long as Chrome is running, the transcripts of anything that is said next to your computer can be recorded by the malicious site—your private phone conversations, meetings, anything within earshot of your computer is compromised,” Ater wrote in an e-mail. “This is a unique vulnerability, as it essentially turns Chrome into an espionage tool with consequences on the physical world.”
Ater has notified Google about the security issue in September, though not even today has the bug been fixed. He wrote to Google once again in November in an attempt to find out what is taking so long to release a patch for the security breach. Their latest statement on the matter was as following:
“The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.”
From the statement given, in my opinion, Google displays a lack of interest in patching their security issues, overriding their continuous statements of focusing primarily on user privacy and security. Although it corresponds to the current W3C standards, Google should also consider intermediate and novice users, who most certainly don’t even know how a browser works. If Google was to focus on user privacy, patches and fixes for every security risk should have been issued with the highest priority, even for the low risk glitches and bugs such as this one.