Security Hole: Using Chrome? Google Can Hear Everything In Your Room Without Your Consent

Hidden code in Google Chrome (also in Chromium) enables Google to eavesdrop on everything that’s going on in your room without you even knowing about it. Google’s response: we can but we won’t.

Updated Mar 30, 2017
Google Chrome hears you

About a month ago, a new bug was filed in Debian’s bug tracking system that in essence reported the following:

“After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading ‘Chrome Hotword Shared Module’ extension, which contains a binary without source code. There seems no opt-out config.”

[ Before we go on, it’s probably a good idea to note that what’s referenced above is merely the open source version of Chrome.

I.e., it’s a much more ‘transparent’ version of the browser, where at least most of the source code is visible to the interested individual.

If you’re using Google’s own product, Google Chrome, then you should consider that the aforementioned “Hotword” module will be there right from the start, prebuilt into your browser. ]

Now back to the main issue: it later turned out that the downloaded module actually granted the browser the ability to access your microphone (if you have one connected) and also permission to capture audio.

Google’s Response

Google’s answer to that issue came in two separate responses:

  1. They introduced a new switch to opt out of this behavior.
  2. They gave their rationale and thoughts behind the questionable move, which essentially comes down to 3 parts:
  • Although you can’t control the prepackaged module, you do have control over the entire browser, which in Chromium’s case (only) is open sourced.
  • “Google Chrome (as opposed to Chromium) is not open source. It contains various bits of proprietary binary code, and always has”.
    In other words, ‘by using non open sourced software, you have in fact brought the risk of being eavesdropped on upon yourselves’.
  • “We call [ this kind of ] extensions ‘component extensions’ … we do not show them in the extension list by design … we consider component extensions to be part of the basic Chrome experience”.
    In other words, ‘we deliberately made the extension hidden, but only because we consider it part of the basic Chrome experience’.

So the bottom line is that, without informing you, the user, Google has practically taken the liberty of stealthily planting an eavesdropping feature in your browser.

And of course, yet another important thing to note here is that Google is able not only to hear you but also to record you, since the information gathered by the browser isn’t processed by your computer but is sent to Google servers for processing and execution.

How Will I Know If My Version Of Chrome Has That Feature?

To verify whether your Chrome / Chromium browser has the feature which enables Google to listen in on you, simply open up your browser and type the following inside the address field:

chrome://voicesearch

Now, if you see that the features “NaCl Enabled”, “Microphone” and “Audio Capture Allowed” are enabled, i.e. their lines have the word “Yes” right next to them, then your browser has the feature and it’s ready for use. (See the image below; mine has the microphone unplugged and NaCl disabled.)

Chromium voiceSearch
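
A complementary check on disk, as an added example that is not from the original article or from the Chromium project: because component extensions are hidden from the extension list, this Python script walks a directory of unpacked extensions that you point it at and reports every manifest.json that declares the `audioCapture` permission or ships Native Client binaries (.nexe / .pexe) beside it. The function names and the choice of what to flag are assumptions made for illustration; the directory to scan is whatever path you pass in.

```python
import json
import sys
from pathlib import Path

# Permission that lets an extension or app record from the microphone.
AUDIO_PERMISSIONS = {"audioCapture"}
# File suffixes of Native Client binaries (shipped compiled, without source).
NACL_SUFFIXES = {".nexe", ".pexe"}


def declared_permissions(manifest):
    """Return the permission names a parsed manifest declares (hypothetical helper)."""
    names = set()
    for key in ("permissions", "optional_permissions"):
        value = manifest.get(key)
        if not isinstance(value, list):
            continue  # missing or malformed key: nothing declared here
        for entry in value:
            if isinstance(entry, str):
                names.add(entry)
            elif isinstance(entry, dict):  # e.g. {"fileSystem": ["write"]}
                names.update(entry)
    return names


def audit_extensions(root):
    """Report each manifest.json under `root` that can capture audio or
    that has Native Client binaries in its directory tree."""
    findings = []
    for manifest_path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or not valid JSON: skip, keep auditing
        if not isinstance(manifest, dict):
            continue
        ext_dir = manifest_path.parent
        audio = sorted(declared_permissions(manifest) & AUDIO_PERMISSIONS)
        binaries = sorted(p.name for p in ext_dir.rglob("*")
                          if p.suffix in NACL_SUFFIXES)
        if audio or binaries:
            findings.append({"dir": str(ext_dir),
                             "name": manifest.get("name", "?"),
                             "audio_permissions": audio,
                             "nacl_binaries": binaries})
    return findings


if __name__ == "__main__":
    # Usage: python audit_extensions.py <directory-of-unpacked-extensions>
    for f in audit_extensions(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['name']}: audio={f['audio_permissions']} "
              f"nacl={f['nacl_binaries']} ({f['dir']})")
```

A hit is only a prompt to inspect that extension further; legitimate voice or recording apps declare the same permission.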

How Can I Disable / Prevent Google Chrome From Eavesdropping?

The best thing you could do to remain safe, not just from Google Chrome but from any other software that is able to listen in on your room, is simply to unplug your microphone, if it’s unpluggable.

The next best thing you could do is one of the following:

If you’re using either Chrome or Chromium, you can go into the browser settings and disable the feature which activates the listening.

To do so, click on the menu icon (3 bars) in the top right corner of the browser, then click on Settings.

Under the Search option, look for the line that says ‘Enable “Ok Google” to start a voice search’ (which should be unchecked by default) and uncheck it. This should deactivate the hotwording feature.

Disable - "Ok Google"

Another thing you could do, if you’re more of a technical user who knows how to use Chrome flags, is to also use Google’s new switch to opt out:

Pass “enable_hotwording=0” in your GYP_DEFINES, or “enable_hotwording = false” in your GN config. Both are build-time settings, so this applies if you compile Chromium yourself.

To sum up, in the words of a Disqus commenter Tark McCoy: “Bad Google! No browser cookie for YOU!”

Source: Privacy online News
