Problem solve Get help with specific problems with your technologies, process and projects.

Chrome bug highlights speech-recognition security risks

A Chrome bug that leverages the browser's speech-recognition feature reportedly threatens mobile device security. Learn how to combat the threat.

I read that attackers can snoop on phone calls and conversations using Google Chrome. Is this cause for concern? In what ways can my enterprise mitigate it?

Researcher Tal Ater's blog post claims that "Chrome bugs allow sites to listen to your private conversations." Google, however, says Chrome's speech-recognition feature is safe and complies with W3C's Web Speech API Specification.

Whether this is a security or design flaw or indeed neither, users must be aware of Chrome's speech-recognition feature and how to use it without endangering personal or enterprise information.

Visit Google's homepage and there in the search box is a speech-recognition microphone icon whose tooltip says "Search by voice." Click it and Chrome will display a bar at the top of the browser asking permission to use the device's microphone. If the user clicks "Allow," he or she can control the site with his or her voice. Chrome shows an icon in the browser while speech recognition is on and, once the user turns it off or leaves the site, Chrome stops listening.

Ater's claim, though, is that as long as Chrome is running, a malicious site could potentially abuse microphone access and record conversations, meetings or phone calls taking place near the device even after the user has left the malicious site. According to Ater, once permission has been granted, a malicious or compromised site could open a hidden pop-up window underneath the main browser window that could go unnoticed by the user. Google maintains that any such exploit would require a user to first enable microphone use on a website and second, permit pop-ups (Chrome, like most other browsers, disables pop-ups by default).

It may be a matter of opinion whether Chrome does enough to alert users when a site is accessing their camera or microphone, but clouding this issue is the fact that the Web Speech API Specification is currently not a W3C standard and so is still subject to change (it isn't scheduled to become a W3C recommendation until late this year). Implementing cutting-edge technologies is vital for browser vendors, and early feedback can help shape and improve the relevant specification. While Ater's observations focus on a relatively minor user-centric issue, a successful microphone-based attack could collect highly confidential information without a user's knowledge. Implementing the correct behavior of a standard is important, but so too is ensuring users are protected from those looking to exploit the less vigilant or security unaware. Granting permission for a website to use the microphone is a persistent setting if it is accessed via HTTPS, and it's unlikely that every user will remember to turn his or her microphone on and off each time he or she accesses a site.

Enterprises must decide whether speech recognition is really a necessary feature for corporate use. Is it going to improve productivity, or be an annoying distraction for those working in an open-plan office? Until a full risk assessment has been completed, ensure Group Policy settings enable Chrome's Advance settings option: "Do not allow sites to access my camera and microphone," except of course for those users who have a legitimate, documented use case.

Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your question now via email! (All questions are anonymous.)

This was last published in July 2014

Dig Deeper on Mobile security threats and prevention

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Is speech recognition security a concern for your organization?