Infosec dramas are getting more and more tiresome. Between this and the Singapore Airlines story, it just seems like people need to ratchet everything up to 11.
You have two options, choose one:
- 1. Google wants to spy on you with a hidden mic
- 2. They had future plans for the mic, but it was disabled, so it wasn't mentioned by the marketing department
For the Singapore Airlines story, you have two options, choose one:
- 1. Singapore Airlines wants to record you
- 2. The infotainment devices in the seats are just off the shelf Android devices
One option gets you lots of clicks and let's the infosec drama crowd tweet obnoxious things and sound insightful. The other is the pretty obvious explanation.
For Google, I'm not sure how option 2 is supposed to be acceptable either. It is perfectly reasonable to be concerned about introducing an internet-connected microphone into your house. It doesn't even require assuming a malicious Google to see potential problems with this. You're one decent security flaw (in an IoT device no less) from anybody having a microphone in your house.
> You're one decent security flaw (in an IoT device no less) from anybody having a microphone in your house.
Many people already have Android smartphones, so there is already a Google microphone in your house. The big difference is that you know that it has a microphone.
Which of course makes a big difference. We are all adults. We can weight pros and cons and then make an informed decision. Not so if we don’t know all the details. This is what you’re betting on when leaving “details” like this out.
Lots of technology now incorporates the idea that people are better not given too many choices. DRM/trusted computing, root-locked phones, software and operating systems that decide what information they send where, without any explicit consent or choice to disable.
The smartphone requires a battery, which drains away noticeably if it is sending all your conversations. The Nest is connected to the house power, so it can stream audio non-stop.
Additionally a user is likely to pay a lot more attention to their phone than to their Nest devices. A compromised Nest device will likely stay compromised until Google find the exploit...
A malicious actor could easily conceal their activity by making 24-hour-long recordings and sending them in the night (or whenever connected to WiFi and plugged into power).
The main trick smartphones use to have their battery last long enough, is to power off every piece of hardware that's not in use, for as long as possible. Doing a 24-hour-long recording would require the main CPU to be awake far more often than usual (and in fact, I would suspect it would have to be pretty much constantly awake, unless the phone had a large dedicated hardware buffer for the recorded audio samples).
Not to mention, that Android phones seem to pick up "ok google" activation pattern from random conversations, and start sending voice to Google's servers for speech-to-text processing. Even after repeated attempts to find and turn off voice activation from settings.
While true, the upgrade situation for Android is way better than for most IoT devices, which is saying something. And this is the sort of thing you may well keep for a decade. While you may still have other Google microphones, I would be a lot more worried about this one specifically being vulnerable at some point.
I don't know which specs exactly people are referencing, but if its marketing specs or the specs you would see on the box then I don't expect consumer products to have "microphone (disabled)" for unused hardware just as I wouldn't expect it to list some unused PCB circuitry.
It might be reasonable to be concerned about this kind of thing in the tech crowd, but the vast majority of people aren't.
> I don't expect consumer products to have "microphone (disabled)" for unused hardware
This should absolutely be the expectation. A note of "microphone (disabled in software)" at minimum. Since when is it OK for a company to sell you a product with hidden functionality that can be used to harm you by either the manufacturer or third parties?
(The obvious defense is that they're not selling it to you, they're renting it out. Such is the pathology of turning products into services. It's a sick market dynamic.)
How many things built into products have obsolete hardware or unused functionality that would have to be listed? I understand being reactionary to a microphone but where is the line? How do you draw it?
Do I need to list all the capabilities of some SoC even if I don't take any advantage of them? If a component has thermal sensors I'm not using do I have to list every one of them on the box?
I think Google is well past conspiracy territory. They are a company whose bottom line depends on collecting as much user data as possible; in an economy that compels them to improve their bottom line by any means available.
Is there really any doubt that google can and will spy on you if given the slightest opportunity?
"Yes, I have 100% doubt anyone is spying on anyone."
You can not possibly examine the evidence and claim 100% that there is no interest in spying on anyone.
Doubt that this particular case has that as the core issue? Sure. But be utterly convinced that literally no one, in any intelligence agency, against any target that might be near some sort of microphone-enabled device, has ever had the thought cross their mind that these things might be useful? No intelligence agency has ever looked at one of these companies hoovering up all the data they can get and installing all this stuff everywhere they can and stroked their chin for a moment?
You're basically claiming the NSA, CIA, Mossad, KGB, MI5, and all other such things have never existed, do not exist, and will not exist. The evidence for this is pretty poor.
I'm not asking you to wake up tomorrow and worry about whether your toaster is secretly sending all your thoughts to the alien overlords, but come on. Live in the world a bit. We're 7-ish billion people here on Planet Earth and they are not anywhere near all to a person nice, wholesome people who wish you all the best and would never even dream of exploiting you even a tiny little bit while they joyously enable you on your life journey of exploration and wonder. You're begging for exploitation.
" they are not anywhere near all to a person nice, wholesome people who wish you all the best"
that is exactly how most people are.
working and travelling around the world taught me as much.
>We should be sharing more, not hiding in our caves.
Ironic coming from a non-eponymous account, and in an era when we share two orders of magnitude more stuff than any other, even pictures of what food we had at diner...
A better version of humanity wouldn't be risking anything by sharing excessively and would get all the benefits of transparency. The humanity of reality is still plagued with bad actors who would throw away everyone's future, throw away civility, seek out despotic rule, etc. We have an elaborate system of incentives and disincentives we rely on to maintain good faith participation in society, and despite our best efforts that system is flawed and also fragile enough that it could worsen dramatically. The way we are centralizing wealth, data, knowledge and power right now is really dangerous in my opinion.
>Yes, I have 100% doubt anyone is spying on anyone.
Really? Did you ever hear of a guy named Snowden? Do you understand that our government spends tens of billions of dollars annual to spy on people? Do you understand that Google, Facebook and every other search, advertising and social media company have billion-dollar business models based almost entirely on surveillance and information hashing? I hope you are being sarcastic here.
this is exactly what i was writing about: the paranoia.
what does Snowden and the billions of dollars spent on spying have to do with what i buy and what i consume?
nothing. no one is coming for us. we're way too unimportant.
Tell it to the Chinese and rapidly expanding system of total surveillance and social credit scores. On the contrary, they are coming for all of us, only here we are opening the door and inviting them in.
Yelling "Conspiracy" at everything is quickly becoming the new "Think of the children"
It is in no way close to conspiracy to question if Google or any other company supported by Targeted Ads where they need massive amounts of Human Intelligence to perfect their ad targeting, would want to spy on their consumers
Yes? Obviously it's not far fetched to fear that Google will spy on their alarm users, as its core business depends on it.
Conspiracys is not a nutcase dellusion it happens all the time but the term is somehow tainted, which in itself is somewhat of a conspiracy...
"the microphone has never been on", Google say about a passive device as it matters. More accurate would be "we did not record the microphone" but that might sound bad ...
They depend on having at least some reputation left so that they can siphon huge amounts of ad targeting data a lot more then on getting a few dark secrets in a super underhanded manner.
That said, "conspiracy territory" gets close to a knee jerk reaction.
History is full of conspiracies.
A conspiracy is just many people doing each other favors under the table and taking covert action to promote their private interests or political beliefs, something which happens all the time.
Heck, didn't a President resign because he conspired (including eavesdropping) against the other party?
Wasn't another in bed with mafia leaders? [2]
Haven't a third had friends profiteering of a trillion+ dollar war effort (Haliburton, etc), even using false testimony [3, 4]?
Don't tons of ex-politicians usually end up on boards of private companies they helped pass favorable legislation for and done favors to?
Haven't large corporations strong-armed whole nations, toppled governments, pushed for their own lackeys, etc [5]?
Wasn't the head of the FBI targeting, spying on, and blackmailing his personal opponents and for his personal gain? [6]
Just to mention a few examples, just the tip of the iceberg...
As Gore Vidal once wrote: "Americans have been trained by the media to go into Pavlovian giggles at the mention of the word "conspiracy," because for an American to believe in a conspiracy, he must also believe in flying saucers or, craziest of all, that more than one person was involved in the JFK murder" (Gore Vidal)
I think there are two ends on a diagram of skepticism and scrutiny.
On one end you have individuals who will find nearly any conspiracy viable for whatever reason. That most conspiracy theories are eventually shown to be false doesn't really seem to bother them. On the other end you have individuals that will never believe anything could possibly be true, so long as a government or corporation has plausible deniability. The lengthy list of conspiracy theories that turned out to be true, or other conspiracies that nobody knew of - only revealed decades after due to declassification, don't really seem to bother them.
I suppose we could call both ends naive. Naively trusting to naively untrusting. The 'right' degree of scrutiny is somewhere in the middle. In this case you have the largest ad delivery corporation in the world. They've "accidentally" engaged in behavior such as snooping and logging data from unsecured wifi connections with their street view vehicles, continued to track users' locations on Android devices even when tracking was "disabled", and so on. Google is also one of the companies that known is known to be collaborating with intelligence agencies including, but not limited to, the NSA. Most recently they were one of the first companies fined for refusing to abide the GDPR regulations for a variety of actions including lack of legal basis for the information they were collecting, lack of transparency in what/how it was collected, and enrolling users in tracking without their permission. And while not directly related, I think it speaks to the true character and ethos of the company that one of the words they plan/planned to black-list in their tracking enabled censorship driven search engine in China is literally "human rights." [1]
And now they "accidentally" forgot to include on the packaging information that an internet connected device installed centrally within homes also had a recording device. I mean given the context of who you're talking about where do you think the idea that this device, and omission might be less the benign, ranks on the scale of 'naively trusting -> naively untrusting' scale? The connotation of conspiracy theory, as in your usage, is implying it's naively untrusting. I do not think this is a logical conclusion.
>That most conspiracy theories are eventually shown to be false doesn't really seem to bother them.
Which "conspiracy theories" are eventually shown to be false?
The ones concerning aliens and lizard overloads or illuminati?
Because there are plenty corporate, political, and economic conspiracies going on all the time, including tons of "conspiracy to commit fraud/murder/etc" at smaller and larger scales, as acknowledged by courts of justice every single day.
The big ones are things that are shown to have a timeline. For instance one conspiracy theory is that Operation Jade Helm 15 [1], a military training exercise, was really a precursor to imminent declaration of martial law or some sort of a government takeover of Texas. There were lots of derivatives of this including Obama somehow trying to hold onto the presidency beyond his term limits.
Needless to say this did not come to pass.
Another one I found amusing was people believing that SpaceX's retropulsive landings, when they were first being successfully executed, were actually just launches played back in reverse. This conspiracy died pretty fast after they did it over and over, to say nothing of people being able to freely go and watch the landings. But it could also be shown to be false beyond any doubt by reversing the landing footage which, suffice to say, looked nothing like a takeoff. There were also more technical ways to debunk these things such as by looking at individual phenomena (birds, etc). It wasn't a good conspiracy theory, but there were plenty of people that believed it for a while.
But yeah, I'm not really sure what's up with people who seem to think that conspiracies don't happen and on an extremely regular basis. Even some absolutely awful things. Operation Northwoods [2] was very much a real idea that made it way all the way through the intelligence agencies and joint chiefs of staff. It was literally one signature away from being carried out. If we had a president of lesser moral character, not only would it likely have been carried out but we'd probably be none the wiser today. JFK was a great man.
> 2. They had future plans for the mic, but it was disabled, so it wasn't mentioned by the marketing department
If you design in something which is later not used, you don't populate that part of the circuit board. Not unless you're intending to use it later, anyway. Components cost money.
A software equivalent would be "we had plans to offer an integrated backup system but that didn't happen, although we still upload your contacts list and the contents of your SMSes to our servers."
You can add hardware features in order to support features you want to support in the future, but not advertise them in case those features for some reason don't come to fruition. If they had advertised "contains a microphone" there could be users who claim false advertising if they can't use the microphone. It's stupid but I can see a lawyer making the argument.
As long as the microphone never recorded anything, they're no legal downside to including it and not documenting it. There could be a slim but potential issue with advertising a microphone that the customer can never use.
The response to this incident is showing that that view is changing though.
An extra co-processor or something, sure. A device which the capacity to invade the user's privacy and/or compromise their security? Not so much. It'd be like having a 3G connection hidden in a security camera and not telling anyone.
Tesla has a suite of sensors installed that are not currently used because they intend to solve the self-driving car problem with them in the not-too-distant future.
Nintendo released multiple generations of consoles in the US with expansion ports for peripherals that ended up not making market sense to bring to the US.
A fair point, but then again, if people don't react to #2 now, how long until it turns into #1?
Things would be much simpler if companies were up front about what they're selling, instead of giving you incomplete information optimized to placate the unsophisticated buyers.
Disclosure of things like microphones on internet-connected devices is the type of no-brainer regulation that our regulatory bodies should be promoting. No need for real behavior changes, no need for giant Surgeon General's warnings, just a mention in printed user documentation, the same way products attest that they aren't in violation of FCC regulations on airwaves. There can be a healthy debate about whether this needs to go even further, e.g. legally requiring what Apple does for its laptop cameras in that a hardware light is lit whenever the recording system is powered up. But at least documentation-level transparency seems like a no-brainer. Unfortunately our regulatory bodies seem incapable of common sense these days, but that's a topic for another day.
This is not really about infosec, this is about privacy and data protection. And you can try to play this down as much as you want, but I think this is another symptom how much the current discussion about how much data gathering is OK is needed.
Right. If it's ended up on a production board that means one of two things.
1. They intend to use the microphone in the future
2. They disabled the microphone after having the boards manafactured right before shipping - what changed?
If they knew they weren't going to use it, why didn't they leave the microphone unpopulated? It would save on their BOM cost too, there had to be a reason.
This is the most accurate explanation. In other words, it's a mic like any other. The 'disabled' in this context means nothing. Just wait till Google gets served with a warrant. Suddenly, those mics won't be disabled anymore.
Maybe if companies like google weren't so creepy and privacy invading they'd get the benefit of the doubt. But in the world of constantly expanding corporate surveillance I default to believing the worst. Only occasionally am I pleasantly surprised to be wrong.
I don't get why you've got downvoted, I have the same opinion. There were a lot of scandals related to privacy lately (and I'm not talking only about Google), it's easy to understand why people stop trusting large corporations. It's sad that we use the downvote button to suppress opinions that are different, instead of using it for marking low quality content.
option 3 >> Tech companies get special treatment from governments when they include potential surveillance capabilities that are 'disabled for general use'.
> - 1. Google wants to spy on you with a hidden mic
You mean "gaining consumer insights to continually develop and improve our products".
Given the existence of a whole industry sector that is all about covertly gathering information about users and selling them off, I don't see what would be that particular far-fetched about this scenario.
False choice. Google has future plans for the mic: to spy on you. Singapore Airlines is using off the shelf spyware/Android devices [but I repeat myself] because it wants to record you.
Your analysis is sensible. Where we should choose the most likely explanation, it might become sharper:
- In case you're not familiar with it, one helpful tool is prior probability (Bayesian thinking). This video is short and accessible: https://www.youtube.com/watch?v=BrK7X_XlGB8
- There is a public intelligence budget in 2018 of $54.9 billion in the United States[1], as compared with the combined annual R&D expenditure of Apple, Google, Intel, and Microsoft at $53.2 billion[2]. This employs over 100,000 people[3].
- According to Snowden, they covertly use microphones.[4] He had reporters put their mobile phones in a fridge/microwave, since they could be turned on remotely.
A sensible assumption is that you are unlikely to chance upon a covert surveillance mechanisms if one is installed. (For example, speakers could also be used as microphones.) Where a bug is present, I think assigning 1% to the probability of finding it is reasonable.
In view of the above, after you find an undisclosed and apparently (but not physically) disabled microphone in a product, which is more likely?
1. One of the 100,000 people mentioned, using some of the $59,900,000,000 annual budget mentioned, put it there. They do this thousands of times per year, and you've just found one of them. However, the chances of your finding it are low. (1%).
2. It was put in there as part of normal product design but left unused. Perhaps it will be legitimately enabled in a future version. Perhaps Google will use it for OK Google, its voice assistant. It has no covert intention. Google spends a lot of effort on ensuring privacy. The chances of your finding it are very high (90%) - it's not meant to be hidden and is no secret.
If the chances of your finding a covert device is 1% in case there is one, and the chances of your finding an unused but not physically disconnected microphone is 90% if there is one, then to complete your analysis of which is more likely, you should know how many times the scenarios in 1 and 2 occur.
I hope these additional tools - Bayesian probability and some figures about the base rate, could make your analysis sharper. Personally, I feel it's likely that a 1% chance of discovering a covert bug, multiplied by the thousands of such bugs (devices) out there, makes it more likely than the 90% chance of finding a totally unused and unadvertised microphone in a product, since there would be few such cases.
Infosec dramas are getting more tiresome? Are you really saying this on hacker news in an environment where we know governments, corporations, etc are actively trying to spy more and more on everyone?
It's strange how you think the latter options are the pretty obvious explanations. "Google wants to spy on you with hidden mic" seems to be the fairly obvious one to me.
What's strange is the amount of pro-government and pro-google comments on hacker news the past few years. I wonder what the two options for why that is?
Also, you are offering a false dichotomy. This isn't an either-or situation. There could be other reasons. Could be that "google wants to spy on you with a hidden mic AND they planned it for the future". Another option is "The mic was put there by mistake". Another is that "the supplier screwed up". Or another is that the "supplier intentionally put it there".
I'm saying this on a site where I assume people are able to think a little beyond the basics, yes.
Google spying on its customers would result in an amazing lawsuit. People tear apart and reverse-engineer these things for fun and it would have been discovered in due course. Google knows this. So, no, it's not an "obvious" option at all.
You're starting from a position of "of course google is evil". I'm starting from "how much sense does that make?". We've reached different conclusions because of this.
Pedantically listing a bunch of other options is missing the point, and they basically all fall under option 2.
As for your perceived "pro-government" and "pro-google" views on HN: people have different views on many topics. Maybe this is the only place you encounter views that differ from your own?
I agree with you that Google, an advertising company, would benefit greatly from secretly including a microphone (a-la Facebook giving you ads for stuff you've only spoken about out loud) however I disagree with your insinuation that the person you're replying to is a pro-government or pro-Google shill. I think Occam's razor in this scenario can lead you to two different conclusions.
Cameras in a public space? Oh no! Call the police right now!
On the other hand, Google conveniently forgetting about the mics they installed in people's private residences is actually a big deal. This is exactly the reason I would never buy garbage devices like this. Google couldn't make a better case against such devices if they tried. There's no hint that the disabling of the mic wasn't or couldn't be reversed by Google or other parties. But even if it was secure and didn't record anything, Google broke customers' trust by including a hidden mic. Whether they had future plans or not, they lied to all their customers. If they came out and offered free replacements of any systems, I'd maybe buy their apology. As it stands, it's clearly PR bullshit that this was a mistake. One would have to be extremely stupid, gullible, or both to buy that especially given Google's history. That mic was put there on purpose. I also don't buy it that they never recorded anything with it. Of course, we won't be able to prove it and Google won't tell. But once again, their history tells all.
You have two options, choose one:
- 1. Google wants to spy on you with a hidden mic
- 2. They had future plans for the mic, but it was disabled, so it wasn't mentioned by the marketing department
For the Singapore Airlines story, you have two options, choose one:
- 1. Singapore Airlines wants to record you
- 2. The infotainment devices in the seats are just off the shelf Android devices
One option gets you lots of clicks and let's the infosec drama crowd tweet obnoxious things and sound insightful. The other is the pretty obvious explanation.