Chromium suddenly starts downloading a binary blob

By Jake Edge
June 17, 2015

A Debian bug that was filed at the end of May serves as a reminder that even open-source software is not immune to some of the problems of proprietary software. In this case, Chromium 43 was silently downloading a browser extension to enable the "OK Google" voice activation "feature" of the browser, which is somewhat reminiscent of the various sideloading schemes that plague downloads of "free" software, particularly on Windows. The download was a binary blob, of course, so its contents cannot be vetted in any real sense. As might be guessed, Debian developers were not amused, but it should also serve as a bit of a wakeup call to all of the free-software world.

The extension in question is called "Chrome Hotword" and the download is a native client (NaCl) shared module that includes executable content. Starting with version 43, Chromium could only be built with the extension, which would download the shared module at its first opportunity—all without user intervention or notification. Perhaps even weirder still, the extension did not show up in the usual chrome://extensions/ page. Its controls were available at chrome://voicesearch/, but users have to know it was installed and where to find that page.

To summarize, a popular open-source web browser does a surreptitious download of a program and hides the download and the existence of the program from the user. Even if the binary only does what it is purported to do, it can turn on the microphone and upload what it hears to a remote site to search for a key phrase. That description sounds a lot like one for the latest malware outbreak—or National Security Agency (NSA) eavesdropping program.

It is not (yet) clear how this came about—prosaic explanations seem most likely, in truth—but it did make its way into Debian unstable without being noticed. It was reported to the Chromium team on May 22 and fixed by adding a build option to disable the Hotword extension on June 9. The extension is still enabled by default, though, so builders who don't want that functionality need to turn it off before starting the build. By June 15, Debian had done just that and updated its version of Chromium.

There is plenty to be disturbed about here, but it seems pretty unlikely this was some deliberate scheme by Google (or the Chromium team). It would be hard to hide something like that in an open-source program like Chromium. But it is clear that the amount of independent review of the changes going into Chromium is less than what we might hope for. The value of open source is lessened if "many eyes" really turns out to be "zero eyes".

The contents of the executable should also be scrutinized, but there is no real way to do that. Even if Google is completely trustworthy with respect to what the program does (and there is no reason to believe it isn't) it is still a bit worrisome that your browser can simply execute whatever code its corporate master orders it to. Though, in some ways, that isn't terribly different from Flash or JavaScript. We are increasingly required to trust the various sites, companies, and organizations that we deal with on a daily basis on today's internet.

Given the way Chromium uses certificate pinning, a man in the middle would not have been able to deliver some other version of NaCl executable. It should be noted that locally stored root certificates for proxies and the like are not subject to pinning, though. It's a pretty far-fetched attack mechanism, since having access to install certificates locally would allow anything else to be installed at the same time. Being able to sign certificates for any site and have them accepted by all of the affected browsers would also seem to provide endless avenues of exploitation.

This incident is a little disheartening, overall. The web is a big, scary place these days; we depend on browsers that are working to protect their users. Undoubtedly Google doesn't see this executable download as a violation of that—rather it is probably seen as a nifty feature—but many outside the Googleplex quite reasonably disagree. As long as we have the source, and are vigilant about reviewing it, we can be reasonably assured of having browsers (and other programs) that do protect their users. That may, at some point, require a fork-and-rebrand effort for a browser or other open-source project if the organization developing it won't back down from some kind of anti-feature. Thankfully, that seems to be a problem for down the road—if ever.

Index entries for this article
Security	Web browsers

to post comments

Enabled by default or not?

Posted Jun 18, 2015 8:18 UTC (Thu) by ber (subscriber, #2142) [Link] (4 responses)

Google's explanation says that the "hotword" module in question was not enabled by default. Their points and reaction seem to be reasonable, so we should still thank Google for providing a good Free Software webbrowser alternative. If this was a slip by Google (which is quite likely), it shows that that peer review enabled by Free Software is important. A good example of how the Debian folks being thorough are contributing to the IT world.

Enabled by default or not?

Posted Jun 18, 2015 16:16 UTC (Thu) by testsilicon (guest, #96703) [Link] (3 responses)

It's not clear to me from the bugreport if any audio was ever unintentionally transmitted back to Google by unsuspecting Chromium users. If it was, then that was a serious breach of privacy. Can anyone clarify? Also can anyone confirm if hotword detection is done locally or in the cloud?

Enabled by default or not?

Posted Jun 19, 2015 3:06 UTC (Fri) by kokada (subscriber, #92849) [Link] (1 responses)

I think it is pretty clear that no audio was transmitted, since by default this feature is disabled. Quoting from the bug report:

"First and foremost, while we do download the hotword module on startup, we *do not* activate it unless you opt in to hotwording. If you go into "chrome://settings", you will see a checkbox "Enable "Ok Google" to start a voice search". This should be unchecked by default, and if you do not check it, the hotword module will not be started."

Speaking strictly from Android (using Google Now, that has a similar feature), the hotword detection is done locally. After the user does a query (that happens after the user says "Ok Google", signaling that the user wants to ask something), this data is send to Google. I think something similar happens in Chrome.

Enabled by default or not?

Posted Jun 19, 2015 14:18 UTC (Fri) by jwarnica (guest, #27492) [Link]

Just tested it here in Chrome (installed from Google directly on opensuse). One must enable the setting, and on a new tab "OK Google" starts a search. But Chrome asks if google.ca can have access to the microphone, like it would for any other site wanting access.

So the feature really only enables the microphone on the canned google search page, shown on (not quite) blank new tabs.

Enabled by default or not?

Posted Jun 19, 2015 18:05 UTC (Fri) by ranmachan (guest, #21283) [Link]

If you have the collection of audio samples enabled ("Allow google to use this data to improve the recognition" or somesuch), then you can actually look at your voice search history for your account at https://history.google.com/history/audio.

Chromium suddenly starts downloading a binary blob

Posted Jun 18, 2015 13:58 UTC (Thu) by raven667 (subscriber, #5198) [Link] (1 responses)

> But it is clear that the amount of independent review of the changes going into Chromium is less than what we might hope for. The value of open source is lessened if "many eyes" really turns out to be "zero eyes".

This is an attitude that is starting to bug me, there is a cognitive dissonance between expectation and reality that I think should be explored, in what way is this change being discovered, investigated, fixed, deployed and commented upon by our Glorious Editor, "zero eyes" of review? Sure, this wasn't detected by some sort of code review before it was compiled but one of Debian Unstable's purposes is to build and deploy code so that it can be tested in the field and problems discovered, which this one was, if there is an expectation for something different that this issue has failed then I think it makes more sense to re-align expectations to reality than to take a negative attitude toward success.

I mean if this had fallen through the cracks and been discovered by an end user in Debian Stable 8 maybe that would indicate a review failure but something being wrong in a test system seems appropriate to me, we can never not make mistakes but we can detect, fix and learn from them after the fact.

Chromium suddenly starts downloading a binary blob

Posted Jun 23, 2015 2:27 UTC (Tue) by jebba (guest, #4439) [Link]

It appears to download non-free binaries in Debian Jessie (8) too. I have this on my system:

./chromium/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg/0.3.0.5_0/_platform_specific/x86-64_/hotword-x86-64.nexe

Chromium suddenly starts downloading a binary blob

Posted Jun 18, 2015 14:24 UTC (Thu) by fuhchee (guest, #40059) [Link]

"Though, in some ways, that isn't terribly different from Flash or JavaScript. We are increasingly required to trust the various sites [...] The web is a big, scary place these days..."

The latter follows partly from the former.

Chromium suddenly starts downloading a binary blob

Posted Jun 18, 2015 15:45 UTC (Thu) by cry_regarder (subscriber, #50545) [Link]

Jake says "The contents of the executable should also be scrutinized, but there is no real way to do that." Why isn't there a real way to do that? At the worst, assuming none of the free software alternatives works, it could be reverse engineered with IDAPro.

If the code is so obfuscated that that isn't tractable, then I would take it as a strong signal that something nefarious is present.

Chromium suddenly starts downloading a binary blob

Posted Jun 18, 2015 22:14 UTC (Thu) by josh (subscriber, #17465) [Link] (1 responses)

While this is definitely a Free Software issue, in that a Free Software browser should not be silently downloading and installing a proprietary blob (*especially* when the user isn't actually using that functionality), it isn't a security issue at all.

Unlike Flash and other plugins, Native Client is sandboxed. Barring a sandbox-escape bug in NaCl (which would be a critical security bug in Chrome), the extension in question could not run arbitrary code on the system.

Chromium suddenly starts downloading a binary blob

Posted Jun 23, 2015 11:03 UTC (Tue) by nix (subscriber, #2304) [Link]

It can't run arbitrary code, but the browser explicitly grants it permission to listen to the microphone and talk to the network! I'd call that a pretty big permission. (One that it obviously needs in order to do its job, but still.)

Chromium suddenly starts downloading a binary blob

Posted Jun 18, 2015 22:18 UTC (Thu) by JohnLenz (guest, #42089) [Link]

For other concerned Arch Linux users, I investigated and found hotwarding was disabled in an update a few days ago.

https://projects.archlinux.org/svntogit/packages.git/comm...

Chromium suddenly starts downloading a binary blob

Posted Jun 18, 2015 22:49 UTC (Thu) by gilbert (guest, #81446) [Link] (1 responses)

Fortunately native client is disabled (i.e. not built at all) in the Debian chromium packages, so even if the downloaded nacl executables were in fact malicious (and capable of escaping the nacl sandbox), there is no interpreter in Debian actually capable of triggering the hidden badness.

In addition as one of the chromium developers mentions, concerning other distributions with chromium+nacl, all nacl executables are sandboxed, so this is much like navigating to any nacl webpage (except that hotword automatically gets microphone permission which is not really so great itself):
https://code.google.com/p/chromium/issues/detail?id=50092...

The aspect of this "incident" that I find disheartening is LWN jumping onto the security overhype bandwagon so quickly without fully rationalizing the problem.

p.s. I am the maintainer of the Debian chromium package.

Chromium suddenly starts downloading a binary blob

Posted Jun 23, 2015 11:06 UTC (Tue) by nix (subscriber, #2304) [Link]

Quite. The open source nature of Chromium helps here, too: it is really not hard to prove, even from a position of total unfamiliarity with the codebase, that that executable is only executed at all if the setting is on, no matter *what* it might do. So the frothing about howgoogle is no better than a rootkit vendor or the NSA from Falkvinge and similar commentators is unjustified and says more about the tendency of said commentators to see conspiracies everywhere rather than doing a few minutes of actual research than anything else.

Chromium suddenly starts downloading a binary blob

Posted Jun 19, 2015 14:40 UTC (Fri) by flussence (guest, #85566) [Link] (4 responses)

This is unfortunate, I was getting ready to jump ship back in their direction after Mozilla's recent spree of similar bad behaviour.

NetSurf looks mighty appealing right now...

Chromium suddenly starts downloading a binary blob

Posted Jun 25, 2015 7:03 UTC (Thu) by oldtomas (guest, #72579) [Link] (3 responses)

Heh. I'm too desperately looking for alternatives to Firefox. But leaving Firefox to land on Chromium would be to "leap out of the pan to land in the flames" as an old Spanish saying goes :-)

The problem is not the bad intentions of the makers. I assume the best intentions from the Mozilla and the Google folks involved. Still, their vision is skewed by the POV of their "companies", and by the shiny and the technically interesting (which I sympatize tooroughly with).

I think this needs some counterweight to stay viable and socially useful (IOW to "keep them honest), that's all.

Chromium suddenly starts downloading a binary blob

Posted Jun 25, 2015 22:03 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

> would be to "leap out of the pan to land in the flames" as an old Spanish saying goes :-)

"Out of the frying pan, into the fire" is the English version of the saying.

Cheers,
Wol

Chromium suddenly starts downloading a binary blob

Posted Jun 27, 2015 2:42 UTC (Sat) by dashesy (guest, #74652) [Link] (1 responses)

"Getting out of a ditch only to fall into a pit" is the Persian version.

Chromium suddenly starts downloading a binary blob

Posted Jun 29, 2015 8:41 UTC (Mon) by jezuch (subscriber, #52988) [Link]

> "Out of the frying pan, into the fire" is the English version of the saying.

> "Getting out of a ditch only to fall into a pit" is the Persian version.

In Poland it's "Out from the rain to under the downspout".

Good example of FS enabled Review and Iridium Browser

Posted Jun 24, 2015 14:04 UTC (Wed) by ber (subscriber, #2142) [Link]

Given what I know today, it is a good example of Free Software review by the Debian people and it explains why this is important for IT-security.

It would be interesting to research this issue further, e.g. how many groups are there that do some review of Chromiums code base. Wikipedia provides a list of chromium derivatives. A newcomer from Germany is Iridium Browser which claims a focus on privacy and security.

Correction

Posted Jun 25, 2015 23:39 UTC (Thu) by scientes (guest, #83068) [Link]

Please note that the Debian package has never built the NaCl runtime, so this program was never runnable. Still a DFSG violation, but it was never possible to execute. (Yes I know this correct is late, but I don't have a subscriptions.) We don't enable the NaCl runtime because doing so in a DFSG-compliant manner would double the compile time and source package size of what is already Debian's largest package. Also, NaCl really isn't that important or desired by people.

that is not all

Posted Nov 18, 2016 2:31 UTC (Fri) by anarcat (subscriber, #66354) [Link]

It is interesting to note that this mostly harmless issue (disabled by default in Debian) was fixed quickly while the more serious phone home bug still hasn't seen any progress after over a year of exposure... I have resolved to adding the following to my /etc/hosts, probably a good practice anyways:

127.0.1.1 www-google-analytics.l.google.com stats.l.doubleclick.net clients1.google.com

It is fascinating to see that I *still* have to have doubleclick.net in my hosts file...