
Bouzas: PipeWire, the media service transforming the Linux multimedia landscape


Posted Mar 6, 2020 10:08 UTC (Fri) by roc (subscriber, #30627)
Parent article: Bouzas: PipeWire, the media service transforming the Linux multimedia landscape

What can a malicious app do with Pulseaudio access?



Posted Mar 6, 2020 10:23 UTC (Fri) by Baughn (subscriber, #124425)

Record audio, for one.

Posted Mar 6, 2020 10:40 UTC (Fri) by smurf (subscriber, #17840) (4 responses)

Record audio (both microphones and speakers). DDoS your network without network access. Play loud sound (hearing-endangering levels) on your headphones. Find a resonant frequency in your living room and cause property damage.

Posted Mar 6, 2020 15:21 UTC (Fri) by dezgeg (subscriber, #92243) (3 responses)

Does anybody know if that is any different from what apps on OS X and Windows are allowed to do by default?

At least I do not remember Windows asking permission for any of those (have not used Windows Store apps, though) so quite frankly, these seem like a non-issue to me...

Posted Mar 6, 2020 16:30 UTC (Fri) by andrel (guest, #5166)

Almost every laptop I see has something opaque taped over the camera. The concern about being surreptitiously recorded is very widespread. Which is why phones ask the user to authorize an app accessing the camera/mic.

Posted Mar 6, 2020 19:18 UTC (Fri) by ocrete (subscriber, #107180)

The goal is not to reproduce Windows/macOS, both of which have designs that date from the same era as X11 and PulseAudio. In that era, the idea was that all applications were trusted and could have almost full access to the computer. PipeWire is trying to bring the Linux OS to the era of Android and iOS, where you can run less trusted applications, because they only have access to the minimal permissions.

Posted Mar 7, 2020 9:26 UTC (Sat) by comex (subscriber, #71521)

It’s relatively new (added in the 2018 release), but macOS does have a per-app permission prompt for microphone access. (And another one for camera access.)

Posted Mar 6, 2020 11:46 UTC (Fri) by alexl (subscriber, #19068) (3 responses)

All sorts of stuff, like:
* Record audio from a microphone.
* Listen to the output of other running apps
* Turn down the volume of other apps
* Load and configure modules into the pulseaudio daemon
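
An added example, not part of the thread or of PulseAudio: a Python audit that checks a running server for the capabilities listed above (capturing from a microphone, capturing from another stream's `.monitor` source, loading extra modules). It assumes the tab-separated layout printed by `pactl list short sources`, `source-outputs`, `clients` and `modules`; the sample rows and the module baseline are constructed.

```python
def sample(text):
    """Turn the '|'-separated constructed rows below into pactl's tab-separated form."""
    return text.strip().replace("|", "\t")

# Constructed stand-ins for `pactl list short <kind>` output.
SOURCES = sample("""
0|alsa_output.pci-0000_00_1f.3.analog-stereo.monitor|module-alsa-card.c|s16le 2ch 44100Hz|RUNNING
1|alsa_input.pci-0000_00_1f.3.analog-stereo|module-alsa-card.c|s16le 2ch 44100Hz|RUNNING
""")
SOURCE_OUTPUTS = sample("""
5|1|12|protocol-native.c|s16le 1ch 16000Hz
6|0|13|protocol-native.c|s16le 2ch 44100Hz
""")
CLIENTS = sample("""
12|protocol-native.c|voip-app
13|protocol-native.c|unknown-app
""")
MODULES = sample("""
0|module-device-restore||
1|module-alsa-card|device_id="0"|
2|module-native-protocol-unix||
30|module-null-sink|sink_name=x|
31|module-loopback|source=1 sink=x|
""")
# Assumption: the modules this host is expected to have loaded.
BASELINE = {"module-device-restore", "module-alsa-card", "module-native-protocol-unix"}

def rows(text):
    """Split `pactl list short` output into lists of tab-separated fields."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]

def capture_streams(sources, source_outputs, clients):
    """Return (client binary, 'input' or 'monitor', source name) per recording stream."""
    source_name = {r[0]: r[1] for r in rows(sources)}
    client_name = {r[0]: r[2] for r in rows(clients)}
    found = []
    for _index, source, client, *_rest in rows(source_outputs):
        name = source_name.get(source, "?")
        # A ".monitor" source carries what a sink is playing, i.e. other apps' output.
        kind = "monitor" if name.endswith(".monitor") else "input"
        found.append((client_name.get(client, "?"), kind, name))
    return found

def unexpected_modules(modules, baseline):
    """Return names of loaded modules that are not in the expected baseline."""
    return [r[1] for r in rows(modules) if r[1] not in baseline]

if __name__ == "__main__":
    for finding in capture_streams(SOURCES, SOURCE_OUTPUTS, CLIENTS):
        print("recording:", finding)
    print("unexpected modules:", unexpected_modules(MODULES, BASELINE))
```

On a live system the four strings would come from running the corresponding `pactl list short` commands as the user who owns the session.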

Posted Mar 6, 2020 17:10 UTC (Fri) by mcatanzaro (subscriber, #93033) (2 responses)

"Load and configure modules into the pulseaudio daemon"

Does this mean: "execute arbitrary code"? It sure sounds like that's what it means.

Posted Mar 6, 2020 17:45 UTC (Fri) by smurf (subscriber, #17840)

No, the modules are loaded from /usr/lib/pulse-VERSION/modules. The problem is that nobody prevents you from loading 1000 modules, linking their streams in interesting ways, and sending them some CPU- or network-intense data.

Posted Mar 9, 2020 15:29 UTC (Mon) by alexl (subscriber, #19068)

Not by design, you can't just point it to some .so and load that. However, I wouldn't be shocked if there is an exploit somewhere in some module you can trigger.

Posted Mar 6, 2020 12:01 UTC (Fri) by kazer (subscriber, #134462)

I would imagine it would be annoying in a vehicle if a malicious app hijacked your navigator audio and substituted it with something else.
It looks like the automotive people have a lot more concerns to handle than what PA can (check the video in the linked article).

