Shazam Keeps Your Mac's Microphone Always On, Even When You Turn It Off (vice.com)
An anonymous reader quotes a report from Motherboard: What's that song? On your cellphone, the popular app Shazam is able to answer that question by listening for just a few seconds, as if it were magic. On Apple's computers, Shazam never turns the microphone off, even if you tell it to. When a user of Shazam's Mac app turns the app "OFF," the app actually keeps the microphone on in the background. For the security researcher who discovered that the mic is always on, it's a bug that users should know about. For Shazam, it's just a feature that makes the app work better. Patrick Wardle, a former NSA hacker who now develops free Mac security tools, discovered this issue thanks to his latest software OverSight, which is designed to alert users when apps use their webcam and microphone. After he released OverSight, Wardle received an email from a user who noticed that the security app alerted him that Shazam was still listening even after he had switched the toggle to "off." Curious about this discovery, and worried his own software might be issuing a false alarm, Wardle reverse engineered the Shazam app to figure out what was happening. After a few hours analyzing the code, Wardle found out that, in fact, Shazam never stops listening, as he explained in a blog post published on Monday. James Pearson, VP of global communications for Shazam, said in a statement to Motherboard: "There is no privacy issue since the audio is not processed unless the user actively turns the app 'ON.' If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."
Shazam might be listening?
For the security researcher who discovered that the mic is always on, it's a bug that users should know about.
I see what you did there.
Could be useful to know who needs to get an ad.
It does sound like a legitimate reason rather than something nefarious. When someone uses a program like Shazam, they probably want it to start analyzing the song as soon as possible in case they only catch it at the end. If the initialization process takes too long, there might not be enough song information available before the track finishes. I've had the same issue with a slower phone which took too long to load Shazam before the song ran out. For this reason, keeping the mic buffer available is probably a good idea AS LONG AS it's not keeping an exclusive lock that prevents other apps from requiring the mic.
Google has its own 'what's this song' feature, but for a while I used SoundHound. Initially it was the only one, and it had better features like lyrics search. Then I found that unless I force closed the app (app switching or closing did not work), the mic was unavailable for ok google searches. Forcing the app closed released the mic. Bug or intentional, I don't know. The last time I used the app was a year or more ago, so it could have changed, but this behavior no longer surprises me.
Silence is a state of mime.
The reason is understandable, but there should be an opt-in or some kind of disclosure. Something like "This app keeps your microphone initialized for a better user experience. This "feature" can be disabled in the program's settings."
it's a bug that users should know about.
That's what it is. A bug. But not a coding error.
Seven puppies were harmed during the making of this post.
If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."
Well of course the company owning the app would like everything to be fast for their one particular purpose, devil may care what other malicious or incompetent shit it does, or who other than their target users might object to it.
Malware / spam trying to sell you could similarly argue that they're making the user experience great for their customers to buy their Viagra / porn, who cares whether the side effect is your computer being hijacked or flooded with spam.
I don't know what you kids are listening to nowadays, but when I want to know a song's title, I punch in four key words from the lyrics into a search engine and presto, it's the first result.
I was the Sun sysadmin for maybe 17 workstations in a Windows shop. Sun came out with workstations that had a mic. I told my boss I needed to open every box up and cut a wire. He didn't believe me. Told him to call his secretary and talk to her for a minute or two. When he hung up I went into his office and replayed the audio I'd recorded off his workstation.
// why do you ask?
/// did you think I was just bored one day, or something?
Spent maybe an hour cutting a wire in every workstation we'd bought. Ahhh, the days of usenet, otherwise I'd have never thought of it.
/ why yes, the camera on my laptop has tape over it
Disclosure is no substitute for software freedom. It's so easy to disclose something, give the user a bogus UI for "controlling" the program, and then do whatever the proprietor really wants done (which could include covertly recording audio from unsuspecting users who believe they control their computer's mic). There's no substitute for being free to run, share, inspect, and modify the program at any time for any reason. Software freedom is the only thing that will keep proprietors from taking advantage of computer users because when the proprietors don't know who is inspecting the code, improving the code, or distributing improved versions they know they can be caught.
Digital Citizen
It's just a shame they don't pay the phone users a cut of the take.
Have gnu, will travel.
If the requirement to be listening permanently is reasonable, then surely their users would understand and accept this as part of using their application?
This is why I get all my apps from the profiles of nameless faceless losers on GitHub instead, because when amateur coders make stupid mistakes like leaving the microphone on, I can believe it was an honest mistake.
Fuck the tech billionaires to hell!
and we know how lame the new OSX are
It wouldn't surprise me if they just decided that since people are willingly putting permanent audio listeners in their house, nobody would care if they kept the computer mic on too.
I'm a conspiracist, but I'm also something of a fatalist and in many cases I kind of shrug my shoulders at the latest privacy dustup. But I really can't grasp why someone would buy an audio device capable of listening in their house all the time and sending it back to who knows where.
That's not the point. He could be a total idiot and still reap the benefits of open software in that the proprietor cannot control just who has access to the software. They know that someone somewhere could inspect the source and find whatever they might try to hide, and as a result are on their best behavior and the masses of people that look on the keyboard for the "any" key still get the benefits.
It's 2016 and mics are soldered onto the motherboard, you can't open the case of the device, let alone cut a wire.
And if you tape over the mic hole(s) it makes ZERO difference, because enough sound comes through the case and the screen and the USB socket to drive the microphones regardless.
Try it, tape over every hole on a tablet, start a recording app, speak into it, play it back....nearly crystal clear!
Every device with a microphone should have a physical, hardwired switch with an indicator that tells when it's enabled or disabled.
Cameras are easy: A bit of quality black electrical tape, easily removed later, and they are blind. Microphones are far more difficult. You basically have to blind them with excessive noise or disconnect them. Since the internal microphones of laptops are never very good, I will start doing that for mine, no loss. And the microphone on my main computer is only plugged in when I use it.
Smartphones, on the other hand, are a problem here. I still have one with a removable battery (only way to be really sure it is off), and I will keep it that way as long as possible.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This news doesn't surprise me at all. On Android, I uninstalled Shazam soon after installing it, because it wanted way too many permissions on my phone, most of which made no sense. Why on earth, for example, did it want access to my address book? NO!
It reminds me of RealAudio, which was once king of computer audio, but then became such an advertising nuisance that it became unbearable.
Besides, any Android device has music identification built in. Just say "OK Google...What song is this?" It responds by listening for a few seconds, then shows you the song, artist, and album info.
Your {device} loads a data stream that when decoded and sent through whatever audio hardware/software combination, thence to the speaker/s, makes noise - spoken word, music, whatever.
Then the device's microphone "listens" to this audio, re-converts it to a digital stream that then gets sent off to a company who presumably run it past a big database of recorded music, to match it up, and report back to you that the audio is named "Purple Rain" recorded by the artist formerly blah blah blah.
Doesn't anyone look at tags anymore? You know, the metadata? Or didn't anyone think to um, bypass the whole conversion to actual sound waves and back to digital stream.
They sentenced me to twenty years of boredom
... the security implications?
What if they'd actually turned off the microphone instead of fooling the end-user into thinking it was off? And, then, if users complained about missing the first 0.25s (or whatever) of the tune, Shazam responded to the users that there was a slight delay but that it was necessary to protect them from potentially being eavesdropped on? How many users would have found that reasonable and been fine with that? Well, we'll never know because Shazam didn't, apparently, care too much about the end user's privacy. But making sure they could identify an effin' song? Well, that's of paramount importance!
CUR ALLOC 20195.....5804M
Shazam could be right, it may not be an issue if they have some kind of exclusive hook into the mic and it's on but not sending data anywhere and it's not accessible by any other app than Shazam due to the isolation mechanisms of the OS. If the mic is on, the data is reaching the driver, what happens from there is unclear but it's already on the device in some kind of digital format. Whether it's accessible by another program at that point is the real question. It should be easy(*) to prove this is a security risk by writing a demo malware that finds the audio stream in memory and spies on you without ever technically initializing the microphone itself, helping it stay under the radar, ultimately exposing Shazam's decision as unwise. I'm not a mobile developer but I'd imagine this is virtually impossible, as it would mean that any application can access the data of any other application.
It's funny how virtually every laptop camera has a little light to indicate whether something is watching you, but virtually no microphones have this, nor do cameras on phones. Maybe that needs to change.
Did this "security researcher" use to work for the NSA? Or did he attack the NSA in the past?
P.S. In either case I would hesitate to install anything he wrote on my machine.
you post this stupid shit every chance you get... do you even think it's funny? go back to the 19th century where your shit might make sense, instead of polluting the comments sections here at /.
If a car "didn't really" put itself into park when you moved the gear selector there a car company would get their butts handed to them. Why does Shazam think they're any different? It may be difficult for a phone to actually kill you (even a car not in park is only going to actually injure/kill in a very small number of cases) but it can do a number on your life, catching intimate conversations/noises, crass viewpoints, etc and possibly leaking them to the web for the world to see/hear.
What I think is surprising is the fact that the app with this serious security/privacy issue can be installed from Apple's walled garden.
Not that I really trusted the efficiency and accuracy of the policies to allow or block apps, but I would at least expect that Apple restricts apps from this kind of spying on the users.
Said a million users as they deleted the app from their phones and computers.
There's nothing 'great' or 'legitimate' about keeping the mic on when you say it's off. Let's review, shall we?
"If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."
What a load of horse hockey that is! How long is a song? 2-5 minutes, and much longer for classical music. How long does it take to initialize the mic and then start buffering audio? Try, 2-5 seconds, and that's being generous. There is such a small window for a user to 'miss out' on a song that it is not a use case worth supporting. Your users will understand if they activate the app so late in the song they miss it. "Oh, I missed it" will be the response, not "damn this app, I'm never using this POS ever again!"
Now consider that the app maker labelled the mic as being Off, when it is actually On. That seems like more than a small transparency problem, right there, don't you think? And no, labelling the mic as Kinda Sorta Off Only Not Really is a terrible answer. This is a straightforward issue, don't lie about the device status, and don't use weasel words to do something that should not be done.