In June, 2015 there was an alarming bit of news when people over at the Debian project realized that Chromium silently downloaded a closed source NaCl binary extension. It was the hotword extension which implements speech recognition techniques. When someone says “OK Google” within range of the microphone, Chrome interprets what follows as a command. This is an essential component of the hands free voice search feature offered in newly opened tabs or on Google’s homepage. It was not just alarming that open-source Chromium was installing a closed-source module, but also that this module could use your microphone to passively listen to you.
In “Using Deviare to Create a Temporary Zero Day Patch” we used Deviare to show how you can prevent an attack before a patch is available (without shutting down your computers). Here we show a simple and fast way to sandbox Google Chrome and to know whether it wants to listen to you. The Python code is available here.
A quick perusal of the Chrome project reveals that Core Audio APIs are used to obtain low-level access to recording hardware. Chrome instantiates an IMMDeviceEnumerator object and then uses the IMMDevice::Activate() method to instantiate an IAudioClient object. IAudioCaptureClient is instantiated through IAudioClient::GetService(). We hook CoCreateInstance() so that the call to create an IMMDeviceEnumerator is ignored and all interaction with microphones is blocked. More fine-grained control and monitoring capabilities can be achieved by hooking more specific functions.
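As an added illustration (not the post's own script), this is the decision the CoCreateInstance hook has to make: decode the CLSID the caller passes, deny the MMDevice enumerator, and log the verdict. The CLSID and IID values are the documented Windows ones; the Deviare wiring that reads the parameters out of the Chrome process and returns the HRESULT is assumed and not shown here.

```python
import uuid
from dataclasses import dataclass

# Documented Core Audio identifiers: the class Chrome asks CoCreateInstance
# for, and the interface it requests on it.
CLSID_MMDEVICE_ENUMERATOR = uuid.UUID("BCDE0395-E52F-467C-8E3D-C4579291692E")
IID_IMMDEVICE_ENUMERATOR = uuid.UUID("A95664D2-9614-4F35-A746-DE8DB63617E6")

# HRESULT CoCreateInstance returns for an unregistered class; returning it
# from the hook makes the denial look like "no such component" to Chrome.
REGDB_E_CLASSNOTREG = 0x80040154
S_OK = 0


def guid_bytes(text: str) -> bytes:
    """In-memory GUID layout (little-endian fields) that rclsid/riid point to."""
    return uuid.UUID(text).bytes_le


@dataclass(frozen=True)
class Decision:
    block: bool
    hresult: int
    clsid: uuid.UUID
    iid: uuid.UUID


def parse_guid(raw: bytes) -> uuid.UUID:
    """Decode the 16-byte GUID struct read from the hooked call's argument."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return uuid.UUID(bytes_le=raw)


def decide(rclsid: bytes, riid: bytes) -> Decision:
    """Hook policy: refuse to create the device enumerator, allow everything else."""
    clsid, iid = parse_guid(rclsid), parse_guid(riid)
    if clsid == CLSID_MMDEVICE_ENUMERATOR:
        return Decision(True, REGDB_E_CLASSNOTREG, clsid, iid)
    return Decision(False, S_OK, clsid, iid)


def format_event(pid: int, d: Decision) -> str:
    """One audit line per intercepted call, so you can see microphone attempts."""
    verdict = "BLOCKED" if d.block else "allowed"
    return f"pid={pid} CoCreateInstance clsid={{{d.clsid}}} iid={{{d.iid}}} {verdict} hr=0x{d.hresult:08X}"


if __name__ == "__main__":
    # Constructed sample: the raw argument bytes the hook would read from Chrome.
    print(format_event(4242, decide(CLSID_MMDEVICE_ENUMERATOR.bytes_le, IID_IMMDEVICE_ENUMERATOR.bytes_le)))
```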
Prerequisites
- Windows Vista or later (1)
- Python 3 (tested with Python 3.4.3) with its pywin32 bindings
- Deviare COM registration, see below
- Chrome (tested with Chrome 43.0.2357.130)
Deviare COM Registration
Navigate to the bin directory of Deviare2 and execute regsvr32 DeviareCOM.dll. If you are using a 64-bit operating system, execute regsvr32 DeviareCOM64.dll.
You must also configure Chrome to enable the hotword “OK Google” extension. To do so, go to chrome://settings and set the default search engine to Google. A checkbox labeled “Enable “OK Google” to start a voice search.” should appear just below. After you check it, the hotword NaCl extension module should load automatically whenever you visit Google’s homepage or open a new tab, provided that your country is supported. If this is not the case (you won’t see “Say “OK Google”” within the search textbox, or any equivalent in your language), you will have to use http://www.google.com instead.
Using the Script
There are two ways to run the demonstration script.
The first method is without arguments. In this case, the script will try to guess the path to the Chrome executable and launch it. Immediately after that, the hooks are created and attached to the process.
The second way (2) is to invoke it with a list of PIDs in this fashion:
python3 ChromeAudioCaptureSandbox.py pid1 pid2 pid3 … pidn
In this case, it will attach the created hooks to the specified PIDs.
Credits
Thanks to our Windows driver development and custom software development teams.
Notes
- This script was not written for Windows XP, and presumably will not work since it hooks APIs available in Windows Vista or later. However, it should not be difficult to hook the API used in XP.
- Hooking the Chrome processes while the hotword NaCl module is already running may cause Chrome to crash, because Chrome assumes a recording device exists. We trick it into thinking there is no such device, which is a situation outside its normal execution flow.