- Details
- Category: Security News
Cybersecurity, Risk Management, Technology
Adopting a Multidisciplinary Approach to Challenges Presented by Internet of Things
The National Institute of Standards and Technology has issued long-awaited guidance on how to approach IT security as an engineering discipline.
NIST Special Publication 800-160, "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems," emphasizes a methodical engineering approach to information security as IT grows more complex, dynamic and interconnected, such as through the growth of the internet of things.
"We're all relying on the same commercial products today; we're building systems and the attack surface is growing," the guidance's lead author, NIST Fellow Ron Ross, said in an interview earlier this year with Information Security Media Group (see How to Bake Security Into IT From the Start). "And this [guidance] is going to give us the opportunity to take a step back and see how we can actually build security in from the start."
NIST began working on the guidance five years ago. "We've been talking about that forever, but now we do have an approach that actually can work to help us do the things that we've been saying for years," Ross said.
NIST Fellow Ron Ross discusses building resilience into IT systems.
According to its abstract, the guidance addresses the engineering-driven perspective and actions necessary to develop more defensible systems.
The guidance builds on a set of well-established international standards for systems and software engineering, which Ross contends should help win acceptance. The objective is to address stakeholder protection needs and to use established engineering processes to ensure those needs are addressed with fidelity and rigor throughout the life cycle of the system.
No Longer 'Victims'
U.S. CISO Tony Scott said he sees the new guidance as a game-changer in the approach to safeguarding digital assets, The Hill reports. "This will change the national dialogue from one of victims to one of a group of people who can do something about this," Scott said.
Among the objectives of the guidance is to build trustworthy, secure systems.
"Trustability is the capability to ensure that those security mechanisms work in a computer system ... as they're intended by the vendor and by you - via your security policy - and can't be modified or changed to do something they're not allowed to do," security consultant and former CIA CISO Robert Bigman said in an interview with ISMG earlier this year (see Making Information Systems 'Trustable'). "And, if they're changed, you'll see it, as part of the trustability matrix."
Privacy, Risk Management, Technology
Music App Scoops Up Mic Input Even When It's Off
The music application Shazam has a nifty feature that identifies songs just by listening to a few seconds of them. The downside is that it's also always listening to you, according to new research.
To identify songs, Shazam turns on a Mac's microphone. But Patrick Wardle, director of research for the security company Synack, says that even when users toggle a selection to turn the microphone off, Shazam is still recording in the background.
It doesn't appear that Shazam actually processes the sounds it hears when the microphone is ostensibly turned off. But Wardle contends it would be trivial for someone to write malicious software to collect that sound.
"'OFF' should mean off, and due to their actions, we could get creative and easily design a piece of malware that steals this recording without having to initiate a recording itself," Wardle writes.
Wardle notified Shazam before he went public. He writes that he is somewhat conflicted about whether the behavior is a big deal. But the finding illustrates that apps don't always do what they say they do, which can irk more technical users.
Close Oversight
Shazam's interaction with the microphone would have gone unnoticed if not for a tool that Wardle wrote. In his free time, Wardle writes macOS security tools that he makes available for free on his Objective-See website.
He recently released one called OverSight, which alerts users when a new process tries to access a Mac's webcam. It's evident when a webcam on a Mac is in use, as a green light comes on (see Defending Against Mac Webcam Hijacks).
But Wardle found there's no additional alert if some other application, such as malware, tries to access a webcam at the same time. That behavior helps attackers, because by piggybacking on a legitimate session they would be recording only what is likely to be of interest. OverSight shows an alert if that situation occurs, and users can either allow or block the access.
Since the tool's release, Wardle says it has been downloaded more than 50,000 times. One user discovered that when Shazam's microphone selection is toggled to off, it actually is still on as detected by OverSight.
On a long flight to Argentina, Wardle dug into Shazam's code and determined the finding was accurate, although the application does not appear to be exporting the audio.
"Again, though it appears that Shazam is always recording even when the user has toggled it 'OFF', I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc.)," Wardle writes. "However, I still don't like an app that appears to be constantly pulling audio off my computer's internal mic. As such, I'm uninstalling Shazam as quickly as possible!"
Shazam Responds
Wardle posted Shazam's low-key response to his notification, saying that it would "address this issue in a future update." It attributed the behavior to a shared software development kit it uses across macOS and iOS, Apple's mobile operating system.
"The iOS and Mac apps use a shared SDK, hence the continued recording you are seeing on Mac," Shazam writes. "We use this continued recording on iOS for performance, allowing us to deliver faster song matches to users."
Shazam couldn't be immediately reached for comment.
DDoS, Network & Perimeter, Risk Management
Danish Telecom Company Says BlackNurse DDoS Attack Can Easily Be Repelled
Enterprise firewalls from major vendors could be jammed by a type of distributed denial-of-service attack that could be launched from a single laptop, says TDC Group, one of Denmark's largest telecommunications companies. Luckily, the attack doesn't rely on a software vulnerability and can be blunted by configuration changes.
The attack, which TDC has dubbed BlackNurse, is powerful because it does not rely on sending enormous volumes of junk data traffic but rather a select stream of data packets that are computationally intensive for firewalls to process.
Even though the number of data packets per second is low, "this attack could keep our customers' operations down," TDC Group writes in a technical paper. "This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack."
Over the last two years, TDC Group saw 95 such attacks targeted against its customers.
ICMP Packets
Several recent massive DDoS attacks have relied on masses of internet-connected devices, such as digital video recorders with poor security controls. Those devices, which often have default passwords, are easy to infect with malware that can be remotely commanded to attack other services.
These botnets have generated record levels of attack traffic that have been difficult to counter. In October, web users found it difficult to reach services, including Spotify and Twitter, after a DDoS attack against Dyn, a networking company that provides Domain Name System management services (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).
In contrast, TDC Group says the BlackNurse attack doesn't rely on crushing volumes of traffic. Instead, the attack sends Internet Control Message Protocol data packets. ICMP is used for "ping," a diagnostic test to detect whether another host is available. This attack is different from an ICMP flood, where an attacker tries to take down a server by sending many pings.
BlackNurse is executed with ICMP Type 3 Code 3 packets, TDC Group says. If a firewall responds to that type of traffic, it doesn't require much bandwidth from the attacking machine. Less than 50,000 packets per second is enough to hamper a vulnerable firewall.
"The impact we see on different firewalls is typically high CPU loads," TDC Group writes. "When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops."
It's unclear why firewalls in certain configurations have trouble with these packets. Johannes Ullrich, the dean of research at the SANS Technology Institute, says that the firewalls could be trying to perform stateful analysis of the packets.
"ICMP unreachable packets include as payload the first few bytes of the packet that caused the error," Ullrich writes in a blog post. "A firewall can use this payload to determine if the error is caused by a legit packet that left the network in the past. This analysis can take significant resources."
In its testing, TDC Group finds that a reasonably sized laptop could generate attacks of 180 megabits per second. It also tried an attack using a Google Nexus 6 mobile phone, which could only generate 9 Mbps and "therefore cannot single-handedly perform the BlackNurse attack."
Defenses
Firewalls that have only one CPU would appear to be more vulnerable than those with two or more. Keeping logging on means a greater chance that a firewall under attack will run out of steam, TDC Group writes. Having plenty of available bandwidth also doesn't reduce the attack's effectiveness.
"Many firewall implementations handle ICMP in different ways and different vendors can be subject to attacks," the company writes. "Distributed attacks from larger botnets can be a major problem because botnets which are located on low bandwidth uplinks can come into play."
The best mitigation is to accept ICMP packets only from trusted machines. TDC Group recommends disabling ICMP Type 3 Code 3 traffic on WAN interfaces.
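As an added example (not code from TDC's paper, Ullrich's post or this article), the following Python sketch shows the two defender-side checks the story describes: counting Type 3/Code 3 packets per source per second against a rate threshold, and the cheap sanity check on the quoted inner header (does the error reference a packet our own network could have sent?) that belongs before any expensive stateful lookup. The packet builder, addresses, networks and threshold are constructed for the demonstration.

```python
import ipaddress
import struct
from collections import defaultdict

ICMP_UNREACH = 3   # ICMP Type 3: Destination Unreachable
PORT_UNREACH = 3   # Code 3: Port Unreachable, the packet type TDC attributes to BlackNurse

def build_unreach(src_ip, our_ip, inner_src=None, code=PORT_UNREACH):
    """Constructed test packet (not a real capture): outer IPv4 header, ICMP
    header, then the quoted 'original' packet (inner IPv4 header + 8 bytes)."""
    inner_src = inner_src or our_ip
    ipv4 = "!BBHHHBBH4s4s"
    outer = struct.pack(ipv4, 0x45, 0, 56, 0, 0, 64, 1, 0,
                        ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(our_ip).packed)
    icmp = struct.pack("!BBHI", ICMP_UNREACH, code, 0, 0)
    inner = struct.pack(ipv4, 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ipaddress.ip_address(inner_src).packed, ipaddress.ip_address(src_ip).packed)
    return outer + icmp + inner + b"\x00" * 8

def parse_icmp(pkt):
    """Return src, type, code and the quoted inner source address, or None if not IPv4/ICMP."""
    if len(pkt) < 28 or pkt[9] != 1:          # protocol field must be ICMP (1)
        return None
    ihl = (pkt[0] & 0x0F) * 4
    inner = pkt[ihl + 8:]                     # payload after the 8-byte ICMP header
    inner_src = str(ipaddress.ip_address(inner[12:16])) if len(inner) >= 20 else None
    return {"src": str(ipaddress.ip_address(pkt[12:16])),
            "type": pkt[ihl], "code": pkt[ihl + 1], "inner_src": inner_src}

def blacknurse_alerts(packets, our_nets, pps_threshold):
    """packets: iterable of (timestamp_seconds, raw_bytes).
    Returns (flooders, unsolicited): sources whose Type 3/Code 3 rate exceeds
    pps_threshold in any one-second window, and sources whose unreachable does
    not quote a packet that our own networks could have sent."""
    nets = [ipaddress.ip_network(n) for n in our_nets]
    per_sec = defaultdict(int)
    unsolicited = set()
    for ts, raw in packets:
        p = parse_icmp(raw)
        if not p or p["type"] != ICMP_UNREACH or p["code"] != PORT_UNREACH:
            continue                           # other ICMP is outside this check
        per_sec[(p["src"], int(ts))] += 1
        if p["inner_src"] is None or not any(
                ipaddress.ip_address(p["inner_src"]) in n for n in nets):
            unsolicited.add(p["src"])
    flooders = {src for (src, _), n in per_sec.items() if n > pps_threshold}
    return sorted(flooders), sorted(unsolicited)
```

The threshold is deliberately a parameter: TDC's figures suggest a real firewall can be hurt well below 50,000 packets per second, so it should be tuned to the device being protected rather than copied from the article.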
An analysis of how the Donald Trump administration will address health IT security and privacy leads the latest edition of the ISMG Security Report.
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Nov. 8 and Nov. 11 reports, which respectively analyzed how the FBI likely reviewed 650,000 emails found on a computer used by a top Hillary Clinton aide and the cybersecurity challenges Donald Trump faces as the 45th president. The next ISMG Security Report will be posted on Friday, Nov. 18.
Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.