Music App Scoops Up Mic Input Even When It's Off
The music application Shazam has a nifty feature that identifies songs just by listening to a few seconds of them. The downside is that it's also always listening to you, according to new research.
To identify songs, Shazam turns on a Mac's microphone. But Patrick Wardle, director of research for the security company Synack, says that even when users toggle a selection to turn the microphone off, Shazam is still recording in the background.
It doesn't appear that Shazam actually processes the sounds it hears when the microphone is ostensibly turned off. But Wardle contends it would be trivial for someone to write malicious software to collect that sound.
"'OFF' should mean off, and due to their actions, we could get creative and easily design a piece of malware that steals this recording without having to initiate a recording itself," Wardle writes.
Wardle notified Shazam before he went public. He writes that he is somewhat conflicted about whether the behavior is a big deal. But the finding illustrates that apps don't always do what they say they do, which can irk more technical users.
Close Oversight
Shazam's interaction with the microphone would have gone unnoticed if not for a tool that Wardle wrote. In his free time, Wardle writes macOS security tools that he makes available for free on his Objective-See website.
He recently released one called OverSight, which alerts users when a new process tries to access a Mac's webcam. It's evident when a webcam on a Mac is in use, as a green light comes on (see Defending Against Mac Webcam Hijacks).
But Wardle found there's no additional alert if some other application, such as malware, tries to access the webcam at the same time. That gap helps attackers: malware that piggybacks on a legitimate webcam session records only moments likely to be of interest, and the already-lit indicator gives the user no second warning. OverSight shows an alert if that situation occurs, and users can either allow or block the access.
Since the tool's release, Wardle says it has been downloaded more than 50,000 times. One user discovered that when Shazam's microphone selection is toggled to off, the microphone is actually still on, as OverSight detected.
On a long flight to Argentina, Wardle dug into Shazam's code and determined the finding was accurate, although the application does not appear to be exporting the audio.
"Again, though it appears that Shazam is always recording even when the user has toggled it 'OFF', I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc.)," Wardle writes. "However, I still don't like an app that appears to be constantly pulling audio off my computer's internal mic. As such, I'm uninstalling Shazam as quickly as possible!"
Shazam Responds
Wardle posted Shazam's low-key response to his notification, saying that it would "address this issue in a future update." It attributed the behavior to a shared software development kit it uses across macOS and iOS, Apple's mobile operating system.
"The iOS and Mac apps use a shared SDK, hence the continued recording you are seeing on Mac," Shazam writes. "We use this continued recording on iOS for performance, allowing us to deliver faster song matches to users."
Shazam couldn't be immediately reached for comment.