{"id":1190,"date":"2009-03-13T16:47:50","date_gmt":"2009-03-14T00:47:50","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=1190"},"modified":"2009-03-13T16:47:51","modified_gmt":"2009-03-14T00:47:51","slug":"security-review-google-voice-2","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/security-review-google-voice-2\/","title":{"rendered":"Security Review: Google Voice"},"content":{"rendered":"<p><em>Apologies for reviewing the same technology.  The <a href=\"http:\/\/cubist.cs.washington.edu\/Security\/2009\/03\/13\/security-review-google-voice\/\">other Google Voice review<\/a> just appeared for me, which was after I wrote my own.  I did check prior to starting this review, and it wasn&#8217;t up then.<\/em><\/p>\n<p><strong>Summary:<\/strong><\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/action\/article.do?\ncommand=viewArticleBasic&amp;articleId=9129578\">ComputerWorld<\/a> had an article about <a href=\"http:\/\/googleblog.blogspot.com\/2009\/03\/here-comes-google-voice.html\">Google Voice<\/a>.\u00a0 Google Voice is a new service offered by Google to make people\u2019s phones more usable.\u00a0 Google Voice will automatically transcribe a user\u2019s voicemail into text form, using speech recognition software.\u00a0 Because the transcription is done with software, there may be some mistakes in the text versions.\u00a0 The transcriptions will be made available in the user\u2019s inbox.\u00a0 The service can also e-mail or SMS the messages to you.  
If a user desires, the service can be turned off.<\/p>\n<p>Google Voice builds on the technology of GrandCentral, a company that Google bought a few years ago.\u00a0 This technology allows a user to have a single number for all of their phones.\u00a0 When this number is dialed, all of the associated phones also ring.\u00a0 In this way, a user can be contacted regardless of which phone (home, work, cell, etc&#8230;).\u00a0 Google Voice will initially be offered to current users of GrandCentral.<\/p>\n<p><!--more--><\/p>\n<p><strong>Assets:<\/strong><\/p>\n<p>The assets involved are a significant amount of a user\u2019s personal data.<\/p>\n<ul>\n<li>User\u2019s phone numbers: this is obviously necessary for the technology to work.\u00a0 Though this information can be found in phonebooks, some people value the privacy of this data.\u00a0 A person\u2019s phone number can be used for telemarketing, stalking, or (sometimes) even physical tracking using <a href=\"http:\/\/www.google.com\/latitude\/intro.html\">Google Latitude<\/a>.<\/li>\n<li>User\u2019s e-mail address: this is needed in order to e-mail transcriptions to a user.\u00a0 These are valued to avoid spam and other unwanted communications.<\/li>\n<li>User\u2019s personal information: this is the big one!\u00a0 Recording a user\u2019s messages may include incredibly sensitive information (perhaps messages from a mistress or creditors).\u00a0 This information is now converted from sound to text, stored on Google\u2019s servers, and sent by e-mail.<\/li>\n<\/ul>\n<p><strong>Adversaries\/Threats:<\/strong><\/p>\n<ul>\n<li>Stalker: a person motivated to snoop into the details of your life could learn quite a bit about you from this service.\u00a0 This personal information could be used to embarrass, blackmail, or incarcerate the user, depending on what was found.<\/li>\n<li>Government: the government could break into Google Voice, or perhaps subpoena Google into releasing its databases to law enforcement.\u00a0 This 
could be used to monitor suspected terrorists or punish petty crimes.<\/li>\n<\/ul>\n<p><strong>Potential Weaknesses:<\/strong><\/p>\n<ul>\n<li>I assume that a user\u2019s transcriptions are password accessible, even if not sent by e-mail.\u00a0 If this is true, then all the normal password weaknesses apply: the user may have chosen a poor password, it may be a password shared with another site, etc.<\/li>\n<li>If transcriptions can also be accessed directly from one of the phones included in the GrandCentral list, then this phone must send some signal to Google.\u00a0 This signal could be recorded, and it is likely that a successful replay attack could then be staged.<\/li>\n<li>Users are frequently a weak link in the security of any system, and this will hold true for Google Voice as well.\u00a0 Many users are unlikely to think about the possible security consequences associated with this service.\u00a0 This may lead them to make especially poor security choices.<\/li>\n<li>If a user opts for transcriptions to be e-mailed or SMSed to them, there is the additional possibility that these messages can be intercepted.\u00a0 Google may have very little control of the security of these services, which likely makes this a weak link.<\/li>\n<\/ul>\n<p><strong>Potential Defenses:<\/strong><\/p>\n<ul>\n<li>The transcription database should be encrypted and otherwise properly protected.\u00a0 It should be secure from physical access, and few employees within Google should have any kind of access to it.<\/li>\n<li>Google should take steps to properly educate the users of Google Voice about the security concerns.\u00a0 Specifically, it should mandate \u201cgood\u201d passwords and attempt to inform users about the risks inherent in converting private conversations to text, which can easily be parsed by computers.\u00a0 Similarly, it should warn users about the additional risks involved in e-mailing the transcriptions.<\/li>\n<\/ul>\n<p><strong>Evaluate Risks:<\/strong><\/p>\n<p>I 
think that the risks posed above have the potential to cause users significant harm.\u00a0 However, much of the personal information above can be found by other means already.\u00a0 The fact that we already have voicemail means that precisely this information is already in databases somewhere, albeit in voice rather than text form.\u00a0 Moreover, much of this information is likely redundant to other sources of information on a person, which could be found using Google searches, dumpster diving, and general stalking.\u00a0 For this reason, the biggest risk of Google Voice is that it makes personal information more accessible to adversaries than previously possible, assuming the adversaries can compromise Google\u2019s security measures.<\/p>\n<p><strong>Conclusions:<\/strong><\/p>\n<p>I am highly suspicious of this service and will not be using it myself.\u00a0 However, it should be noted that the vast majority of this information is already available in voicemail databases.\u00a0 I do not think that this technology, if appropriately implemented, poses any new significant threats to the assets listed above.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apologies for reviewing the same technology. The other Google Voice review just appeared for me, which was after I wrote my own. I did check prior to starting this review, and it wasn&#8217;t up then. 
Summary: ComputerWorld had an article &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/security-review-google-voice-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":112,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,9,5],"tags":[],"class_list":["post-1190","post","type-post","status-publish","format-standard","hentry","category-current-events","category-privacy","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/112"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=1190"}],"version-history":[{"count":8,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1190\/revisions"}],"predecessor-version":[{"id":1203,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1190\/revisions\/1203"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=1190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=1190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=1190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}