Security Review: Google Voice

By eapter at 4:47 pm on March 13, 2009Comments Off on Security Review: Google Voice

Apologies for reviewing the same technology. The other Google Voice review just appeared for me, which was after I wrote my own. I did check prior to starting this review, and it wasn’t up then.

Summary:

ComputerWorld had an article about Google Voice.  Google Voice is a new service offered by Google to make people’s phones more usable.  Google Voice will automatically transcribe a user’s voicemail into text form, using speech recognition software.  Because the transcription is done with software, there may be some mistakes in the text versions.  The transcriptions will be made available in the user’s inbox.  The service can also e-mail or SMS the messages to you. If I user desires the service can be turned off.

Google Voice builds on the technology of GrandCentral, a company that Google bought a few years ago.  This technology allows a user to have a single number for all of their phones.  When this number is dialed, all of the associated phones also ring.  In this way, a user can be contacted regardless of which phone (home, work, cell, etc…).  Google Voice will initially be offered to current users of GrandCentral.

Assets:

The assets involved are a significant amount of a user’s personal data.

  • User’s phone numbers: this is obviously necessary for the technology to work.  Though this information can be found in phonebooks, some people value the privacy of this data.  A person’s phone number can be used for telemarketing, stalking, or (sometimes) even physical tracking using Google Latitude.
  • User’s e-mail address: this is needed in order to e-mail transcriptions to a user.  These are valued to avoid spam and other unwanted communications.
  • User’s personal information: this is the big one!  Recording a user’s messages may include incredibly sensitive information (perhaps messages from a mistress or creditors).  This information is now converted from sound to text, stored on Google’s servers, sent by e-mail.

Adversaries/Threats:

  • Stalker: a person motivated to snoop into the details of your life could learn quite a bit about you from this service.  This personal information could be used to embarrass, blackmail, or incarcerate the user, depending on what was found.
  • Government: the government could break into Google Voice, or perhaps subpoena Google into releasing its databases to law enforcement.  This could be used to monitor suspected terrorists or punish petty crimes.

Potential Weaknesses:

  • I assume that a user’s transcriptions are password accessible, even if not sent by e-mail.  If this is true, then all the normal password weaknesses apply: the user may have chosen a poor password, it may be a password shared with another site, etc.
  • If transcriptions can also be accessed directly from one of the phones included in the GrandCentral list, then this phone must send some signal to Google.  This signal could be recorded, and it is likely that a successful replay attack could then be staged.
  • Users are frequently a weak link in the security of any system, and this will hold true for Google Voice as well.  Many users are unlikely to think about the possible security consequences associated with this service.  This may lead them to make especially poor security choices.
  • If a user opts for transcriptions to be e-mailed or SMSed to them, there is the additional possibility that these messages can be intercepted.  Google may have very little control of the security of these services, which likely makes this a weak link.

Potential Defenses:

  • The transcription database should be encrypted and otherwise properly protected.  It should be secure from physical access, and few employees within Google should have any kind of access to it.
  • Google should take steps to properly educate the users of Google Voice of the security concerns.  Specifically, it should mandate “good” passwords and attempt to inform users about the risks inherent in converting private conversations to text, which can easily parsed by computers.  Similarly, it should warn users about the additional risks involved in e-mailing the transcriptions.

Evaluate Risks:

I think that the risks posed above have the potential to cause users significant harm.  However, much of the personal information above can be found by other means already.  The fact that we already have voicemail means that precisely this information is already in databases somewhere, albeit in voice rather than text form.  Moreover, much of this information is likely redundant to other sources of information on a person, which could be found using Google searches, dumpster diving, and general stalking.  For this reason, the biggest risk of Google Voice is that it makes personal information more accessible to adversaries than previously possible, assuming the adversaries can compromise Google’s security measures.

Conclusions:

I am highly suspicious of this service and will not be using it myself.  However, it should be noted that the vast majority of this information is already available in voicemail databases.  I do not think that this technology, if appropriately implemented, poses any new significant threats to the assets listed above.

Filed under: Current Events,Privacy,Security ReviewsComments Off on Security Review: Google Voice

Comments are closed.