Security Review – Google Voice

By Tim Crossley at 10:19 am on March 13, 2009

Product Page: http://www.google.com/voice/about

Recently, Google has rolled out another product designed to change the way people use existing technologies. This time it’s called Google Voice, a replacement for and advancement of an existing service called GrandCentral. Google Voice aims to centralize phone calls and SMS text messages across many different phones, allowing incoming calls to be routed to different lines, providing advanced voicemail boxes, and offering numerous other features.

Like many Google products, Voice suffers from a fundamental security problem: personal user data is stored completely outside the user’s realm of control. Call logs, voicemail, contacts: everything is stored on Google’s servers. Google Mail suffers from the same problem, in that the end user must place trust in a corporation whose internal procedures are mostly kept secret.

Assets and Goals

  • Personal Information – This is a huge category, and can include call logs, contact lists, the user’s own phone numbers, SMS history, and voicemail messages.
  • Identity – Only calls/text messages from the valid user should appear to come from that user’s Voice number.
  • Availability – The service must be kept running constantly, or else a user could not receive calls directed to his or her Voice number.
  • Correct routing information – Calls and text messages should go to the person for whom they are intended.

Adversaries

  • Advertising Agencies – Advertising agencies are not well known for their high standards of privacy. Spam email/phone calls/texts are all very possible if untrustworthy agencies get access to privileged information. And seeing as Google’s income primarily comes from advertising, this is not an unlikely scenario. Note that Google itself can fall under this category (although it would probably violate their privacy policy).
  • Malicious Insiders – Even if Google sticks to their privacy policy, insiders with sufficient access could still gain privileged information about users of the service.
  • General “Crackers” – Some people will break a system just to see if they can. The larger the system, the more tempting it is. These attackers would be the group most likely to stage DoS attacks against the Voice service.
  • Malicious Users – Voice includes a service which allows a call to be recorded. Currently, turning on the call recording feature plays a short message stating to both parties that the call is being recorded. A user could get around the notification by simply turning on the recording feature at a time when the other party is not able to hear the notification (i.e. if the other party leaves the phone for a few seconds).

Weaknesses

  • Centralized data storage – With all data stored on Google’s servers, it would only take one sufficiently privileged insider, or a single security breach caused by an exploit in the data storage mechanisms, to leak information about many users.
  • Centralized point of failure – Similar to the centralized data storage, routing all incoming phone calls through Voice creates a single point of failure for all of a user’s phone lines. If a DoS attack were successful against the main Voice system, users would not be able to receive incoming calls.
  • Voicemail transcripts – Voicemail is converted to a text transcript via a speech recognition engine. A text format is far easier for a computer program to analyze and use in some data mining scheme.

Potential Defenses

  • Expand infrastructure to include multiple levels – In the event that some part of the routing infrastructure goes down (whether due to attack or something else), fall back to a different layer. The goal is to provide alternative methods for calls to go through.
  • Security audits of data usage/retention – If you are worried about what Google might be doing with your personal information behind closed doors (and you should be, no matter what the company is), then the only real defense is a strong and clearly defined audit that shows users exactly how personal information is used.
  • Careful selection of advertising partners – This lies close to the above defense, in that it’s important that Google chooses advertisers who have good security practices as well. Failing that, Google should have some way of preventing anything but the simplest information from reaching the advertiser.
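The first defense above, falling back to a different routing layer when one goes down, is easiest to see in a small simulation. The following Python is an added example written for this review, not Google's code: it models a "primary" layer that saturates under a burst of calls and a "fallback" layer behind it, and adds a simple trip counter (a design choice of this example) so that a layer which has failed several times in a row is skipped rather than retried on every call. The layer names, capacities and the destination number are all constructed values.

```python
"""Layered call routing with failover (added example, not Google's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RoutingLayer:
    """One tier of routing infrastructure with a fixed burst capacity (constructed)."""
    name: str
    capacity: int      # calls this layer can carry during the simulated burst
    carried: int = 0

    def try_route(self, destination: str) -> Optional[str]:
        # A saturated (or DoS'd) layer simply cannot take the call.
        if self.carried >= self.capacity:
            return None
        self.carried += 1
        return f"{self.name}:{destination}"


class LayeredRouter:
    """Tries each layer in order; a layer that fails `trip_after` times in a row is skipped."""

    def __init__(self, layers: List[RoutingLayer], trip_after: int = 3):
        self.layers = layers
        self.trip_after = trip_after
        self.failures: Dict[str, int] = {layer.name: 0 for layer in layers}
        self.tripped: set = set()

    def route(self, destination: str) -> Optional[str]:
        for layer in self.layers:
            if layer.name in self.tripped:
                continue
            path = layer.try_route(destination)
            if path is not None:
                self.failures[layer.name] = 0   # a success resets the counter
                return path
            self.failures[layer.name] += 1
            if self.failures[layer.name] >= self.trip_after:
                self.tripped.add(layer.name)    # stop hammering a dead layer
        return None  # every layer refused: the call is dropped


def simulate_burst(router: LayeredRouter, n_calls: int,
                   destination: str = "+1-555-0100") -> Dict[str, int]:
    """Send a burst of calls and count which layer carried each one (or 'dropped')."""
    stats = {layer.name: 0 for layer in router.layers}
    stats["dropped"] = 0
    for _ in range(n_calls):
        path = router.route(destination)
        if path is None:
            stats["dropped"] += 1
        else:
            stats[path.split(":", 1)[0]] += 1
    return stats


def single_layer_scenario() -> Dict[str, int]:
    """The 'centralized point of failure' case: one layer, no fallback."""
    router = LayeredRouter([RoutingLayer("primary", capacity=5)])
    return simulate_burst(router, 20)


def layered_scenario() -> Dict[str, int]:
    """The proposed defense: a second layer absorbs what the primary cannot carry."""
    router = LayeredRouter([
        RoutingLayer("primary", capacity=5),
        RoutingLayer("fallback", capacity=100),
    ])
    return simulate_burst(router, 20)


if __name__ == "__main__":
    print("single layer:", single_layer_scenario())
    print("two layers:  ", layered_scenario())
```

With a single layer, the 15 calls beyond the primary's capacity are dropped; with a fallback layer behind it, the same burst is carried in full, and after three consecutive refusals the primary is no longer even consulted until it is reset. The model says nothing about how the real service is built; it only makes the single-point-of-failure argument concrete.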

Evaluation and Conclusion

For most people, the major security concern with Voice is the same concern as many have over Google Mail: Do you really want a company to have unlimited access to your very personal data? Sure, Google’s privacy policy states that they won’t do harmful things with the data they do collect, but it requires some amount of trust just to believe that privacy policy is even followed. No auditing process can be truly believed, either, until it is the user himself who has performed the audit. But I don’t think this will stop many people from utilizing the service, just as it doesn’t stop people from using Google Mail. For the majority of potential users, the convenience of the service outweighs the potential security risks.
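The review's point that an audit is only convincing when the user can perform it, together with the earlier defense of an audit "that shows users exactly how personal information is used", can be made concrete with a tamper-evident access log. The following Python is an added example written for this review, not a description of anything Google runs: every access to a user's data (by a service, an employee, or the user) is appended to a SHA-256 hash chain, the user can pull their own access report, and anyone holding the latest chain head can verify that no entry was altered or silently dropped from the tail. The actors, assets, ticket number and purposes in the sample log are constructed.

```python
"""Hash-chained data-access audit log (added example, not Google's code)."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first entry


@dataclass(frozen=True)
class AccessEvent:
    seq: int          # position in the chain
    user: str         # account whose data was touched
    asset: str        # "voicemail", "call_log", "contacts", "sms", ...
    actor: str        # who touched it: a service name, an employee id, or the user
    purpose: str      # recorded justification for the access
    prev_hash: str    # digest of the preceding entry
    digest: str       # SHA-256 over all the fields above


def _digest(seq: int, user: str, asset: str, actor: str,
            purpose: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash the same way.
    body = json.dumps([seq, user, asset, actor, purpose, prev_hash],
                      separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.events: List[AccessEvent] = []

    def record(self, user: str, asset: str, actor: str, purpose: str) -> AccessEvent:
        prev = self.events[-1].digest if self.events else GENESIS
        seq = len(self.events)
        ev = AccessEvent(seq, user, asset, actor, purpose, prev,
                         _digest(seq, user, asset, actor, purpose, prev))
        self.events.append(ev)
        return ev

    def head(self) -> str:
        """The latest digest; a user who keeps this can later detect truncation."""
        return self.events[-1].digest if self.events else GENESIS


def verify_chain(events: List[AccessEvent], expected_head: Optional[str] = None) -> bool:
    """True if every entry links to its predecessor and hashes to its stored digest.

    Passing `expected_head` additionally catches entries removed from the tail,
    which a chain check alone cannot see.
    """
    prev = GENESIS
    for i, ev in enumerate(events):
        if ev.seq != i or ev.prev_hash != prev:
            return False
        if _digest(ev.seq, ev.user, ev.asset, ev.actor, ev.purpose, ev.prev_hash) != ev.digest:
            return False
        prev = ev.digest
    return expected_head is None or prev == expected_head


def report_for_user(events: List[AccessEvent], user: str) -> List[Tuple[str, str, str]]:
    """What the user would see: who accessed which of their assets, and why."""
    return [(ev.actor, ev.asset, ev.purpose) for ev in events if ev.user == user]


def build_sample_log() -> AuditLog:
    """Constructed sample accesses for two accounts."""
    log = AuditLog()
    log.record("alice", "voicemail", "transcription-service", "speech-to-text of new message")
    log.record("alice", "call_log", "alice", "owner viewed web console")
    log.record("bob", "contacts", "sync-service", "device contact sync")
    log.record("alice", "voicemail", "employee:e-1234", "support ticket T-42")  # constructed id
    return log


def tampered_copy(log: AuditLog) -> List[AccessEvent]:
    """Rewrite one entry's purpose in place while leaving its digest untouched."""
    events = list(log.events)
    ev = events[3]
    events[3] = AccessEvent(ev.seq, ev.user, ev.asset, ev.actor,
                            "routine maintenance", ev.prev_hash, ev.digest)
    return events


if __name__ == "__main__":
    log = build_sample_log()
    print("alice's report:", report_for_user(log.events, "alice"))
    print("intact:", verify_chain(log.events, log.head()))
    print("edited entry:", verify_chain(tampered_copy(log)))
    print("tail dropped:", verify_chain(log.events[:-1], log.head()))
```

The chain only proves that the log the user is shown is the log that was written; it does not prove that every access was logged in the first place. That gap is exactly why the review treats the audit as a matter of trust, and it is why the latest head digest should be handed to the user (or a third party) as it is produced rather than kept solely by the operator.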
