In a move made to improve security, the team behind the OpenBSD operating system have disabled microphone-based audio recording functions in the new OpenBSD 6.4, released yesterday, October 18.
The thinking behind this decision is that OpenBSD is mostly an operating system installed on servers and research environments, systems that are almost never required to record environmental sound via built-in or attached microphones.
In many data centers or enterprise environments, system administrators often go to great lengths to prevent any surreptitious recording and will sometimes physically pull out microphones from sensitive systems. This happens quite often for air-gapped setups.
The reasoning is simple and resides in a fear that if the system gets infected with malware, attackers might use this access to record nearby conversations.
In cases where the server resides in a data center, where there's little chance of eavesdropping on nearby conversations, system administrators are just paranoid.
There have been several academic papers released in the past years that have abused microphones for various theoretical attacks, such as MOSQUITO, DiskFiltration, or Fansmitter, to list just a few. For some administrators with a broad threat model, it's better to be on the safe side of things.
But while audio recording is now disabled by default in OpenBSD 6.4, it is not a permanent setting. Server owners can still enable microphone recording by flipping a kernel flag (KERN_AUDIO_RECORD) whenever they need the feature.
Furthermore, this was also not the only security-related feature that made it into OpenBSD 6.4. The OpenBSD team also shipped support for Retpoline, a Google-developed technique for mitigating Spectre v2 attacks, which has now been enabled for clang and in assembly files on amd64 and i386 builds.
- Zero-day in popular jQuery plugin actively exploited for at least three years
- Kaspersky says it detected infections with DarkPulsar, alleged NSA malware
- Chrome, Edge, IE, Firefox, and Safari to disable TLS 1.0 and TLS 1.1 in 2020
- Microsoft JET vulnerability still open to attacks, despite recent patch
- Microsoft Windows zero-day vulnerability disclosed through Twitter TechRepublic
- These popular Android phones came with vulnerabilities pre-installed CNET
- GitHub security alerts now support Java and .NET projects
- Open source web hosting software compromised with DDoS malware