*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: gnome-screensaver

This is an enhancement request related to a low-risk security
vulnerability. Nothing serious but still would be nice to have this
implemented.

Currently you can password-protect your screen and input devices like
keyboard and mouse using the Gnome Screensaver. This is useful when you
need to leave the computer unattended for a while in a moderately
insecure environment. But the audio input/output is not locked by the
screensaver and that opens up a vulnerability.

Here is a use case.

You talk with Bob using Ekiga Softphone (an Internet telephony client).
Then you lock your computer's screen and go out for a short while. If
someone approaches your computer while you're out, they can use your
headphones and microphone and may be able to impersonate you to Bob or
hear some confidential talk that Bob intended only for you to hear.

Gnome Screensaver should have an option to control whether audio input
and output are enabled while your screen is locked.

If you are aware of the risk, an easy (albeit often inconvenient) work-
around exists: disconnect your Ekiga call before leaving — and generally
make sure that running programs neither use the audio input from the
microphone nor emit any confidential sounds. If the user doesn't have a
security mindset, however, there is a chance that she won't think of
this risk at all and will remain exposed.

Although technically it is true that if the attacker can physically
access your machine you're lost from the security point of view,
actually there are many environments (like your home or maybe your
workplace) where a screensaver lock is enough to stop casual
eavesdroppers because they are not technically competent or because they
wouldn't risk mounting a more serious attack which might involve opening
up the case, connecting suspicious devices to it, etc. After all, nobody
says that the screensaver password locking feature is _useless_. If it
is useful to some extent, so will be the feature suggested here.

Feel free to copy this suggestion to the upstream bug tracker. I just
wanted to collect some feedback here first.

** Affects: gnome-screensaver (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

** Description changed:

  Binary package hint: gnome-screensaver
  
  This is an enhancement request related to a low-risk security
  vulnerability. Nothing serious but still would be nice to have this
  implemented.
  
  Currently you can password-protect your screen and input devices like
  keyboard and mouse using the Gnome Screensaver. This is useful when you
  need to leave the computer unattended for a while in a moderately
  insecure environment. But the audio input/output is not locked by the
  screensaver and that opens up a vulnerability.
  
  Here is a use case.
  
  You talk with Bob using Ekiga Softphone (an Internet telephony client).
  Then you lock your computer's screen and go out for a short while. If
  someone approaches your computer while you're out, they can use your
  headphones and microphone and may be able to impersonate you to Bob or
- hear some confidential talk that Bob intended only you to hear.
+ hear some confidential talk that Bob intended only for you to hear.
  
  Gnome Screensaver should have an option to control whether audio input
  and output are enabled while your screen is locked.
  
  If you are aware of the risk, an easy (albeit often inconvenient) work-
  around exists: disconnect your Ekiga call before leaving — and generally
  make sure that running programs neither use the audio input from the
  microphone nor emit any confidential sounds. If the user doesn't have a
- security mindset, there is a chance that she won't think of this risk at
- all and will be leaving Ekiga running.
+ security mindset, however, there is a chance that she won't think of
+ this risk at all and will remain exposed.
  
  Although technically it is true that if the attacker can physically
  access your machine you're lost from the security point of view,
  actually there are many environments (like your home or maybe your
  workplace) where a screensaver lock is enough to stop casual
  eavesdroppers because they are not technically competent or because they
  wouldn't risk to mount a more serious attack which might involve opening
  up the case, connecting suspicious devices to it, etc. After all, nobody
  says that the screensaver password locking feature is _useless_. If it
  is useful to some extent, so will be the feature suggested here.
  
  Feel free to copy this suggestion to the upstream bug tracker. I just
  wanted to collect some feedback here first.

-- 
Gnome Screensaver should optionally disable audio input and output
https://bugs.launchpad.net/bugs/275560
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
