Shhh! Shazam is always listening – even when it's been switched 'off'

But it's totally benign, say developers

A security researcher has discovered that when the Mac version of Shazam is switched off, it simply stops processing recorded data. The recording itself continues.

The music identification service admits the behaviour but says it keeps recording purely for technical reasons.

Patrick Wardle, a former NSA staffer who heads up research at infosec biz Synack, confirmed Shazam's "always listening" behaviour following a tip-off from a user of his webcam/mic monitoring tool, OverSight [1].

This person didn't see a "Mic Off" alert when they turned off Shazam on their Mac, which prompted Wardle to do some digging.

"In short, turns out that when Shazam (macOS) is toggled 'OFF' it simply stops processing recorded data... However, recording continues," Wardle told El Reg.

Shazam lends its ears to your Mac

Wardle reached this conclusion after reverse engineering Shazam and closely examining how it worked, as detailed in a blog post. "I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc)," Wardle concluded. "However, I still don't like an app that appears to be constantly pulling audio off my computer's internal mic."

Shazam confirmed Wardle's findings that its Mac app is continually recording even when "off" but told The Register that this behaviour was benign.

For the Mac, the mic is left on for technical reasons explained below but no audio is processed, so the user's decision not to leverage our app's functionality is fully respected. As such, there is no privacy issue since the audio is not processed unless the user actively turns the app "ON". If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users "miss out" on a song they were trying to identify.

James A Pearson, VP of global communications at Shazam, added: "There is no 'recording' bug. Shazam takes user privacy very seriously. Shazam does not save or send audio samples; only digital fingerprint summaries of the audio are sent to Shazam's servers to identify media content in Shazam's databases. As always, for user privacy, the original audio cannot be reconstructed from Shazam audio fingerprints."

Shazam's techies promised Wardle that a forthcoming update would change the problematic behaviour, an assurance not contained in its statement to El Reg, which generally downplays the situation. Wardle remains at least mildly concerned.

"My whole problem with Shazam was, when I turn the app to 'OFF' I'd expect it to stop recording," Wardle said. "But instead, they continue recording – and just stop processing the data. IMHO this is not ideal as the app is still recording – it's nice of them to stop processing that data, but yah, they are still recording all the time."

This raises "valid privacy concerns" as well as creating a potential security risk, according to Wardle.

"A piece of malware could easily inject into the app and 'steal' or 'clone' that recording, without having to initiate its own recording (thus avoiding any recording alerts)," he warned.

James A. Pearson, VP Global Communications, Shazam, got in touch to say: "Contrary to recent rumors, Shazam doesn’t record anything. Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam’s database and then deleted.

"We are always sensitive to what our users experience and we respect these concerns and take them very seriously. Even though we don't recognize a meaningful risk, the company will be updating its Mac app within the next few days. Shazam has always learned from and listened to our global community. More importantly, we want our fans to always feel secure about using Shazam on a Mac Desktop." ®


[1] Separate recent research by Wardle showed how advanced Mac malware might be able to piggy-back on to legitimate webcam sessions in order to surreptitiously record the local user. OverSight was developed as a free tool to thwart this potential line of attack, as previously reported.


Biting the hand that feeds IT © 1998–2021