Google this morning unveiled a pair of new Android features for people who are deaf or hard of hearing. As the company notes in a blog post this morning, the WHO estimates that 900 million people will be living with hearing loss by 2055. The ubiquity of mobile devices — Android in particular — offers a promising potential to help open the lines of communication.
Live Transcribe is, perhaps, the more compelling of the two offerings. As its name implies, the feature transcribes audio in real time, so users with hearing loss can read text, in order to enable a live, two-way conversation. It defaults to white text on a black background, making it easier to read, and also can connect to external microphones for better results.
The feature leverages much of the company’s work in speech to text and translation. It starts rolling out today in limited beta for Pixel 3 users. It will be available in more than 70 languages and dialects.
Announced back at last year’s Google I/O, Sound Amplifier is designed to filter out ambient and unwanted noise, without boosting the volume on already loud sounds. The feature works with headphones, letting users manually adjust the settings for the right fit. That one is available now via the Play Store.
Google announced an update on Wednesday to the Stable channel of its Chrome browser that includes a fix for an exploit that exists in the wild.
CVE-2022-2856 is a fix for “insufficient validation of untrusted input in Intents,” according to Google’s advisory. Intents are typically a way to pass data from inside Chrome to another application, such as the share button on Chrome’s address bar. As noted by the Dark Reading blog, input validation is a common weakness in code.
The exploit was reported by Ashley Shen and Christian Resell of the Google Threat Analysis Group, and that’s all the information we have for now. Details of the exploit are currently tucked behind a wall in the Chromium bugs group and are restricted to those actively working on related components and registered with Chromium. After a certain percentage of users have applied the relevant updates, those details may be revealed.
Google says the update—104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows—will “roll out over the coming days/weeks,” but you can (and should) manually update Chrome now (check the “About” section of your settings).
There are 10 other security fixes included in the update. Dark Reading notes that this is Chrome’s fifth zero-day vulnerability disclosed in 2022.
A security researcher says that Apple’s iOS devices don’t fully route all network traffic through VPNs, a potential security issue the device maker has known about for years.
Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly—if contentiously—in a continually updated blog post. “VPNs on iOS are broken,” he says.
Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz’s findings with advanced router logging, can still send data outside the VPN tunnel while it’s active.
In other words, you’d expect a VPN to kill existing connections before establishing a connection so they can be re-established inside the tunnel. But iOS VPNs can’t seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020.
“Data leaves the iOS device outside of the VPN tunnel,” Horowitz writes. “This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6.”
Privacy company Proton previously reported an iOS VPN bypass vulnerability that started at least in iOS 13.3.1. Like Horowitz’s post, ProtonVPN’s blog noted that a VPN typically closes all existing connections and reopens them inside a VPN tunnel, but that didn’t happen on iOS. Most existing connections will eventually end up inside the tunnel, but some, like Apple’s push notification service, can last for hours.
The primary issue with non-tunneled connections persisting is that they could be unencrypted and that the IP address of the user and what they’re connecting to can be seen by ISPs and other parties. “Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common,” ProtonVPN wrote at the time.
ProtonVPN confirmed that the VPN bypass persisted in three subsequent updates to iOS 13. ProtonVPN indicated in its blog post that Apple would add functionality to block existing connections, but this functionality as added did not appear to make a difference in Horowitz’s results.
Horowitz tested ProtonVPN’s app in mid-2022 on an iPad iOS 15.4.1 and found that it still allowed persistent, non-tunneled connections to Apple’s push service. The Kill Switch function added to ProtonVPN, which describes its function as blocking all network traffic if the VPN tunnel is lost, did not prevent leaks, according to Horowitz.
Horowitz tested again on iOS 15.5 with a different VPN provider and iOS app (OVPN, running the WireGuard protocol). His iPad continued to make requests to both Apple services and to Amazon Web Services.
ProtonVPN had suggested a workaround that was “almost as effective” as manually closing all connections when starting a VPN: Connect to a VPN server, turn on airplane mode, then turn it off. “Your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%,” ProtonVPN wrote. Horowitz suggests that iOS’s Airplane Mode functions are so confusing as to make this a non-answer.
We’ve reached out to both Apple and OpenVPN for comment and will update this article with any responses.
Horowitz’s post doesn’t offer specifics on how iOS might fix the issue. For his part, Horowitz recommends a $130 dedicated VPN router as a truly secure VPN solution.
VPNs, especially commercial offerings, continue to be a complicated piece of Internet security and privacy. Picking a “best VPN” has long been a challenge. VPNs can be brought down by vulnerabilities, unencrypted servers, greedy data brokers, or by being owned by Facebook.
Does Google enjoy teasing and sometimes outright torturing some of its products’ most devoted fans? It can seem that way.
Tucked away inside a recent bleeding-edge Chrome build is a “Following feed” that has some bloggers dreaming of the return of Google Reader. It’s unlikely, but never say never when it comes to Google product decisions.
Chrome added a sidebar for browsing bookmarks and Reading List articles back in March. Over the weekend, the Chrome Story blog noticed a new flag in Gerrit, the unstable testing build of Chrome’s open source counterpart Chromium. Enabling that #following-feed-sidepanel flag (now also available in Chrome’s testing build, Canary) adds another option to the sidebar: Feed.