Audio recording is now disabled by default in OpenBSD
In a move made to improve security, the team behind the OpenBSD operating system have disabled microphone-based audio recording functions in the new OpenBSD 6.4, released yesterday, October 18.
The thinking behind this decision is that OpenBSD is mostly an operating system installed on servers and research environments, systems that are almost never required to record environmental sound via built-in or attached microphones.
In many data centers or enterprise environments, system administrators often go to great lengths to prevent any surreptitious recording and will sometimes physically pull out microphones from sensitive systems. This happens quite often for air-gapped setups.
The reasoning is simple: if the system gets infected with malware, attackers might use that access to record nearby conversations.
In cases where the server resides in a data center, where there’s little chance of eavesdropping on nearby conversations, system administrators are just paranoid.
Several academic papers released in recent years have abused microphones for various theoretical attacks, such as MOSQUITO, DiskFiltration, or Fansmitter, to list just a few. For some administrators with a broad threat model, it’s better to be on the safe side of things.
But while audio recording is now disabled by default in OpenBSD 6.4, it is not a permanent setting. Server owners can still enable microphone recording by flipping a kernel flag (KERN_AUDIO_RECORD) whenever they need the feature.
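For administrators who want to confirm that no host configuration quietly turns the feature back on, here is an added audit sketch (not code from OpenBSD or from the original article). It assumes the flag is exposed under the sysctl name `kern.audio.record`, that boot-time settings live in a sysctl.conf-style file, and that later lines override earlier ones; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file for the audio recording knob.
# Assumption: the kernel flag is exposed as the sysctl name kern.audio.record.
KNOB="kern.audio.record"

# Print the effective value configured in file $1 (0 when unset or unreadable).
# Comments (# to end of line) and whitespace are ignored; the last assignment
# wins, on the assumption that lines are applied in order at boot.
configured_audio_record() {
    conf="$1"
    [ -r "$conf" ] || { echo 0; return 0; }
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$conf" |
    awk -F= -v knob="$KNOB" '
        $1 == knob { val = $2 }
        END { print (val == "" ? 0 : val) }'
}

# Return 0 when recording stays disabled, 1 when the file re-enables it.
audit_audio_record() {
    val=$(configured_audio_record "$1")
    if [ "$val" = "0" ]; then
        echo "OK: $KNOB=0 (recording disabled)"
        return 0
    fi
    echo "FINDING: $KNOB=$val in $1 (recording enabled at boot)"
    return 1
}

# Constructed sample input, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# constructed sysctl.conf sample
net.inet.ip.forwarding=1
kern.audio.record=0   # default
kern.audio.record = 1 # re-enabled by a later line
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp"
audit_audio_record "$tmp" || true
rm -f "$tmp"
```

On a real host, point `audit_audio_record` at the system's own sysctl configuration file instead of the sample.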
This was not the only security-related change that made it into OpenBSD 6.4. The OpenBSD team also shipped support for Retpoline, a Google-developed technique for mitigating Spectre v2 attacks, which has now been enabled for clang and in assembly files on amd64 and i386 builds.
OpenBSD amd64 builds also received mitigations against SpectreRSB, L1TF, and Lazy FPU, three other CPU-related speculative execution attacks, while i386 builds received Meltdown mitigations.