Like any portable computing device, there are going to be questions about privacy and security. The Steam Deck is no exception. The Steam Deck has been quite popular lately, and is an interesting change up for Valve, the device’s manufacturer. The fact that the Steam Deck runs Linux has pushed the Proton project further and helps to greatly improve the quality of gaming on Linux. The Steam Deck even has a desktop mode which allows users to access a full Linux desktop environment!
All of this is pretty great in my opinion. The Steam Deck is also relatively cheap too, at $399.00 for the model with 64GB of storage.
But as I said, with any computing device, there are going to be questions about its privacy and security. So, in this blog post, I aim to explore some aspects of the Steam Deck from the perspective of user privacy.
Online Visibility
The Steam Deck doesn’t have any device specific settings for controlling how others see you online. Instead it leverages the global Steam account settings that will apply to any device that you run Steam on.
However, it isn’t exactly obvious how to access these settings from the Steam Deck itself, so let’s walk through that real quick.
The controls for online visibility and privacy settings are not found under the device’s settings menus. Instead you have to click on your Steam profile icon found in the top right corner of the status bar.
Once you do that you will be taken to a menu which has various options regarding your profile, such as “do not disturb” mode which will mute all chat notifications. You can also set your online status from here, which controls how you appear to other people. For example, I tend to keep mine set to Invisible so that I can still use chat, but I appear offline to others. From this page you can also dig into the privacy settings of your Steam account, and view and modify account details as well.
When you dive into the Privacy Settings menu, this will take you to a webpage where you can control various aspects of your Steam profile, such as whether or not your profile is public, who can view your friends and games lists, and so on.
That is really all there is with respect to managing your online privacy from the Steam Deck. The device doesn’t have any additional online features that are special to it, so the settings are the same as they would be on any device on which you were to use Steam.
Microphones
It’s hard to tell, but the Steam Deck does actually have two microphones built-in. The device doesn’t really call attention to this fact, but the Valve Steam Deck demo game ‘Desk Job’ does make use of them.
Obviously, microphones on a device are a potential privacy concern, especially since there is no hardware mute on the Steam Deck. In order to mute the microphones, you will need to go into the device Audio Settings or the Quick Settings and simply turn the mic volume slider all the way down.
One privacy concern over the microphones is that many online games will default to your mic being on in the lobby or in game. If you weren’t aware that the Steam Deck has microphones built in, then it’s possible that you could enter a game and everyone could hear you without you realizing it! So, if this is a concern for you, make sure to set the mic volume slider all the way down to mute the microphones, and only unmute them when you want to be heard. It would be a welcome feature if Valve were to implement a push-to-talk key mapping for the microphones on the Steam Deck.
Device PIN (Physical Device Security)
Any good mobile device has a lockscreen, and the Steam Deck is no different. It’s not enabled by default, but it is pretty easy to set up. Which I recommend that you do, especially given the portable nature of the Steam Deck, and the fact that Steam often has access to your bank account!
The device PIN can be considered a security and privacy control all in one. The Deck has 3 device PIN options, which you can find in the device’s security settings menu.
As you can see there are the options to set the PIN ‘On system wake and power up’, ‘Before showing login screen’, and ‘When switching to Desktop mode’. These settings do what the names imply. ‘On system wake and power up’ will prevent someone from being able to access the Deck when waking it up or powering it on without entering the PIN. (Side note: when using the device power button to lock the Steam Deck while in Desktop mode, the PIN screen will not display when waking the device up! Be mindful of this if using the Steam Deck as a personal computer and leverage the desktop OS’s locking mechanism) At a minimum you should enable this option. ‘Before showing login screen’ will cause the PIN prompt to be shown before the account login screen. The Steam Deck supports multiple steam users, however, the PIN is tied to the device, not a specific user, so all shared users of the device would need to know the PIN to access the device. Lastly, ‘When switching to desktop mode’ will prompt the user for the device PIN when attempting to switch the device to desktop mode. This is important since the desktop mode is a full fledged Linux Desktop environment, which can access any data on the system and make power-user level changes to the device’s operating system.
Lack of Drive Encryption
One additional security and privacy concern that I have is that the Steam Deck lacks any user friendly options for drive encryption. Given the portable nature of this device and the fact that some users may be using it as an affordable Linux PC in addition to a gaming device, the lack of disk encryption by default is somewhat worrisome. The portable nature of the device means that it is more likely to be stolen or lost. While the Deck does have the device PIN features, that does nothing to prevent someone from removing the M.2 SSD and simply dumping all the data off of it and then potentially stealing Steam access tokens that are on the filesystem to keep a user’s session alive, or compromising other potentially sensitive data that a user may have on the filesystem.
It’s not entirely impossible to set up disk encryption on the Steam Deck, though. After all it is a Linux PC with access to a Linux desktop environment. However, to do this a user would need to be technically savvy enough to set up disk encryption via Desktop Mode in Linux. This will leave many users without disk encryption at all.
Conclusion
The Steam Deck is an interesting device, which has helped to push Linux gaming forward. It’s an excellent portable gaming system, and an affordable Linux PC should you choose to use it as such. Overall, I would say that the Deck doesn’t pose many concerns for user privacy, but there are a few tweaks you can make to protect yourself even further. Two improvements I would like to see, however, is a push-to-talk feature for the microphones, and the option to easily enable full disk encryption from the main device settings, or even better, full disk encryption by default.
Look out for more Steam Deck content as I take a deep dive into the security of the device in future posts!
If you have any basic questions about the services we offer check out our Knowledge Center. If you’re looking for training in various application and network security topics check out our training catalog on Antisyphon. Finally, if you’re looking for a penetration test, professional training for your organization, or just have general security questions, please Contact Us.