January 11, 2014 2 Comments-
Kristian A. Bognaes, Director, Norman Safeground Development Center
- December came and went with quite a few of the expected malware attacks, data breaches, and break-ins to round the year off. I have picked a few of December’s events as examples that I find especially interesting and that may be interesting to you as well.
Android Jelly-Bean vulnerability
The company Curesec in Berlin has demonstrated a vulnerability in the Android operating system that lets an app remove the locking mechanism of a device in versions up to and including 4.3 ‘Jelly Bean’. While the exploit may not be very useful for perpetrators, it is serious enough that it has been fixed in version 4.4 of Android.
In itself, this is neither unexpected nor unusual. However, it points to another discussion that comes around frequently: the pros and cons of an open OS as opposed to a closed OS ecosystem. The top two contenders in the smartphone- and tablet markets today are Apple and Android. Apple continues to keep a rather tight control on the software that is distributed through its app store. In addition, important patches to the OS itself are automatically rolled out to all devices as needed. Android, on the other hand, is used by many different device manufacturers. Patches and updates are frequently supplied, but it is up to each manufacturer to distribute these to their users. Some vendors do this slowly, creating ‘windows of opportunities’ for various malware to exploit known weaknesses in the platform. Additionally, some manufacturers only support patching of the latest few models, leaving users of older devices in the dark. These are factors that should be considered when choosing a new tablet or phone.
MacBook camera spying
Another news story that caught my interest in December was one that points to another problem with modern computer equipment. As computers become more sophisticated, many of the devices in your computer have their own computers to do the job. This can be devices like your DVD reader, modem, camera, and even your fingerprint reader. These little computers are often firmware upgradeable, just like the BIOS in the ‘main’ computer. Malware can exploit this, and in a recent demo at Johns Hopkins University, this was demonstrated. By changing the firmware on the cameras of some older MacBook and iMac computers, it was possible to turn the built-in cameras on without turning on the little green light that tells you that you are being watched. How to solve this problem? A simple piece of tape over the lens!
Cracking encryption using computer noise emissions
The final story that was a bit out of the ordinary in December was one talking about a research paper that was just released. Scientists demonstrate how a decryption key can be picked up remotely using audio equipment and listening to the high-pitched sounds a laptop power supply makes when a computer performs the decryption operations. Each CPU operation puts a certain load on the power supply, causing it to emanate different sounds depending on what it does. The built-in microphone of a cellphone placed near the computer may be sufficient to record the key, making it possible to decrypt future ‘secure’ communication by e-mail or other means. The paper is quite technical, but the concept is nevertheless scary. It’s time to dig out your tinfoil hats, everyone!
Norman Safeground Blogs Archive