Google’s been marketing its Chrome OS as more secure than traditional PCs. And they’re right, in a sense- It is a lot more secure than your standard, run of the mill operating platform. That doesn’t mean that Chromebooks- and their users- are completely invulnerable. I’ve cautioned before against making such assumptions, and stories like this only drive home what I’ve been saying. Whitehat Security researcher Matt Johansen doesn’t believe for a second that the Chrome OS is safe or secure- and he claims he’s found evidence to prove it.
The Reuters Piece
Johansen discovered and demonstrated how a vulnerability in the operating system could be used to gain total control of a Gmail account. Though Google patched their OS and repaired the flaw immediately after it was reported, Johansen still isn’t quite satisfied. Why? Applications. Johansen believes one of the key elements of Google’s prolific cloud-based operating system it also the key to its vulnerability. He feels that there’s a rather crippling design flaw inherent in the browser, one which gives extensions completely and total access to all data stored on the cloud.
“I can get at your online banking or your Facebook profile or your e-mail as it’s being loaded in the browser” Johansen said to Reuters. “If I can exploit some kind of web application to access the data, then I couldn’t care less what is on the hard drive.”
CNet got in touch with Google after hearing about Johansen’s claims, and a Google spokeswoman confirmed that what the researcher reported was patched months ago, at the same time questioning why Chrome should be labeled as vulnerable simply because it uses extensions. She felt it wasn’t a particularly fair analysis- after all, all modern browsers run extensions. “If anything,” she told Cnet “this is more about Chrome the browser and what we do to protect extensions running in Chrome. All modern browsers run extensions, and all major computer lines support browsers. These kinds of web attacks are also valid on other browsers and devices, as even extension reviews are not foolproof.” She’s contacted the writer of the Reuters piece to ask for the proof that Johansen claims to have of Chrome’s fundamental security flaws.
Furthermore, she cited Chrome’s ‘sandboxed’ method of running extension. You know the drill by now- applications and extensions run in isolation to each other. They can’t interact with each other, and can’t access any data other than that which specifically pertains to them. Furthermore, she stated, there’s a mode on Chrome known as Incognito. Basically, only extensions explicitly allowed by the user can be run. Now, I’m going to play devil’s advocate for a moment here- yes, the applications are sandboxed. But at the same time, it’s been demonstrated multiple times that there are ways to smash the walls of the sandbox, if you will- means by which malicious software can break out of the mold and run amok through the user’s system.
To this end, Google’s been looking to find ways of tagging ‘questionable’ extensions without causing distribution difficulties for their developers.
A Question Of Security
Naturally, there are a few folks within the Whitehat organization that are looking to perform a bit of damage control on Johansen’s…rather blunt article. “The Black Hat talk (which spurred the Reuters piece) is really about how moving the OS to the cloud presents different security challenges.” said a spokeswoman for Whitehat Security. “We’re not trying to ‘call out’ Google for anything. Tell that to Johansen. I don’t deny that he raises a few good points about Chrome’s security foibles, but overall the tone of his article just seems too…well, alarmist. What’s more, it doesn’t exactly paint a pretty picture of the Chrome operating system.
I mean, yeah. Extensions do have access to a lot of data. And yes, there is the potential- I repeat, potential- for them to be abuse. But does that mean that Chrome is inherently vulnerable? Does that mean it’s any less secure than a Windows or Mac PC?
Final Thoughts: Is Chrome Secure?
“I wouldn’t say Chrome OS is ‘not secure,’ but it certainly isn’t the end-all of security issues,” Johansen said to Cnet. “All of the steps to remove access to the hard drive and all of the sandboxing that Google does are great security improvements. The part where security issues arise, other than browser exploits, which will likely come out in the future and Chrome patches frequently, is the fact that these extensions, which are mostly developed by third parties that have a permission set that sometimes is pretty wide open. All browsers and Web-based apps face similar issues with vulnerabilities. But with Chrome OS, since you can’t install software on the hard drive, extensions are the only way to add functionality outside of the browser.”
So, basically…Johansen is echoing what I’ve been saying myself- at least to a degree. While Chrome is definitely the most secure browser out there, there’s no way it’s completely invulnerable. The fact that data is all stored on the cloud means that a whole new avenue is opened up to potential attackers- even as an old avenue is shut tight before them. Furthermore, the folks who develop malware are, I hate to say it, crafty as all hell. The belief that they’ll just sit back and accept that Google’s Chrome operating system can’t be taken down is a foolish one, to say the least.
The problem with malware is that, just like the internet, it evolves. I wouldn’t be at all surprised if, once the Chromebook has picked up speed and caught on in the mainstream, we started seeing Chrome-tailored viruses and malicious software/web-apps. So, ultimately? Yes, Chrome is secure- in spite of what Johansen unintentionally implied in the Reuters article. At the same time, though….those using the Chrome platform should remember that security doesn’t equate to invincibility.
Fact is, there’ll always be a snake in the grass when it comes to the world of computing.