We are presenting a paper at SPSM next week that shows that, on average over the last four years, 87% of Android devices are vulnerable to attack by malicious apps. This is because manufacturers have not provided regular security updates. Some manufacturers are much better than others however, and our study shows that devices built by LG and Motorola, as well as those devices shipped under the Google Nexus brand are much better than most. Users, corporate buyers and regulators can find further details on manufacturer performance at AndroidVulnerabilities.org
We used data collected by our Device Analyzer app, which is available from the Google Play Store. The app collects data from volunteers around the globe and we have used data from over 20,000 devices in our study. As always, we are keen to recruit more contributors! We combined Device Analyzer data with information we collected on critical vulnerabilities affecting Android. We used this to develop the FUM score which can be used to compare the security provided by different manufacturers. Each manufacturer is given a score out of 10 based on: f, the proportion of devices free from known critical vulnerabilities; u, the proportion of devices updated to the most recent version; and m, the mean number of vulnerabilities the manufacturer has not fixed on any device.
The problem with the lack of updates to Android devices is well known and recently Google and Samsung have committed to shipping security updates every month. Our hope is that by quantifying the problem we can help people when choosing a device and that this in turn will provide an incentive for other manufacturers and operators to deliver updates.
Google has done a good job at mitigating many of the risks, and we recommend users only install apps from Google’s Play Store since it performs additional safety checks on apps. Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users. Devices require updates from manufacturers, and the majority of devices aren’t getting them.
Only slightly overdue, this post is about our recent IEEE Security and Privacy 2015 paper, CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization. We’ve previously written about how our CHERI processor blends a conventional RISC ISA and processor pipeline design with a capability-system model to provide fine-grained memory protection within virtual address spaces (ISCA 2014, ASPLOS 2015). In our this new paper, we explore how CHERI’s capability-system features can be used to implement fine-grained and scalable application compartmentalisation: many (many) sandboxes within a single UNIX process — a far more efficient and programmer-friendly target for secure software than current architectures.
I’m at Decepticon 2015 and will be liveblogging the talks in followups to this post. Up till now, research on deception has been spread around half a dozen different events, aimed at cognitive psychologists, forensic psychologists, law enforcement, cybercrime specialists and others. My colleague Sophie van der Zee decided to organise a single annual event to bring everyone together, and Decepticon is the the result. With over 160 registrants for the first edition of the event (and late registrants turned away) it certainly seems to have hit a sweet spot.
Each year we divide our masters of public policy students into teams and get them to write case studies of public policy failures. The winning team this year wrote a case study of the care.data fiasco. The UK government collected personal health information on tens of millions of people who had had hospital treatment in England and then sold it off to researchers, drug companies and even marketing firms, with only a token gesture of anonymisation. In practice patients were easy to identify. The resultingscandal stalled plans to centralise GP data as well, at least for a while.
Congratulations to Lizzie Presser, Maia Hruskova, Helen Rowbottom and Jesse Kancir, who tell the story of how mismanagement, conflicts and miscommunication led to a failure of patient privacy on an industrial scale, and discuss the lessons that might be learned. Their case study has just appeared today in Technology Science, a new open-access journal for people studying conflicts that arise between technology and society. LBT readers will recall severalpostsreporting the problem, but it’s great to have a proper, peer-reviewed case study that we can give to future generations of students. (Incidentally, the previous year’s winning case study was on a related topic, the failure of the NHS National Programme for IT.)
Today we unveil a major report on whether law enforcement and intelligence agencies should have exceptional access to cryptographic keys and to our computer and communications data generally. David Cameron has called for this, as have US law enforcement leaders such as FBI Director James Comey.
This policy repeats a mistake of the 1990s. The Clinton administration tried for years to seize control of civilian cryptography, first with the Clipper Chip, and then with various proposals for ‘key escrow’ or ‘trusted third party encryption’. Back then, a group of experts on cryptography and computer security got together to explain why this was a bad idea. We have now reconvened in response to the attempt by Cameron and Comey to resuscitate the old dead horse of the 1990s.
Our report is also highly relevant to the new ‘Snoopers’ Charter’ that Home Secretary Teresa May has promised to put before parliament this fall. Mrs May has made clear she wantsaccess to everything.
However this is both wrong in principle, and unworkable in practice. Building back doors into all computer and communication systems is against most of the principles of security engineering, and it also against the principles of human rights. Our right to privacy, set out in section 8 of the European Convention on Human Rights, can only be overridden by mechanisms that meet three tests. First, they must be set out in law, with sufficient clarity for their effects to be foreseeable; second, they must be proportionate; third, they must be necessary in a democratic society. As our report makes clear, universal exceptional access will fail all these tests by a mile.
Launched in 2010 by Per Thorsheim, Passwordscon is a lively and entertaining conference series dedicated solely to passwords. Passwordscon’s unique mix of refereed papers and hacker talks encourages a kind of cross-fertilization that I’m sure you’ll find both entertaining and fruitful.
Paper submissions are due by 7 September 2015. Selected papers will be included in the event proceedings, published by Springer in the Lecture Notes in Computer Science (LNCS) series.
In late April 2010 users of the Yahoo and Microsoft IM systems started to get messages from their buddies which said, for example: foto ☺ http://firstname.lastname@example.org
where the email address was theirs and the URL was for some malware.
Naturally, since the message was from their buddy a lot of folks clicked on the link and when the Windows warning pop-up said “you cannot see this photo until you press OK” they pressed OK and (since the Windows message was in fact a warning about executing unknown programs downloaded from the Internet) they too became infected with the malware. Hence they sent foto ☺ messages to all their buddies and the worm spread at increasing speed.
By late May 2010 I had determined how the malware was controlled (it resolved hostnames to locate IRC servers then joined particular channels where the topic was the message to be sent to buddies) and built a Perl program to join in and monitor what was going on. I also determined that the criminals were often hosting their malware on hosting sites with world-readable Apache weblogs so we could get exact counts of malware downloads (how many people clicked on the links).
Full details, and the story of a number of related worms that spread over the next two years can be found in the academic paper (and are summarised in the slides I used for a very short talk in Barcelona and a longer version I presented a week earlier in Luxembourg).
The key results are:
Thanks to some sloppiness by the criminals we had some brief snapshots of activity from an IRC channel used when the spreading phase was complete and infected machines were being forced to download new malware — this showed that 95% of people had clicked OK to dismiss the Microsoft warning message.
We had sufficient download data to estimate that around 3 million users were infected by the initial worm and we have records of over 14 million distinct downloads over all of the different worms (having ignored events caused by security monitoring, multiple clicks by the same user, etc.). That is — this was a large scale event.
We were able to compare the number of clicks during periods where the criminals vacillated between using URL shorteners in their URLs and when they used hostnames that (vaguely resembled) brands such as Facebook, MySpace, Orkut and so on. We found that when shorteners were used this reduced the number of clicks by almost half — presumably because it made users more cautious.
From early 2011 the worms were mainly affecting Brazil — and the simple “foto ☺” had long been replaced by other textual lures. We found that when the criminals used lures in Portuguese (e.g. “eu acho que é você na”, which has, I was told in Barcelona, a distinctive Brazilian feel to it) they were far more successful in getting people to click than when they used ‘language independent’ lures such as “hahha foto”
There’s nothing here which is super-surprising, but it is useful to see our preconceptions borne out not in a laboratory experiment (where it is hard to ensure that the experimental subjects are behaving quite the way that they would ‘in the wild’) but by large scale measurements from real events.
Today we unveil two papers describing serious and widespread vulnerabilities in Android mobile phones. The first presents a Security Analysis of Factory Resets. Now that hundreds of millions of people buy and sell smartphones secondhand and use them for everything from banking to dating, it’s important to able to sanitize your phone. You need to clean it when you buy it, so you don’t get caught by malware; and even more when you sell it, so you don’t give away your bank credentials or other personal information. So does the factory reset function actually work? We bought a couple of dozen second-hand Android phones and tested them to find out.
The news is not at all good. We were able to retrieve the Google master cookie from the great majority of phones, which means that we could have logged on to the previous owner’s gmail account. The reasons for failure are complex; new phones are generally better than old ones, and Google’s own brand phones are better than the OEM offerings. However the vendors need to do a fair bit of work, and users need to take a fair amount of care.
Attacks on a sold phone that could not be properly sanitized are one example of what we call a “user-not-present” attack. Another is when your phone is stolen. Many security software vendors offer a facility to lock or wipe your phone remotely when this happens, and it’s a standard feature with mobile antivirus products. Do these ‘solutions’ work?
Four years ago, Guido blocked an attempt to legislate for a central hub for medical records that would have enabled doctor A to see the records of doctor B on a simple pull model; there would have been a hub at the ministry with read access to everything. Other countries have wrestled with this problem, with greater and lesser degrees of success; for example, Norway just passed a medical data-sharing law and are starting to figure out what to build. In Britain of course we had thecare.datafiasco. And in the Netherlands, they’re revisiting the issue once more. This will become a live issue in one country after another.