
Scientists have developed a novel method that allowed them to successfully hack into Gmail with up to 92 percent accuracy. A team of researchers, including an assistant professor at the University of California, Riverside Bourns College of Engineering, has identified a weakness believed to exist in Android, Windows and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack on an Android phone.
The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested. Among the apps they easily hacked were Gmail, CHASE Bank and H&R Block. Amazon, with a 48 percent success rate, was the only app they tested that was difficult to penetrate. The researchers believe their method will work on other operating systems because they share a key feature the researchers exploited in the Android system.
The researchers believed there was a security risk with so many apps being created by so many developers. Once a user downloads a bunch of apps to their smartphone, the apps are all running on the same shared infrastructure, or operating system.
“The assumption has always been that these apps can’t interfere with each other easily,” Zhiyun Qian, of the Computer Science and Engineering Department at UC Riverside, said. “We show that assumption is not correct and one app can in fact significantly impact another and result in harmful consequences for the user.”
The attack works by getting a user to download a seemingly benign, but actually malicious, app, such as one for background wallpaper on a phone. Once that app is installed, the researchers are able to exploit a newly discovered public side channel – the shared memory statistics of a process, which can be accessed without any privileges.
The researchers monitor changes in shared memory and are able to correlate changes to what they call an “activity transition event,” which includes such things as a user logging into Gmail or taking a picture of a check so it can be deposited online.
Augmented with a few other side channels, the authors show that it is possible to fairly accurately track in real time which activity a victim app is in.
There are two keys to the attack. One, the attack needs to take place at the exact moment the user is logging into the app or taking the picture. Two, the attack needs to be done in an inconspicuous way. The researchers did this by carefully calculating the attack timing.
Posted by : Gizmeon