Number: IRCNE2014082297
Date: 2014-08-23
According to “zdnet”, US researchers have discovered a flaw which may exist across Android, Windows, and iOS operating systems, and could allow popular services such as Gmail to become compromised.
Security experts from the University of California Riverside Bourns College of Engineering and the University of Michigan identified a weakness believed to exist in all of the above operating systems, which could allow a cyberattacker to steal sensitive data through malicious applications.
The weakness was tested through an Android smartphone, but the researchers claim the method could be used across all of the platforms -- as each OS shares a similar feature: the ability for applications to access a mobile device's shared memory. However, no tests have yet been conducted on other systems.
The attack works through a user downloading a seemingly harmless application, such as background wallpaper. Once installed, the researchers were able to exploit a newly discovered public side channel, the shared memory of a process, which can be accessed without permissions or app privileges.
Changes within the shared memory are then monitored, and these changes are correlated with what the team calls an "activity transition event." In other words, when a user is actively using an app, for example, to log into Gmail or take a picture of a cheque so it can be deposited online via Chase Bank, activity changes are noted.
There are two stages to this attack: firstly, the attack needs to take place in real time, such as the moment when the user is logging into Gmail. Secondly, the hack needs to be done so it is undetectable by the user -- which can be achieved through good timing.
The method used to exploit the flaw was successful "between 82 percent and 92 percent of the time" on six of the seven apps tested. Among the applications that were successfully infiltrated were Gmail, Chase Bank and H&R Block.Attacks on Gmail were successful 92 percent of the time, as were attacks on H&R Block.
The only app that was difficult to penetrate was Amazon, with a 48 percent success rate.
- 2