The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Chromebook - A New Class of Risks

Costin Raiu
Kaspersky Lab Expert
Posted May 12, 12:53  GMT
Tags: Google

We are certainly living in interesting times. It was less than a week ago that a rumor appeared that Apple is going to switch to ARM processors for its next generation of laptops.

Obviously, this has very interesting implications for the future of computing and seems to indicate the increasing need for a computing platform that uses less power and that can be used for a day without the need for charging.

Earlier today, Google surprised the world by announcing the Google Chromebook – a netbook (huh, aren’t netbooks dead?) computer concept, built for now by Samsung and Acer around the Atom N750 CPUs. With 2GB of RAM and 16GB of SSD storage, the specifications are somehow low-end, however, this might not be a problem because as Google says in their promo, the web has more storage space than any computer. The price, when these will be available, is believed to be in the range of $400-$500.

When I saw the announcement, I thought to myself – why would anybody ever buy something like this?

Low end hardware, more expensive than other netbooks and definitively not as attractive as an iPad? Follow me on Twitter

Obviously, the answer here is in the “cloud”. Google Chrome OS is the first commercially available consumer cloud-centric OS. It is designed around the concept of “expendable” terminals that you can lose, drop or simply throw away without fear of losing your data, which is safely stored into the cloud. From this point of view, the operating system could get damaged or even infected with malware and all you have to do is to reinstall it and re-authenticate with the cloud storage to get exactly the same computing experience as before the crash. Here, I would like to make a mention about the “infected with malware” part. Interesting, Google’s promo claims “it doesn’t need virus protection”.

Sadly, this claim comes at a pretty bad time, since the French company VUPEN Security having announced only a few days ago that they’ve cracked the security protections build by Google into Chrome and are now able to infect a computer through a malicious page when it’s browsed.

Of course, some might say, “even if I get infected, I’ll just reinstall, put back my credentials and bye bye virus!”. I agree that is absolutely true – Chrome OS has been designed in such a way that it’s extremely resilient to modifications and has a good self healing capability.

Several years ago, I wrote an article saying that malware evolves based on three conditions:

• When hardware and operating system evolve (eg. Windows 95 killed boot viruses)
• When security defenses change (eg. firewalls killed network worms)
• When people start using computers in a different way (eg. Social networks)

With the Chromebook, we have an interesting case, when all these three conditions are met. It’s a (somehow-)new operating system, it has new security defenses into place (self healing, updates) and it’s used in a different way – the data is not on the computer but in the cloud.

So, what can we expect from a security point of view? Obviously, with all your data being available into the cloud, in one place, available 24/7 through a fast internet link, this will be a goldmine for cybercriminals. All that is necessary here is to get hold of the authentication tokens required to access the cloud account; this is actually already happening with malware that has become “steal everything” in the past years. Although the endpoint is now more secure, the situation is that the data is in a more risky place and it will be much easier to silently steal it.

Most of the attacks nowadays focus on infecting the machine and then hiding the presence of the malware for as much time as possible to intercept banking transactions or credit card numbers.

With Cloud centric OS’es, the race will be towards stealing access credentials, after which, it’s game over. Who needs to steal banking accounts, when you have Google Checkout? Or, who needs to monitor passwords, when they’re all nicely stored into the Google Dashboard?

Of course, this could seem a bit gloomy, but these problems are inherent to any Cloud-centric OS. Earlier today, I got asked by a friend– “How is Chrome OS from a security point of view, better or worse?”. I answered, “It’s better, but much worse”.


Oldest first
Threaded view

Dmitry Bestuzhev

2011 May 12, 17:22

I'm just thinking about another PSN but now on Google :)
Definitely not all people would be ready to share all their data with Google Cloud, I wouldn't do it.


Debojyoti Das

2011 May 12, 17:42


Exactly. If PSN could be hacked, so could be Google. I don't want to sound cynical, but I think the Chromebook will have it's own share of problems. Not to mention it's just a matter of time when we see major security vendors making security "apps" for the Chrome Store. And then again there's the data access thing. Google is tied by international laws to pass data of any "accused" to the government/ruling body. And doesn't that mean cloud storage=life of a person? Now I am not talking about being criminal, but well there are several sadistic rulers out there in the world where Google operates. I also happen to think that the Chromebooks failure would be mostly related to unavailablity of 3G/Wifi networks than security, not to mention, if you want to live on the cloud, 100MB/month=one atom in a gallon of matter. One needs data caps of say 100GB/month, with HD videos, Flash games eating bandwidth at exponential rates. Not to mention, why spend on Chromebook when iPad3 is on the way..., and the Chrome store is so behind the App Store. Between, doesn't the Macbook Air look more chic?


Claudiu Francu

2011 May 19, 13:41

Yes and no!

Sorry, but i'm not convinced about that video yet.
From my point of view, VUPEN has not showed yet if that POC calc.exe had/hadn't chrome.exe as a parent process.
From all i know, they could have loaded that calc.exe with a keyboard shortcut, or whatever. They failed to show the most important thing for me.

Don't get me wrong: i'm not saying that DEP+ASLR+sandbox isn't exploitable, i'm just saying that the VUPEN video didn't convinced me yet.

On topic:
Costin, you're right: when the cloud goes down, EVERYTHING goes down! And unfortunately this is the new trend :(

If you would like to comment on this article you must first

Bookmark and Share