Analyst Argues Against Google's Chrome OS Security Promises

Google made a couple of bold statements about its upcoming Chromebook that have certainly excited consumers, particularly the promise of an end to security hassles. In the Chromebook launch announcement, Google claimed that “Chromebooks have many layers of security built in so there is no anti-virus software to buy and maintain. Even more importantly, you won’t spend hours fighting your computer to set it up and keep it up to date.” Sounds nice, right? Well, Trend Micro’s security consultant Rik Ferguson vigorously disagrees, claiming that the search giant risks repeating the same security mistakes Apple made.

The Google Chrome OS, which will be featured on Chromebooks from Samsung and Acer in June, touts a number of different security features, including process sandboxing (which keeps apps from interfering with each other), automatic updating, and a reversion to the most recent safe state when problems are detected. Plus, every app that runs on the Chrome OS will run in the browser, with the exception of browser plug-ins. But Ferguson warns that this spotless environment can’t last long, as Google has offered a Chrome OS SDK (software development kit) to create native apps, which, he says, is the gateway to malware.

The sandboxing feature is meant to keep bad apps from infiltrating the rest of the system, but Ferguson suggests that sandboxing can’t keep everything safe. “Exploits that break out of sandboxing have already been demonstrated for Internet Explorer, for Java, for Google Android, and of course for the Chrome browser, to name a few,” Ferguson said. “While the Google sandbox is effective, it is not impenetrable and to rely on it for 100 percent security would be short-sighted.”

Ferguson maintains that Google’s engineering work is praiseworthy, but questions how Google could assume that a new OS would put an end to security woes. In fact, Ferguson refers to the shift to the cloud as merely “moving the goalposts” for scammers. Attackers will begin to focus on stealing authentication keys rather than data on a compromised device. “If I can infect you for one session and steal your keys, well then I’ll get what I can while I’m in there and then continue accessing your stuff in the cloud; after all, I’ve got your keys now, I don’t need your PC anymore,” Ferguson writes.

This isn’t to say that Google’s forthcoming Chromebooks won’t be wildly popular and successful, or that the OS will have more security issues than any other platform, but rather a friendly reminder that attackers innovate at the same rate as manufacturers. Security will likely always be a concern, until there are no more bad guys in the world, and to ignore such a thing is (in the words of Ferguson) “short-sighted.”

[via The Register]