Google Chromebook - a new class of security risks

Summary: Costin Raiu argues that Google's coming Chromebook computer concept presents an interesting new set of security problems, especially as it relates to cloud computing.

Guest editorial by Costin Raiu

We are certainly living in interesting times. It was less than a week ago that a rumor appeared that Apple is going to switch to ARM processors for its next generation of laptops.

Obviously, this has very interesting implications for the future of computing and seems to indicate the increasing need for a computing platform that uses less power and that can be used for a day without the need for charging.

Earlier today, Google followed up by announcing the Google Chromebook – a netbook (huh, aren’t netbooks dead?) computer concept, built for now by Samsung and Acer around the Atom N750 CPUs. With 2GB of RAM and 16GB of SSD storage, the specifications are somewhat low-end; however, this might not be a problem because, as Google says in their promo, the web has more storage space than any computer. The price, when these become available, is believed to be in the range of $400-$500.

When I saw the announcement, I thought to myself – why would anybody ever buy something like this?

Low-end hardware, more expensive than other netbooks and definitely not as attractive as an iPad?

Obviously, the answer here is in the “cloud.” Google Chrome OS is the first commercially available consumer cloud-centric OS. It is designed around the concept of “expendable” terminals that you can lose, drop or simply throw away without fear of losing your data, which is safely stored in the cloud. From this point of view, the operating system could get damaged or even infected with malware and all you have to do is reinstall it and re-authenticate with the cloud storage to get exactly the same computing experience as before the crash. Here, I would like to comment on the “infected with malware” part. Interestingly, Google’s promo claims “it doesn’t need virus protection”.

Sadly, this claim comes at a pretty bad time, since the French company VUPEN Security announced only a few days ago that they’ve cracked the security protections built by Google into Chrome and are now able to infect a computer through a malicious page when it’s browsed.

[ Google Chrome hacked with sophisticated exploit ]

Of course, some might say, “even if I get infected, I’ll just reinstall, put back my credentials and bye bye virus!”. I agree that is absolutely true – Chrome OS has been designed in such a way that it’s extremely resilient to modifications and has a good self healing capability.

Several years ago, I wrote an article saying that malware evolves based on three conditions:

  • When hardware and operating system evolve (e.g., Windows 95 killed boot viruses)
  • When security defenses change (e.g., firewalls killed network worms)
  • When people start using computers in a different way (e.g., social networks)

With the Chromebook, we have an interesting case in which all three of these conditions are met. It’s a (somewhat-)new operating system, it has new security defenses in place (self healing, updates) and it’s used in a different way – the data is not on the computer but in the cloud.

So, what can we expect from a security point of view? Obviously, with all your data available in the cloud, in one place, reachable 24/7 through a fast internet link, this will be a goldmine for cybercriminals. All that is necessary here is to get hold of the authentication tokens required to access the cloud account; this is already happening with malware that has become “steal everything” in the past few years. Although the endpoint is now more secure, the data is in a riskier place and it will be much easier to silently steal it.

Most of the attacks nowadays focus on infecting the machine and then hiding the presence of the malware for as long as possible to intercept banking transactions or credit card numbers.

With cloud-centric OSes, the race will be towards stealing access credentials, after which it’s game over. Who needs to steal banking accounts, when you have Google Checkout? Or, who needs to monitor passwords, when they’re all nicely stored in the Google Dashboard?
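
The token theft described above leaves the endpoint looking clean, so the place to spot it is the provider's access records, where a stolen token turns up on a device it was not issued to. The following is an added example, not part of the original article; the log format, field names and sample records are constructed assumptions. It flags tokens presented from a second device and ignores a mere change of network.

```python
import json

# Constructed sample of cloud-side access records (not real data).
# Field names (ts, user, token_id, device_id, asn) are assumptions.
SAMPLE_LOG = """
{"ts": "2011-05-12T08:00:05Z", "user": "alice", "token_id": "t-1001", "device_id": "cb-a1", "asn": 64500}
{"ts": "2011-05-12T12:30:00Z", "user": "alice", "token_id": "t-1001", "device_id": "cb-a1", "asn": 64511}
{"ts": "2011-05-12T09:15:00Z", "user": "bob", "token_id": "t-2002", "device_id": "cb-b7", "asn": 64500}
truncated-record
{"ts": "2011-05-12T09:47:31Z", "user": "bob", "token_id": "t-2002", "device_id": "unknown-9f", "asn": 64999}
{"ts": "2011-05-12T09:48:02Z", "user": "bob", "token_id": "t-2002", "device_id": "unknown-9f", "asn": 64999}
"""

def parse_records(log_text):
    """Return well-formed records in timestamp order, skipping malformed lines."""
    records = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            records.append((rec["ts"], rec["user"], rec["token_id"], rec["device_id"]))
        except (ValueError, KeyError, TypeError):
            continue  # blank, truncated or non-object line
    return sorted(records)  # ISO-8601 UTC strings sort chronologically

def find_token_replay(log_text):
    """Return one alert per token first seen on a device other than its original one.

    A roaming user keeps the same device_id while the network (asn) changes,
    so only a device change is treated as a sign the token was copied.
    """
    issued_to = {}  # token_id -> device that first presented it
    alerts = {}     # (token_id, device_id) -> earliest alert for that pair
    for ts, user, token, device in parse_records(log_text):
        original = issued_to.setdefault(token, device)
        if device != original and (token, device) not in alerts:
            alerts[(token, device)] = {
                "user": user, "token_id": token, "issued_to": original,
                "seen_on": device, "first_seen": ts,
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_token_replay(SAMPLE_LOG):
        print("revoke", alert["token_id"], "for", alert["user"], alert)
```

Reinstalling the OS does nothing to a token that has already been copied, so the response to an alert is revoking the token on the provider side.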

Of course, this could seem a bit gloomy, but these problems are inherent to any cloud-centric OS. Earlier today, I got asked by a friend – “How is Chrome OS from a security point of view, better or worse?”

I answered, “It’s better, but much worse.”

* Costin Raiu is the Director of Kaspersky Lab’s Global Research & Analysis Team (GReAT). See Ryan Naraine's disclosure.


Talkback

62 comments
  • Not sure how Google can claim this is safe

    A malicious extension or other addon can certainly get into the browser through a security flaw in Java, Flash, or some native hole, and just steal a bunch of passwords in realtime with a keylogger. Since Google tracks everything in the address bar, it wouldn't take much to steal that info either - just redirect the address bar keystrokes to another site and you can instantly track any user, keystroke by keystroke.
    Joe_Raby
    • Again, the switch to the cloud is on, with or without ChromeOS.

      It is much better to access cloud applications from a secure computer rather than an insecure computer. The security problems related to the cloud are all centered around accessing cloud applications from Windows. The number of attack vectors for Windows computers is an order of magnitude greater than just about anything else.
      DonnieBoy
      • Sorry, but that's just wrong

        @DonnieBoy

        Chrome OS is still that: an OS, running locally on the hardware. It still has a Linux kernel, which is not immune to attacks, nor is the browser. And you have a user in front of the screen, which is 100% of the reason why social engineering attacks work. You same people that say that Chrome OS is totally safe were the same ones that said that Linux is immune to malware. Parrot it all you want. We know how well that worked for Android....
        Joe_Raby
      • Fixing social engineering is another problem. But, you still need a secure

        OS. ChromeOS is not just another Linux kernel either, there are a number of important changes to make it more secure and sandbox everything possible. It is ridiculous to say that because there are other security problems, the security of the OS does not matter.
        DonnieBoy
      • RE: Google Chromebook - a new class of security risks

        @DonnieBoy

        Keep bailing out the boat Donnie, it might not sink!
        tonymcs@...
      • Security changes in Linux? Don't make me laugh.

        @DonnieBoy

        Google said the same thing about Android.

        Speaking about Linux, where is the source code documenting all of these changes? Oh, that's right! Google doesn't want to play fair in the FLOSS arena.

        Also, this statement makes absolutely no sense: "It is ridiculous to say that because there are other security problems, the security of the OS does not matter". With that single statement you not only contradict yourself, but you also prove my point for me.
        Joe_Raby
      • Dear Donnie

        @DonnieBoy

        Lordy - these posts would be so much more informative and interesting if you would just unplug your keyboard. Nothing personal, you're entitled to your opinion. Just wish it wasn't so "anti MS" and on every topic - every article!

        I'm disabled and spend a lot of time using my computer. I enjoy and learn from a lot of the posts, but - the flamers and trolls really take the joy and educational benefit out of it! Makes me wonder if some of the posters on here even have a life away from the monitor?
        ncironman
  • What BS - Steven J vaughn nichols said this IS

    THE Windows killer the world's been waiting for so anything negative is just a bunch of BS from Google Haters!
    Will Pharaoh
    • RE: Google Chromebook - a new class of security risks

      @Will Pharaoh
      I personally want a Macbook air.... but you go ahead with Google... that's why competition works and it creates choices for everyone.
      Hasam1991
      • Hey, Macbook Air is great too, if you have the money.

        NT.
        DonnieBoy
      • I was being sarcastic

        @Hasam1991
        I'd take a MBA over this any day of the week! That's worth the money at least.
        :)
        Will Pharaoh
      • RE: Google Chromebook - a new class of security risks

        @Hasam1991 I think Will Pharaoh is being sarcastic.
        statuskwo5
    • RE: Google Chromebook - a new class of security risks

      @Will Pharaoh lol
      jessiethe3rd
  • RE: Google Chromebook - a new class of security risks

    Yet Google fanboys are all over this, condemning anyone who isn't ready to throw all our dataz at Google with open arms.

    This is exactly why ChromeOS won't take off. I for one would NOT trust my data at all to someone who has been hacked before in a high profile case.

    Should they be hacked again, and with people's data stored on their servers, which means people will try, it's game over. You lose everything.
    The one and only, Cylon Centurion
    • People are switching to the cloud WITH OR WITHOUT ChromeOS. The problems

      with cloud computing are centered on people accessing applications from a Windows computer. Period.
      DonnieBoy
      • The problem here is that you follow Google blindly

        @DonnieBoy
        toeing the company line without understanding the risks involved.

        The risk to business and people is with the Google option, period.
        Will Pharaoh
      • Google is NOT the cloud, just one provider. You can use ChromeOS without

        using Google services.
        DonnieBoy
      • RE: Google Chromebook - a new class of security risks

        @DonnieBoy Okay let's just agree with you for a second... the cloud is the future. What compelling things does Google bring to the table? Security? No - that's already been proven to be false just in this blog article. What "killer" application.... or rather... what "value" do we get? Also, who in their right mind is going to cut off their nose to spite their face? This is a play toy concept with hopes of grandeur... let's be honest here.

        Google figures it's going to invest its way into the PC space and carve out a niche. With their ability to retain customers, their roadmap of product failures, and their inability to retain search marketshare Larry and Co are in for some interesting times.... I don't think they have a chance in hell.
        jessiethe3rd
      • RE: Google Chromebook - a new class of security risks

        @DonnieBoy
        "People are switching to the cloud WITH OR WITHOUT ChromeOS." and rebuttal...
        People are not switching to the cloud WITH OR WITHOUT ChromeOS.

        I for one will not use Google for anything as I don't believe in their business practices on collecting data and cramming adverts in your face every chance they get. Never been a fan of commercials nor stupid ads on the net. Another thing in their privacy statement sums up that say for instance you had an idea or an invention... If you email it out over Google they have the right to your idea as theirs and can patent it and leave you out of it 100%... Sound fair? I think not. Also the need for a network connection? Nah... I like to do things at my convenience. Put all my eggs in one basket and leave it out in traffic hoping it never gets run over? Again I think not. Using half assed web apps dumbed down with limited capabilities and requirement to be online at all times being tracked on all levels? Nope again I think not. If anything cloud brings compatibility to the web but giving up all your data and rights is out of the question for most. I will be laughing when the next solar flare hits and knocks out cell towers radio signals and every fool gets to sit there and enjoy nothing as the cloud has thus evaporated. At least with a real computer I can still do everything offline ;)

        Also... "Google is NOT the cloud, just one provider. You can use ChromeOS without using Google services."

        How so? ChromeOS is web dependent, What is the point of buying a 400-500 dollar netbook with a crap OS that depends on the internet when you can get a netbook at 400-500 dollars that is not web dependent and does cloud and can play games like SC2 if you wanted and runs Windows? Sounds like there is really no savings from Google's offerings.
        audidiablo
      • Tell that to the Sony Gamers

        @DonnieBoy ... who lost info from the cloud without a Windows computer in front of them. In fact, no user necessary. I don't trust other people with MY DATA!!!
        tjbud