Archive
The future of spyware – 3D visual maps
Years ago, when broadband first arrived, security experts warned of the dangers inherent in ‘always on’. That danger has increased exponentially with the rise of smartphones and their always-on sensors and cameras. Now a new proof of concept demonstrates the potential of 3D mobile spyware.
‘Proofs of concept’ (POCs) are developed by researchers to demonstrate what could be done in the future, in order to aid legitimate new development and to help anti-malware vendors produce defenses against less legitimate developments. What a new paper from researchers at the US Naval Surface Warfare Center in Crane, Indiana, and scientists from the University of Indiana demonstrates is spyware science fiction come true: a 3D visual map of the victim’s environment.
“We introduce,” say the researchers, “a proof-of-concept Trojan called ‘PlaceRaider’ to demonstrate the invasive potential of visual malware beyond simple photo or video uploads.” The paper describes an Android app (but suggests the concept will work equally well on iOS and Windows Phone), which it calls PlaceRaider, and “which we assume is embedded within a Trojan Horse application (such as one of the many enhanced camera applications already available on mobile app market places).” This app can then secretly and silently take photographs via the Android phone, and send them back to a C&C server for 3D processing.
PlaceRaider does three things. It collects orientation data from the Android’s sensors (“related to the accelerometers, gyroscopes, or magnetometers that a phone possesses”) in order to easily relate different photographs. It then surreptitiously takes photographs – in this case, one every 2 seconds. To remain unnoticed, it uses low resolution (so as to not use too much of the phone’s power), and temporarily mutes the shutter sound while the photo is taken. Finally, it uses a special algorithm to judge the quality of the photographs, discarding poor ones and transmitting the good ones.
Back at the main server, the received photos are compiled and used to construct a 3D map of the target’s location. Subsequent tests with volunteers showed that recognition of ‘points of interest’ is much higher from the 3D map than from static photos. However, since the original photos are of low resolution, further capabilities allow the attacker to use the orientation data to instruct the phone to take and transmit a high-resolution photo on demand – perhaps an open cheque book, or exposed documents.
What SpaceRaider does…
But after locating the low-res target, you instruct the phone to take a new high res pic…
The attraction of such spyware for both intelligence agencies and criminals is obvious – but the report also shows that there are easy defenses that the OS and hardware manufacturers could implement: making it impossible to mute the shutter sound, introducing permissions for collecting data from the sensors, and ensuring that photos can only be taken by physical interaction with the user. Furthermore, “There is no logical motivation for users to intentionally take poor-quality photos that have any combination of improper focus, motion blur, improper exposure, or unusual orientations/twist” – making heuristic detection of PlaceRaider by the anti-malware vendors a distinct probability.
PlaceRaider: Virtual Theft in Physical Spaces with Smartphones
Hat tip to Daniel Gyenesse for pointing me to the story
A Microsoft-made tablet? Big mistake
Microsoft once ruled a roost that is now dominated by that great cock, Apple. Apple dwarfs all other technology – in fact, all – companies. And Microsoft is jealous.
Apple’s secret is that it owns both the hardware and the software; and is a must-have brand. Microsoft owns only the software; and for many is a must-not-have brand. None of this is written in stone.
But Microsoft’s solution is just plain wrong. It is planning to build its own tablet, to compete with the iPad and Android.
This would be a mistake. Microsoft should remember its roots (software) and its history (it destroyed IBM’s PC-DOS, and the IBM PC, by making MS-DOS available to any and all hardware manufacturers; but made none itself). Google has learnt this lesson. Android is the antithesis – and possibly the ultimate nemesis – of iOS. It is open, cheap, and available to all hardware manufacturers.
Microsoft’s latest plan for its own tablet will merely hasten its own demise. Already, MS-fanboy Acer has said, “If Microsoft is going to do hardware business, what should we do? Should we still rely on Microsoft, or should we find other alternatives?” There’s some sort of advice here: if you want to rule the roost, don’t shit in your own hen-house.
My news stories on Infosecurity Magazine, 6/7 June 2012
My news stories yesterday and today:
Meet DDSpy, the new Android spyware
NQ Mobile has issued an alert on new phone-home Android spyware it calls DDSpy – ready and waiting with an interface for GPS uploading for future development.
07 June 2012
Bieber Hackers and the Anonymous image problem
Anonymous is engaged in a war against the abuse of authority. This concept has general appeal. But the very structure of Anonymous, and the inevitable internecine strife, means it will likely lose the battle for ‘hearts and minds’.
07 June 2012
LinkedIn leak: The next chapter
Yesterday it emerged that LinkedIn, a social network for business and professionals, has been hacked – and 6.5 million hashed passwords have been posted to the internet.
07 June 2012
Flame: why was it missed for so long?
While the in-depth analysis of Flame continues, and we learn more and more about its intricacies and capabilities, one question remains: why did the AV industry fail to spot it earlier?
06 June 2012
Google warns users about state-sponsored attacks
Eric Grosse, Google’s VP security engineering, has announced that the company will start to display a warning banner for users it believes may be subject to state-sponsored attacks.
06 June 2012
EU Regulation on eSignatures Proposed
On bank holiday Monday 4 June, the European Commission adopted a proposal for a Regulation ‘on electronic identification and trust services for electronic transactions in the internal market’.
06 June 2012
