I had just begun to think that Apple had usurped the title of Evil Empire from Microsoft when I heard about Microsoft’s patent application for a system designed “to regulate the presentation of content.” Just another digital rights management system you might think. Well, not quite.
Filed a year ago but only just now coming to media attention, this is spyware of a new magnitude. While you watch the screen, the screen watches you. And in some detail. It counts how many viewers are present. If there are more viewers than are licensed to view, it takes ‘remedial action’. What this is remains to be seen. It could simply prevent any further showing of the content – although it could equally report the matter to the content police. It could pop up a message on the screen. “Will two of you please leave the room. Close the door behind you – and don’t slam it!”
It also estimates the age of the viewers. Youngsters can be prevented from viewing adult material. Presumably, Muslims could be prevented from watching the Innocence of Muslims (or anything similar); and the Amish from watching anything (although the beards could lead to confusion between the two).
Should we worry? Yes: that any company could even dream that such a thing is acceptable is a deep concern. Expect it in a few years' time, because Hollywood will love it, and governments love Hollywood's cash-strewn lobbying.
Years ago, when broadband first arrived, security experts warned of the dangers inherent in ‘always on’. That danger has increased exponentially with the rise of smartphones and their always-on sensors and cameras. Now a new proof of concept demonstrates the potential of 3D mobile spyware.
‘Proofs of concept’ (POCs) are developed by researchers to demonstrate what could be done in the future, in order to aid legitimate new development and to help anti-malware vendors produce defenses against less legitimate developments. What a new paper from researchers at the US Naval Surface Warfare Center in Crane, Indiana, and scientists from the University of Indiana demonstrates is spyware science fiction come true: a 3D visual map of the victim’s environment.
“We introduce,” say the researchers, “a proof-of-concept Trojan called ‘PlaceRaider’ to demonstrate the invasive potential of visual malware beyond simple photo or video uploads.” The paper describes an Android app (but suggests the concept will work equally well on iOS and Windows Phone), which it calls PlaceRaider, and “which we assume is embedded within a Trojan Horse application (such as one of the many enhanced camera applications already available on mobile app market places).” This app can then secretly and silently take photographs via the Android phone, and send them back to a C&C server for 3D processing.
PlaceRaider does three things. It collects orientation data from the Android phone's sensors ("related to the accelerometers, gyroscopes, or magnetometers that a phone possesses") in order to easily relate different photographs to one another. It then surreptitiously takes photographs – in this case, one every 2 seconds. To remain unnoticed, it uses low resolution (so as not to use too much of the phone's power), and temporarily mutes the shutter sound while the photo is taken. Finally, it uses a special algorithm to judge the quality of the photographs, discarding poor ones and transmitting the good ones.
Back at the main server, the received photos are compiled and used to construct a 3D map of the target’s location. Subsequent tests with volunteers showed that recognition of ‘points of interest’ is much higher from the 3D map than from static photos. However, since the original photos are of low resolution, further capabilities allow the attacker to use the orientation data to instruct the phone to take and transmit a high-resolution photo on demand – perhaps an open cheque book, or exposed documents.
The attraction of such spyware for both intelligence agencies and criminals is obvious – but the report also shows that there are easy defenses that the OS and hardware manufacturers could implement: making it impossible to mute the shutter sound, introducing permissions for collecting data from the sensors, and ensuring that photos can only be taken by physical interaction with the user. Furthermore, “There is no logical motivation for users to intentionally take poor-quality photos that have any combination of improper focus, motion blur, improper exposure, or unusual orientations/twist” – making heuristic detection of PlaceRaider by the anti-malware vendors a distinct probability.
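The heuristic the report points at can be sketched as on-device detection logic. This is an added example, not code from the paper or from PlaceRaider: it assumes a hypothetical monitor that logs each camera capture with its resolution, a blur metric, exposure result, orientation, whether the shutter was muted and whether the user physically triggered it, and it flags runs of silent, low-resolution, mostly poor-quality captures at a steady cadence. The thresholds and sample logs are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Capture:
    """One camera capture as a hypothetical on-device monitor might log it."""
    t: float              # seconds since boot
    width: int
    height: int
    sharpness: float      # 0 (blurred) .. 1 (in focus); assumed metric
    exposure_ok: bool
    tilt_deg: float       # deviation from upright orientation
    shutter_muted: bool
    user_initiated: bool  # tied to a physical tap or button press


def is_poor_quality(c: Capture) -> bool:
    """Blur, bad exposure or an odd orientation: the cues the paper names."""
    return c.sharpness < 0.4 or not c.exposure_ok or abs(c.tilt_deg) > 45


def flag_covert_capture(captures: List[Capture], window_s: float = 60.0,
                        min_count: int = 8, poor_ratio: float = 0.5) -> bool:
    """Return True when some run of min_count captures within window_s
    seconds were all silent and not user-initiated, all low resolution,
    and mostly poor quality. Thresholds are constructed, not the paper's."""
    caps = sorted(captures, key=lambda c: c.t)
    for i in range(len(caps) - min_count + 1):
        run = caps[i:i + min_count]
        if run[-1].t - run[0].t > window_s:
            continue
        silent = all(c.shutter_muted and not c.user_initiated for c in run)
        low_res = all(c.width * c.height <= 640 * 480 for c in run)
        poor = sum(is_poor_quality(c) for c in run) / len(run)
        if silent and low_res and poor >= poor_ratio:
            return True
    return False


# Constructed sample logs. COVERT mimics a 2-second cadence of muted,
# low-resolution, mostly blurred captures; LEGIT is a user taking a few photos.
COVERT = [Capture(100 + 2 * i, 320, 240, 0.2 if i % 3 else 0.8, i % 4 != 0,
                  60.0 if i % 2 else 5.0, True, False) for i in range(10)]
LEGIT = [Capture(500 + 15 * i, 3264, 2448, 0.9, True, 2.0, False, True)
         for i in range(3)]

if __name__ == "__main__":
    print("covert log flagged:", flag_covert_capture(COVERT))  # True
    print("legit log flagged:", flag_covert_capture(LEGIT))    # False
```

Any one cue alone (a muted shutter, a blurred frame) is normal; the detection value comes from the combination and the cadence, which is what the paper's observation about poor-quality photos rests on.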
Hat tip to Daniel Gyenesse for pointing me to the story.
My news stories today:
Flaming Hack: What does ‘Flame’ mean for the rest of us?
We’ve all heard about Flame, the ‘mother of all cyberweapons’, the attack tool that takes cyberwarfare to a new level. But what does it actually mean for the rest of us?
30 May 2012
Neelie Kroes Promises champagne connection – for the wealthy
Neelie Kroes, European Commissioner for the Digital Agenda, has promised a champagne connection for those who can afford it.
30 May 2012
Assange’s appeal fails: extradition lawful – everything left to play for
By a majority of 5 to 2 (Lord Mance and Lady Hale dissented) the UK supreme court has this morning ruled that Julian Assange’s extradition to Sweden is lawful, “and his appeal against extradition is accordingly dismissed.” Assange was not present in court.
30 May 2012