Google's newly announced Chromebook poses some interesting security concerns, as it protects the endpoint while leaving the data vulnerable to attackers, a Kaspersky Lab expert said.
Announced at Google I/O conference on May 11, the Chromebook is a Chrome OS-based netbook that stores all the information in the cloud. There is no local storage, so all apps are also cloud-based. The hardware is pretty low-end, with 2 GB of memory and 16 GB of SSD storage wrapped around Atom N750 CPUs.
The Chromebook user would save the data on the cloud, so if anything happens to damage the machine, the user can just re-install the operating system or get a new netbook, connect online, and have everything back to normal immediately. Google is betting that detaching data from the physical machine would improve security.
A friend asked Costin Raiu, director of the Global Research & Analysis Team at Kaspersky Lab, "How is Chrome OS from a security point of view, better or worse?"
"It's better, but much worse," Raiu said, noting that it is now easier for attackers to steal data. Cyber-attackers just need to steal the authentication tokens required to access the cloud account, according to Raiu.
It's ironic, because the entire point of the Chromebook is to keep hackers away from the user's computer. If the users are saving all their pictures, music, video and other files on Google's cloud servers, there is no need to worry about accidentally downloading malware designed to steal information. Since there is no way to install an app, there is no need to worry about keyloggers stealthily stealing passwords to banking sites.
However, that doesn't mean attackers won't go after the cloud, itself. The recent attacks on Sony's PlayStation Network proved that cloud servers are not immune from attacks, according to Raiu.
Google's promotional video claimed, "It doesn't need virus protection," which is a dangerous promise to make, according to Raiu. Most attackers nowadays focus on infecting computers with malware designed to intercept login credentials or sensitive information. With cloud-centric operating systems, attackers just need to steal the access details to the cloud. Once that is done, "it's game over" for users, Raiu said.
Recent security incidents have shown that users remain highly susceptible to phishing scams where they are tricked into entering their login credentials into a malicious site. Having all the user's data in one place on the cloud is "a goldmine for cyber-criminals" that's just a phishing attack away, according to Raiu.
"Who needs to steal banking accounts, when you have Google Checkout? Or, who needs to monitor passwords, when they're all nicely stored into the Google Dashboard?" Raiu said.
Yes, the endpoint is now more secure but the data is in a more risky place. Since users remain highly vulnerable, "it will be much easier to silently steal" data, Raiu said.
Chromebook is probably the safest operating system around, with its built-in self-healing capabilities, but Google's no antivirus claim sounds very similar to what Apple has been saying about the Mac OS for years. Because Apple has done such a good job convincing users that Macs can't get infected, attackers who are beginning to develop malware for the Mac OS X know that their victims are not likely to have an antivirus installed.
There's no need to challenge the attackers to go after the Chrome OS with a similar, misguided boast.