Google is famous for its search engine and popular web services such as Gmail and YouTube. Many are not aware of how the company is involved in shaping the world of cybersecurity. For one, the company helped Apple become more secure by poking holes in the latter’s OS security, in effect providing a cyber threat assessment that tests the defenses built into macOS and iOS.
On the other hand, Google released a new open-source 2FA security key platform. The company also updated the iOS Smart Lock app to provide an exciting new feature.
Google Helping Apple
Apple recently released critical security updates for the different versions of its operating systems. These updates include patches to address 32 common vulnerabilities and exposures (CVEs), around a third of which were discovered by Google’s Project Zero.
Project Zero is a group of security analysts hired by Google to search for zero-day vulnerabilities in software. These are the bugs typically exploited by state-sponsored hackers, criminals, and the intelligence units of governments. The team reported 11 of the 32 CVEs in Apple’s OS. In contrast, Apple’s in-house team is credited with only 1 of these CVEs.
These new common vulnerabilities and exposures are separate from the five iPhone exploit chains reported by Project Zero in August 2019. In that case, Google’s Threat Analysis Group (TAG) spotted a small group of hacked websites that were used to carry out indiscriminate watering hole attacks using the iPhone 0-day. TAG documented five separate, unique, and complete exploit chains on iPhones running iOS 10 and more recent versions of the mobile OS, up to iOS 12. These findings suggest that there had been a concerted effort to hack iPhone users for quite some time.
Apple is asking all its users to install the corresponding software updates to avoid security problems. The security patches have been available since January 8, 2020. Interestingly, Apple is able to strengthen its software’s security with the help of its competitor, Google.
The Google-Discovered Vulnerabilities
Several of the OS CVEs covered by the most recent Apple software update are known to enable cyber attackers to obtain considerable control over devices. They can allow hackers to terminate systems and execute arbitrary code with system privileges.
One notable security issue discovered by Google is referred to as CVE-2020-3842. This vulnerability is present in the High Sierra, Mojave, and Catalina versions of macOS. It is a dangerous security flaw that allows cybercriminals to run arbitrary code with kernel privileges. It is attributed to a memory corruption problem.
Meanwhile, Google found many Bluetooth bugs, one of which is CVE-2019-18634, which is associated with a buffer overflow issue. It grants hackers the ability to create configurations that make arbitrary code execution possible.
Another Bluetooth-related critical problem found by Google’s team is a memory corruption issue that tricks macOS into executing code after viewing a malware-laden JPEG image file. There’s also one CVE that facilitates the reading of restricted memory.
Google’s New 2FA Security Key Platform
Google has released a multi-factor authentication security key platform designed to enable hobbyists and hardware manufacturers to build security keys of their own. This new Google project is called OpenSK, which supports the FIDO U2F and FIDO2 standards.
To clarify, OpenSK does not replace the 2FA system available on Google accounts. Already released on GitHub, it is a different product that contains firmware written in the Rust systems programming language.
OpenSK runs on TockOS, an operating system intended for the operation of multiple concurrent IoT devices. Google selected TockOS as the operating system because its sandboxed architecture readily allows the separation of the drivers, the security key applet, and the kernel, a separation vital for building defenses.
Google decided to create OpenSK as an open-source project to allow various developers to produce their own security keys. With this, they can help counter the exponentially growing number of security breaches worldwide.
iOS Smart Lock Update
Google’s latest update for the iOS Smart Lock app brings to the iPhone a useful feature that has already been on Android phones for months. This update makes it possible to replace a physical security key with a phone (an iPhone).
The new iOS Smart Lock feature allows users to set up their phones’ built-in security key to provide two-factor protection for their Google accounts. In other words, Google account owners who use 2FA protection can sign in to their accounts without the need for an SMS code. They can use their iPhones (with the updated iOS Smart Lock installed) as the second factor for authentication.
Not purely software-based, the new iOS Smart Lock feature uses the Secure Enclave, a separate processor inside of most iPhones, which handles biometric information. This allows the software to identify and associate a Google account with a specific person.
The addition of this new feature brings iPhones to Google’s Advanced Protection Program, which affords greater security to people who tend to be more at risk of having their data breached online. Journalists, politicians, business executives, celebrities, and others who are usually targeted by attackers can take advantage of this new feature without the need to buy separate security keys.
Google’s cybersecurity developments don’t only benefit the direct users of Google’s products and services. The company works with other players in the tech industry to pursue genuine improvements in security systems. The decision to introduce an important Android feature to iOS devices is a welcome development.
It’s important to emphasize, however, that end-users must heed the calls of companies like Google and Apple to keep their software up-to-date and to use advanced protection like 2FA. Otherwise, vulnerability corrections and other security upgrades don’t mean anything.