
I'm blowing the whistle – Chromebooks have a serious security flaw, and Google knows it

AFP via Getty Images

We have a cybersecurity crisis – yet nobody seems to care. Every week it seems there’s a new hack in the news. If these were buildings rather than software systems collapsing, things would be dramatically different. If it turned out that construction companies had been using sub-par materials, there would be calls for prosecution. Yet in computer security, sub-par construction happens all the time without anyone batting an eyelid.

Tech executives dress up these irresponsible decisions in the language of “accepting risk”. Yet it is not their own risk they are accepting, but that of their users – and without our knowledge or consent.

Execs “accept risk” when the time or money it would take to get software right is greater than they would like. They accept risk because they know that the only consequences of things going wrong will be a bad press day, and maybe some associated costs; because they know that they’ll be fine, even if their users won’t.

Users have neither the time nor the ability to audit the security of every system and service they use. Meanwhile, security engineers fear being fired for blowing the whistle on a serious security problem, despite the fact that firing them for doing so is illegal. Yet as a former Google engineer who was already fired for what I believe was attempting to organise my workplace, I suppose I have little to lose.

Today I am disclosing a bug that my former employer has refused to fix. With physical access to a Google Chromebook with default settings, even a hacker without technical skills can easily discover where the laptop has been.

This bug exists because Chromebooks log the names of the WiFi connections they pick up, and in a way that’s readable from guest mode. This means an attacker could combine publicly-available WiFi location data with a small amount of programming knowledge to place pins on a map of everywhere the Chromebook has been. (If you want to be secure until Google decides this bug is serious enough to fix, disable guest mode).
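The mapping step described above, shown as an added example that is not part of the original article and not Google's or Chrome OS's code. The log line format, the sample log, and the location table are all constructed for this illustration (real public WiFi geolocation datasets are keyed on the access point's BSSID as well as its SSID, which is why the example treats SSID-only matches with care):

```python
"""Turn a device log of nearby WiFi network names into map pins.

Everything below is constructed for this example: the log format is an
assumption, and LOCATION_DB is a stand-in for a public WiFi geolocation
dataset, not a real one.
"""
import re

# Constructed sample of a device log that records nearby network names.
SAMPLE_LOG = """\
2023-01-04 08:12:03 wifi: scan result ssid="HomeNet-5G"
2023-01-04 08:12:03 wifi: scan result ssid="xfinitywifi"
2023-01-04 09:40:17 wifi: scan result ssid="CoffeeHouse_Guest"
2023-01-04 09:40:17 wifi: scan result ssid="xfinitywifi"
2023-01-04 13:05:44 wifi: scan result ssid="Library Public"
2023-01-04 13:05:45 wifi: scan result ssid="UnknownNet42"
2023-01-04 18:30:02 wifi: scan result ssid="HomeNet-5G"
"""

# Constructed stand-in for a public geolocation dataset: SSID -> list of
# (latitude, longitude) sightings. A carrier SSID that appears in many
# cities gets several entries and so cannot be placed from its name alone.
LOCATION_DB = {
    "HomeNet-5G": [(51.5014, -0.1419)],
    "CoffeeHouse_Guest": [(51.5033, -0.1195)],
    "Library Public": [(51.5194, -0.1270)],
    "xfinitywifi": [(40.7128, -74.0060), (34.0522, -118.2437), (41.8781, -87.6298)],
}

# Matches the constructed line format: "<date> <time> wifi: scan result ssid="...""
LOG_RE = re.compile(r'^(\S+ \S+) wifi: scan result ssid="([^"]*)"$')


def parse_sightings(log_text):
    """Return an ordered list of (timestamp, ssid) pairs found in the log."""
    sightings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            sightings.append((m.group(1), m.group(2)))
    return sightings


def build_pins(log_text, location_db, max_candidates=1):
    """Map logged SSIDs to coordinates.

    Returns (pins, ambiguous, unknown):
      pins      - list of (timestamp, ssid, lat, lon) for SSIDs with a unique fix
      ambiguous - SSIDs with more than max_candidates known locations
      unknown   - SSIDs absent from the location table
    A given SSID is reported once per timestamp; a repeat at the same
    timestamp is merged so the map is not cluttered with duplicate pins.
    """
    pins, ambiguous, unknown = [], set(), set()
    seen = set()
    for ts, ssid in parse_sightings(log_text):
        if (ts, ssid) in seen:
            continue
        seen.add((ts, ssid))
        candidates = location_db.get(ssid)
        if candidates is None:
            unknown.add(ssid)
        elif len(candidates) > max_candidates:
            ambiguous.add(ssid)
        else:
            lat, lon = candidates[0]
            pins.append((ts, ssid, lat, lon))
    return pins, sorted(ambiguous), sorted(unknown)


if __name__ == "__main__":
    pins, ambiguous, unknown = build_pins(SAMPLE_LOG, LOCATION_DB)
    for ts, ssid, lat, lon in pins:
        print(f"{ts}  {ssid:20s}  {lat:.4f}, {lon:.4f}")
    print("ambiguous (name seen in many places):", ambiguous)
    print("unknown (not in the location table):", unknown)
```

Run as-is, the sample log yields four timestamped pins, one ambiguous name and one unknown name. The point for a practitioner is that the attack needs nothing more than a text parser and a lookup table; the only real obstacle is SSID ambiguity, and a dataset keyed on BSSIDs removes even that.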

Google has known about this issue for years; when I tried to bring it to their attention again last year, I was told the threat is low-risk because an attack would require physical access to the laptop. Yet the bug presents endless potential risks: for someone experiencing domestic abuse, for example, the ability to easily track one’s previous locations could be life-threatening.

Google’s slowness to act epitomises the company’s double standards. The company has a team called Project Zero, whose job is to find bugs in software, both Google’s own and third parties’. When the team finds a bug, it gives the company responsible ninety days before making the bug report public. Yet Google taking years to fix a critical bug in its own software is just another example of how the company sees itself as above the rules to which it holds the rest of the world. Google isn’t special – security must mean security for all.

If companies will not act, the rest of the industry must. Writing codes of practice for the internet would only go so far. Of course, we should define the minimums with which a company must comply. The EU’s GDPR and California Consumer Privacy Act (CCPA) are steps in the right direction, and I look forward to seeing them strengthened and applied – not only to online privacy, but also to online security. Regulators will continue to trail developments in technology for the foreseeable future – yet one thing they can do is give tech whistleblowers like me more protection under the law (something I’m incredibly happy to see Maine senatorial candidate Ross LaJeunesse include in his tech reform agenda).

There have been nights where I’ve sat alone, trying to understand what to do with a security bug; other times when I’ve been threatened for trying to report one. Yet security engineers and researchers can’t be expected to speak out alone – they must know that when they do, they will have a community behind them.

Google has said they do not comment on claims, but will endeavour to investigate the matter further.
