9 July 2015

CUHK Engineering Professors Revealed Sweeping Security Loopholes in Mobile Devices and Social Media

Research teams from the Department of Information Engineering at The Chinese University of Hong Kong (CUHK) have recently revealed serious security loopholes in Android devices and social media. The findings, which were presented at the ACM Conference on Computer and Communications Security 2014 and Black Hat USA 2014, have drawn wide attention in the research community, industry and media.

Security Loophole in Android Voice Assistant 

Prof. ZHANG Kehuan, Assistant Professor, Department of Information Engineering, and his research team have identified a serious vulnerability in the Android built-in voice assistant module. Zero-permission malware installed on a user's smartphone could bring Google Voice Search to the foreground and play voice commands in the background. Through the voice feedback from Google Voice Search, a remote attacker could steal a user's private data without being noticed. This attack method bypasses the Android permission protection mechanism. It is estimated that over 550 million Android phone and tablet users are under threat.

Professor Zhang’s team found that the zero-permission malware, named VoicEmployer, once installed on a user's device, could invoke the Voice Dialer mode of Google Voice Search even when the device is locked with a password. Through voice dialing commands, VoicEmployer can make phone calls to arbitrary numbers. The attacker can even send voice commands to make the victim's device send SMS or email messages and to steal the user's private data (such as voicemail, calendar, location, etc.). For example, the attacker can send the voice command ‘what is my next meeting?’ and Google Voice Search, after recognizing the command, may give voice feedback such as ‘your next calendar entry is ...’.

Professor Zhang said, ‘We have reported this vulnerability and the corresponding attack schemes to the Google Security Team. The problem has been partly fixed in the subsequent versions of Google Voice Search. We suggest that smartphone users use applications provided by the official stores only and not install applications from untrusted sources.’

Security Problems in Authentication Protocol of Social Media 

Prof. LAU Wing-cheong, Associate Professor, Department of Information Engineering, and his graduate students, HU Pili and YANG Ronghai, have revealed a series of security problems with the design, implementation and practical deployment of the Open Authentication protocol (OAuth 2.0), which is widely adopted by various online social networks (OSN) worldwide. By exploiting the vulnerabilities, hackers can pass themselves off as application developers and harvest personal data from over 100 million users within a short period of time.

The OAuth 2.0 protocol has been widely adopted by OSN providers since its inception. Professor Lau’s team has recently discovered that it is vulnerable to the so-called App impersonation attack due to its provision of multiple authorization flows and token types. Based on their study of 12 major OSN providers, the team found that App impersonation via OAuth 2.0, when combined with additional application-programming interface (API) design features or deficiencies, will enable large-scale exploitation and privacy leaks. For example, it becomes possible for an attacker to completely crawl an OSN with more than 100 million users within a short period of time and harvest data such as status lists and friend lists, which are expected to be private information.

Professor Lau’s team has developed an automatic testing tool, OAuthTester, to systematically test the safety levels of various applications and social media. The team found that OAuth-related vulnerabilities are widespread. Professor Lau said, ‘Our findings show that it is urgent for industrial practitioners to review their OAuth system design to protect users’ privacy. We have informed all the affected OSN providers and proposed solutions that can be readily deployed.’

CUHK Named World’s Most Impactful Research Institution in Telecoms 

CUHK has recently been named by Thomson Reuters as one of the 10 research institutions in the world with the most impact on telecommunications. Amongst US and European universities, it is the only Asian institution on the list. The recognition was given to the 10 institutions with the highest citation impact (their research papers being the most highly cited by peers, thereby indicating global influence) from 2004 to 2014. Details of the ranking are available in Thomson Reuters’ global innovation report ‘The Future Is Open: 2015 State of Innovation’.

CUHK embarked on telecommunications research in 1970 when former Vice-Chancellor Prof. Charles KAO founded the Department of Electronic Engineering. Professor Kao was the innovator of the groundbreaking optical fibre communication that changed the world, and at the same time, he built a long-term research strategy at CUHK focusing on electronic engineering as well as information and communications technologies. Today, the departments of Electronic Engineering and Information Engineering are making great strides in both the theory and applications of telecommunications and network research, including but not limited to fibre-optic communications, wireless communications, network coding and network security.

Prof. LAU Wing-cheong (left) and Prof. ZHANG Kehuan revealed sweeping security loopholes in mobile devices and social media.