Apple patent filing reveals method to curb Web browser UI spoofing using real-time camera images

“The U.S. Patent and Trademark Office on Thursday published an Apple patent filing for an anti-spoofing method in which camera output, as well as data from other on-board sensors, are used to change a browser’s GUI in real-time,” Mikey Campbell reports for AppleInsider.

“As Apple’s iOS and Mac computing devices become more popular among mainstream consumers, the company has faced a number of security threats attempting to garnish sensitive user information. A new patent application discovered on Thursday addresses a specific type of Web-based attack called spoofing,” Campbell reports. “Apple’s filing for a ‘Graphical user interface element incorporating real-time environment data’ is an attempt to deal with nefarious code that can ‘spoof,’ or mimic, a Web browser’s graphical user interface. In such cases, the malicious creator can redirect a user to another spoofed webpage, tricking them into giving up personal data, like usernames, passwords and credit card numbers.”

Campbell reports, “To address the threat, Apple has devised a system which uses a device’s various on-board sensors, including cameras, ambient light sensors and microphones, among others, to constantly update a browser’s GUI — sometimes referred to as ‘chrome’ — with real-time environment data.”

Read more in the full article here.

[Thanks to MacDailyNews Reader “Lynn Weiler” for the heads up.]

6 Comments

  1. The idea of using the in-built camera to create pseudo reflections of your room to be shown on the parts of the web site that are ‘chrome plated’ certainly sounds interesting, but although I’ve read the report a couple of times, I still don’t understand how the genuine site can display these real-time pseudo reflections while a spoof site can’t.

    Can anybody explain?

    1. It’ll project an image of what’s behind you (a watermark of sorts) onto the webpage. The patent states that this will only work if the spoofed webpage doesn’t have access to your iSight camera.

      1. Yes I read that, but don’t understand how this acts as a security system.

        If the genuine site can access the camera to overlay the image, then why can’t the spoof site? Alternatively, if the overlay is performed by the browser, why can’t the spoof site overlay it too?

        I would add that it’s a pretty cool idea (albeit somewhat skeuomorphic), but fail to understand the security implications.

  2. Having read the article, I think I can offer the following…
    The camera is the most obvious port of call, but in order for the spoof to work, other elements of the device have to be accessed in real time, for which a workaround is or would be extremely difficult to achieve.
    So you have spoofed the camera; you next need to spoof the gyroscope in order to maintain the spatial location of the device, followed by spoofing the accelerometer in order to correctly image the movement of the device using 3D axes, and then you have to have access to the device’s ID information. Having achieved all of that, each of these components has a code it transmits that is identified by the device as Apple hardware and therefore to be accepted; think Bonjour, think the ID chip on all the Thunderbolt cables, think secure vaults onboard the processing chips, then think, “How do I overcome all of those defences?”

  3. Just a guess, but I imagine you would have to approve the real site beforehand — say when you are signing up with your bank’s web site. Then later when someone tries to spoof the web page, it is obvious that it is not the real site even though it may look identical.

    You can do something similar with a password utility like 1Password: save the site with your username and password and use it to log in to the real site each time. Then if someone spoofs the site to trick you into logging in, 1Password won’t be able to do it because the URL will not match the real site’s URL.
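The origin-matching defence this comment describes, written out as an added example (it is not code from the article, from Apple, or from 1Password). A vault entry records the origin (scheme, host and port) the credential was saved for, and autofill is offered only when the current page's origin is identical. The vault contents and the `.example`/`.test` hostnames below are constructed placeholders, and `pageOrigin` and `credentialFor` are names chosen for this illustration.

```javascript
// Added example: a minimal autofill gate keyed on page origin.
// A look-alike page on another host, a subdomain trick such as
// "bank.example.evil.test", a userinfo trick such as "bank.example@evil.test",
// or the same host served over plain http all fail the exact-origin check,
// however convincing the page looks.

// Constructed sample vault (placeholder origins and secrets, not real data).
const VAULT = [
  { origin: "https://bank.example", username: "alice", password: "placeholder-1" },
  { origin: "https://shop.example", username: "alice", password: "placeholder-2" },
];

// Reduce a page URL to its origin ("scheme://host[:port]", default port omitted).
// Returns null for malformed URLs and for anything that is not http(s).
function pageOrigin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  return parsed.origin;
}

// Return the vault entry that may be filled into the page at `url`, or null.
// Matching is on the full origin, never on a substring of the hostname.
function credentialFor(url, vault = VAULT) {
  const origin = pageOrigin(url);
  if (origin === null) return null;
  return vault.find((entry) => entry.origin === origin) ?? null;
}

// Stand-alone demonstration of the check on a few constructed URLs.
function demo() {
  const urls = [
    "https://bank.example/login",               // genuine: filled
    "https://bank.example.evil.test/login",     // look-alike subdomain: refused
    "https://bank.example@evil.test/login",     // userinfo trick: refused
    "http://bank.example/login",                // downgraded scheme: refused
    "https://bank.example:8443/login",          // different port: refused
  ];
  return urls.map((u) => [u, credentialFor(u) !== null]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [u, filled] of demo()) console.log(filled ? "fill   " : "refuse ", u);
}
```

The point of the exact-origin comparison is that it is decided from the URL bar's data rather than from anything the page renders, so a spoofed page cannot influence it; an implementation that matched on "hostname contains bank.example" would be defeated by the subdomain case above.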
