Google's hackers shame Samsung and others into fixing security flaws

A team of hackers devoted to making the Internet more secure is tasked with finding bugs and pressuring companies to fix them to protect users.

Rich Pedroncelli/AP
With its new SmartThings Internet-connected hub announced recently, Samsung is expanding its lineup of "Internet of things" devices, such as the SmartTV.

A team of Google's hackers devoted to making the internet more secure reported Monday that it has found 11 security issues on the Samsung Galaxy S6 Edge, Samsung’s latest and popular smart phone.

The team, called “Project Zero,” wrote on its blog, “Overall, we found a substantial number of high-severity issues.”

The hackers found that the Galaxy allowed apps to access a phone user’s contacts, photos, and other data without the user’s permission; get access to private data just by sending the phone user a text message or email; and for apps that are supposed to have access to only some of a user’s email functions (like forwarding a link to a friend) to access all email functions (like forwarding all of your emails to the app maker).

All but three of the 11 flaws have now been fixed. 

“A week of investigation showed that there are a number of weak points in the Samsung Galaxy S6 Edge,” Google said.

Google cares about security of Samsung phones because they run on Google’s open-source operating system, called Android. Since the company can’t directly control the security of Samsung’s phones, it wanted to test Samsung to see how easily it could hack the Galaxy and compromise user information.

Former Google security researcher Morgan Marquis-Boire explained the thinking behind this type of testing to Wired magazine shortly after the launch of Project Zero in 2014, “It’s a major source of frustration for people writing a secure product to depend on third party code," he said.

To hack the Galaxy, Google launched a week-long hacking competition between the North American and European members of Project Zero, with a few Google security specialists in the mix.

Google also wanted to see how quickly Samsung would fix the bugs, the company said. The search giant gives companies 60 to 90 days to fix bugs before resorting to publicly shaming them on its blog.

Samsung still has three bugs to fix, Google says on its blog, though the leftovers are not the most threatening flaws to users.

Project Zero was named for what computer security experts call a “zero-day” threat, a severe security flaw that software makers or antivirus vendors don't yet know about, but which the bad guys might already be exploiting. It's named for the amount of time software and antivirus companies have to fix the problem – none. 

You should be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” Google wrote in its announcement of the project in July 2014.

And it means it. Security experts at Google have found security flaws in Adobe Flash and Microsoft Office apps; antivirus software; Apple’s iOS, OSX and Safari; and its own Chrome operating system, according to Wired.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.