It sounds like a plot hook for a sci-fi thriller: Attackers take over security safeguards and then use the compromised guardians to break into facilities and engage in theft, sabotage or both. But according to some security researchers, this isn’t just a fictional Hollywood scenario. Popular antivirus software used by thousands of enterprises and millions of individual users is potentially vulnerable to attack.
Because these attacks take control of software that runs with high privileges precisely so it can inspect everything on the system, the attackers can disable or blind other protective measures and cover their tracks. They can even use the security tools themselves to do further damage, such as infecting other systems. Unlike many threat vectors, these attacks do not depend on end-user mistakes: antivirus software inspects incoming files automatically, so a malicious file need only reach the system, not be opened by anyone.
Antivirus Software Draws Intelligence Agency Interest
The good news, according to Lucian Constantin at InfoWorld, is that there is no direct evidence — so far — that antivirus solutions have been used in attacks. If such attacks have taken place, they were small in scale and avoided detection. But security researchers warned that such strikes are possible.
Both the U.S. National Security Agency (NSA) and British intelligence agencies are known to have examined popular commercial antivirus software packages to look for ways they could break into systems protected by these packages, The Intercept reported. It stands to reason that other international intelligence agencies, some with reputed ties to cybercrime groups, are also actively examining antivirus software for potential vulnerabilities.
The major cybersecurity firms that market these tools are well aware of the potential risks to and from their products. “Attacks on security researchers and security vendors could be a future trend in information security,” Vyacheslav Zakorzhevsky of Kaspersky Lab told InfoWorld. “However, we do not believe these will be widespread attacks.”
Sed Quis Custodiet Ipsos Custodes?
But who will guard the guards themselves? As this Latin proverb suggests, the security challenges of safeguarding protective systems are not new. In fact, they are inherent in the nature of security measures.
Security guards need passkeys, which means that one way for the bad guys to get hold of those keys is to steal them from a guard. In the same way, security software must run with high-level permissions: it reads every file, hooks into the operating system and can delete or quarantine whatever it decides is malicious. In fact, most of the familiar Hollywood tricks for getting past the guards have their cyber equivalents, from simply taking out a guard (disabling the software) to dressing up in a guard uniform and issuing fake instructions (abusing the software's system permissions so that its own privileged actions are turned against the system it protects).
This basic challenge is inherent to antivirus protection. Because the software must parse a wide variety of incoming data and file types (executables, archives, documents, scripts), each with its own parser, and because it is built from multiple internal components that hand data to one another, it has a large attack surface, and most of that surface is exposed to untrusted input while running with high privileges. A single parsing bug is therefore not a crash in some sandboxed viewer but a privileged foothold, and the software can be attacked in many ways at many points.
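The following toy scanner illustrates the point above. It is an added, constructed example and not code from any antivirus product: it parses a hypothetical length-prefixed chunk format (one tag byte, one length byte, then the payload) the way a file-format parser inside a scanner would, first trusting the length field and then checking it. The format, the MAX_PAYLOAD limit and the sample inputs are all assumptions made here for illustration.

```c
/* Added illustration: a toy scanner parsing an untrusted, length-prefixed
 * chunk format. Constructed example; not taken from any antivirus product.
 * Hypothetical layout: [tag:1][len:1][payload:len], repeated to end of file. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAYLOAD 64   /* assumed fixed-size working buffer */

/* Constructed sample inputs. */
const uint8_t SAMPLE_GOOD[]      = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 }; /* two chunks */
const uint8_t SAMPLE_OVERLONG[]  = { 0x01, 0xFF, 'x' };  /* len 255 > MAX_PAYLOAD */
const uint8_t SAMPLE_TRUNCATED[] = { 0x01, 0x10, 'a' };  /* len 16 but only 1 byte left */
const uint8_t SAMPLE_NO_HEADER[] = { 0x01 };              /* header cut off */

/* Vulnerable form: trusts the length byte from the file. A len larger than
 * the bytes remaining reads past the input, and a len larger than MAX_PAYLOAD
 * overflows the stack buffer. In a scanner running with system privileges that
 * is privileged code execution reachable simply by getting the file scanned.
 * This function is only ever called on well-formed input below. */
int scan_chunks_unchecked(const uint8_t *data, size_t n)
{
    int chunks = 0;
    size_t i = 0;
    while (i + 2 <= n) {
        uint8_t len = data[i + 1];
        uint8_t payload[MAX_PAYLOAD];
        memcpy(payload, data + i + 2, len);   /* no bound on len at all */
        (void)payload;
        chunks++;
        i += 2 + (size_t)len;
    }
    return chunks;
}

/* Hardened form: every value derived from the file is checked against what is
 * actually available before it is used. Returns the chunk count, or -1 for a
 * malformed file, which a scanner should treat as suspicious rather than as a
 * reason to crash. */
int scan_chunks_checked(const uint8_t *data, size_t n)
{
    int chunks = 0;
    size_t i = 0;
    while (i < n) {
        if (n - i < 2)
            return -1;                        /* truncated header */
        uint8_t len = data[i + 1];
        if (len > MAX_PAYLOAD)
            return -1;                        /* larger than our buffer */
        if ((size_t)len > n - i - 2)
            return -1;                        /* claims bytes the file lacks */
        uint8_t payload[MAX_PAYLOAD];
        memcpy(payload, data + i + 2, len);   /* now provably in bounds */
        (void)payload;
        chunks++;
        i += 2 + (size_t)len;
    }
    return chunks;
}

int main(void)
{
    printf("good (unchecked):  %d chunks\n", scan_chunks_unchecked(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("good (checked):    %d chunks\n", scan_chunks_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("overlong:          %d\n", scan_chunks_checked(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    printf("truncated payload: %d\n", scan_chunks_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("no header:         %d\n", scan_chunks_checked(SAMPLE_NO_HEADER, sizeof SAMPLE_NO_HEADER));
    return 0;
}
```

The difference between the two functions is three comparisons, but a real scanner contains hundreds of parsers of this kind, each of them reachable by any file that lands on the machine and each of them running with the privileges the whole product needs. That is what "large attack surface" means in practice.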
Protecting Against Attacks
Some security researchers questioned whether the whole idea of security based on endpoint protection, which is what antivirus software provides, is obsolete in the modern world of richly interconnected systems. Others argue that much security software is flawed because its components are not adequately sandboxed, that is, the parts that parse untrusted input are not isolated in low-privilege processes, so a bug in one parser hands over the whole system rather than just that component.
But it is not clear that sandboxing is practical for complex security packages. A scanner that had to hand every file through multiple isolated, self-protecting components might end up so slow that it would grind everything to a halt, making it unusable.
Other security researchers argued that antivirus software is just one layer of protection and perhaps more important to individuals and small businesses than to enterprises that have the resources, including human resources, to deploy other types of protective measures. For nearly all users, installing software updates and patches, including updates to the antivirus software itself, is the single most important security measure.
The fact is that antivirus software is indeed one layer of protection, not a complete security solution in itself. The security risks it poses are not peculiar to those tools but are inherent in any security system powerful enough to protect you. Effective security comes from being proactive, building in multiple levels of protection from the ground up and taking nothing for granted.