The research summary is a brief overview of interesting scholarly work.
The big idea
Organizations’ failure to properly manage the servers they rent from cloud service providers can allow attackers to receive private data, as research my colleagues and I conducted have shown.
Cloud computing allows businesses to rent servers the same way they rent office space. It’s easier for businesses to build and manage mobile apps and websites when they don’t have to worry about owning and managing servers. But this way of hosting services poses security problems.
Each cloud server has a unique IP address that allows users to connect and send data. Once an organization no longer needs this address, it is given to another customer of the service provider, possibly with malicious intent. IP addresses change hands as often as every 30 minutes when organizations change the services they use.
When organizations stop using a cloud server but fail to remove references to the IP address from their systems, users may continue to send data to that address, thinking they are talking to the original service. Because they trust the service that previously used the address, users’ devices automatically send sensitive information such as GPS location, financial data, and browsing history.
An attacker can take advantage of this by “squatting” the cloud: claiming IP addresses in an attempt to receive traffic destined for other organizations. The rapid renewal of IP addresses leaves little time to identify and fix the problem before attackers start receiving data. Once the attacker controls the address, they can continue to receive data until the organization discovers and fixes the problem.
Our study of a small fraction of cloud IP addresses revealed thousands of companies potentially leaking user data, including data from mobile apps and ad trackers. These apps initially intended to share personal data with businesses and advertisers, but instead leaked data to anyone who had control over the IP address. Anyone with a cloud account could collect the same data from vulnerable organizations.
why is it important
Smartphone users share personal data with companies through the apps they install. In a recent survey, researchers found that half of smartphone users were comfortable sharing their location through smartphone apps. But the personal information users share through these apps could be used to steal their identity or damage their reputation.
Personal data has seen increasing regulation in recent years, and users can be content to trust the companies they interact with to follow these regulations and respect their privacy. But these regulations may not sufficiently protect users. Our research shows that even when companies intend to use data responsibly, poor security practices can leave that data at the mercy.
Users should be aware that when they share their private or personal data with companies, they are also exposed to those companies’ security practices. They can take steps to reduce this exposure by reducing the amount of data they share and with how many organizations they share it.
What other research is being done in this area
Academics and industry are focused on responsible collection of user data. A recent push by Google aims to reduce the collection of users’ personal data by mobile ads, ensuring that their security and privacy are protected.
At the same time, researchers are working to better explain what apps do with the data they collect. This work aims to ensure that the data users share with apps is used the way they want by matching permission prompts with actual app behavior.
We research new technologies on smartphones and devices to ensure they protect user data. For example, research by a colleague of mine describes an approach to protecting personal data collected by smart cameras. Our perspective on public cloud traffic also enables new studies of the Internet as a whole. We continue to work with cloud providers to ensure that user data stored in the cloud is secure and introduce techniques to prevent businesses and their customers from being victimized on the cloud.
This article by Eric Pauley, PhD student in computer science and engineering, Penn State, is republished from The Conversation under a Creative Commons license. Read the original article.