Can law firms put a price on their clients’ privacy?

Law firms are a one-stop-shop for cyber criminals – not only can they get their hands on large financial transactions, but there’s plenty of sensitive, highly valuable client information to be had too. Protecting this confidential information is paramount to law firms keeping their reputation – and the reputations of their clients – intact.

Confidentiality is at the heart of the legal sector, with individuals and businesses alike placing their trust in law firms to transact securely and discreetly on their behalf. A breach of this trust can mean the end of the road for a law firm – just look at Mossack Fonseca, the firm that lost 11.5 million documents (2.6TB of data) in a 2016 breach dubbed the ‘Panama Papers’, due to weaknesses in their client portal which hadn’t been updated. The sensitive information in those documents about wealthy, famous, and public office clients was exposed to the press. Mossack Fonseca never recovered from the massive reputational damage caused by the breach, and was forced to close.

Law firms’ reliance on digitised information makes them particularly vulnerable to data breaches. They are accustomed to taking instruction and conducting transactions almost exclusively via email, including the transfer of extensive amounts of confidential, personal, and financial information. The constant movement of this information increases the risk of exposure.

The impact of the media

The affairs of high net worth individuals are temptingly lucrative targets for cyber criminals. Secrets and scandals sell newspapers. The 2017 ‘Paradise Papers’ scandal saw 13.4 million files leaked to the International Consortium of Investigative Journalists. The documents were stolen from Appleby, a major offshore law firm based in Bermuda that “specialises in advising some of the world’s wealthiest individuals”. The files showed the multitude of ways companies and affluent individuals avoid tax, and included names and financial information. Needless to say, the press had a field day.

Getting personal

It’s not just the rich and famous who are at risk of having their confidential information stolen. Enlisting the services of a law firm normally involves sharing a small library of personal information which, in the wrong hands, could easily lead to identity theft and fraud. Clients’ names, addresses, dates of birth, financial records, and sometimes medical information are all held by law firms, and usually transferred by email.

Law firms need to be particularly careful with this level of sensitive personal information, not least because of the further crimes it could be used for if stolen. The introduction of the GDPR in 2018 has already seen eye-watering fines making the headlines for Marriott and BA. Any breach of personal information must be reported, and fines are levied against the company that held the data for not adequately protecting it.

Finding the weakest link

Law firms are privy to some of the world’s most sought-after business secrets, through their contracts and transactions with multinational businesses. State-sponsored attacks are a daily occurrence against these businesses, targeting their top secret IP to gain a commercial advantage.

Cyber criminals are sometimes much more subtle in their approach than targeting the big fish straightaway. Smaller law firms are more likely to outsource certain services to external suppliers, especially for large contracts – these third party systems can provide an easy route in for cyber criminals if they’re not sufficiently secure. All it takes is a poorly protected link in the supply chain to lead to infringement of sensitive data and privileged information. Law firms need to be able to demonstrate that they can protect all client information, both up and down the supply chain.

What’s the best approach? 

Law firms are required to go through rigorous checks and certifications to transact as a law firm, which engenders implicit trust that the firm clients are dealing with is legitimate and secure. Clients don’t expect that such a pillar of security can be spoofed and compromised by cyber criminals. Law firms need to make sure they can keep hold of the secrets their clients entrust them with.

The potential cost of a data breach – including malpractice suits, significant loss of business, and hefty GDPR fines – is substantially more than the cost of implementing preventative measures. Law firms must ensure their cyber security strategy includes proactive detection methods that flag non-compliance and potential data breaches before they can cause damage. For example, law firms should use technology that scans all outbound emails to identify if multiple email addresses have been entered into the CC field, which could constitute a GDPR breach. If such an event is detected, the email can then be quarantined to prevent the breach, and the IT admin notified.

If a data breach does occur, law firms need to be able to prove compliance with strict data protection regulations, by confidently and accurately reporting exactly what information was accessed, who accessed it, and whether data was exfiltrated from their systems. Questions that need to be answered include how and where the security breach took place, what information was accessed, how systems can be recovered quickly, and how to prevent it from happening again.

Answering these questions gives a comprehensive response, enabling any law firm to report to the ICO in full. Once the issue has been resolved, the firm can reassure clients and stakeholders that its systems are secure.

Andy Pearch, Head of IA Services, CORVID



Certes Networks launches Observability as part of its encryption management solution

Certes Networks continues to bring new innovation and product features to its encryption management solutions and is proud to announce the launch of its Observability feature to deliver on its promise to keep data secure.

Many organizations are in the early adoption stages of cloud-native technologies, with the failure modes of these models still not widely understood. To successfully manoeuvre this new, but often obscure world, gaining visibility into the behaviour of applications has become more pressing than ever, and bringing better visibility into network systems through observability remains a key way to do this.

With the launch of Observability, customers can now have both visibility and observability of their data in transit. Logs, metrics and traces are useful tools that help with testing, understanding and debugging systems. However, an observable system isn’t achieved by simply having monitoring in place, nor is it achieved by having an SRE team carefully deploy and operate it.

With the Certes Networks Observability feature, organizations are no longer limited to monitoring for threats and keeping them out of their network. By generating and defining policies, network policy enforcement allows organizations to ensure that only authorized applications and users communicate with one another, while enabling them to meet their own governance, security and compliance requirements.

Through the export of network flows and Certes’ proprietary metadata, organizations can gain a deeper understanding of network policy deployment and enforcement and analyze every application that tries to communicate across the network, all the while monitoring pathways for potential threats, now that each policy is observable.

“Our solution allows you to program security policies in a simple and flexible way. This improves your overall security posture and makes it very difficult for attackers to make lateral ‘east-west’ moves in your WAN or data center. Our ability to visualize and observe the real-time state of the network, even when the traffic is encrypted, allows the security team to spot exfiltration attempts or unauthorized accesses easily. This greatly increases the ability of the user to prevent and manage breaches. This ability to see the impact of policy on the network significantly enhances security,” commented Sean Everson, CTO, Certes Networks.

Everson continues, “Observability is a feature that needs to be fully integrated into a network system and the launch of Certes Networks Observability addresses the security and operations concerns of our customers and delivers on our promise to keep their data secure.”



£3.5 million investment to train the next generation of forensic scientists

Cranfield University is investing £3.5 million in the latest forensic science technology at its Cranfield campus. Building on Cranfield’s distinctive strength in defence and security, this forensic science teaching and research facility will be unparalleled in the UK.

Students and staff will have access to new facilities such as a virtual reality autopsy table, crime scene investigation rooms and a simulated mass grave excavation site, from summer 2020.

Cranfield Forensic Institute is one of the world’s leading forensic science departments specialising in areas such as archaeology, ballistics, engineering failures, explosives and materials science. Students who have graduated through the Institute have gone on to leading roles in the police, the Home Office and academia.

To celebrate the investment, the University is also announcing that five full scholarships will be available to prospective students demonstrating excellence in their field.

Professor Andrew Shortland, Director of Cranfield Forensic Institute, said: “The investment in these new technologies will create unparalleled facilities for our students and staff to develop their research and learning. For decades, Cranfield Forensic Institute has been at the forefront of forensic science globally; these new facilities will enable us to raise our ambitions even further and enable our students to continue to be at the front of the queue for careers in organisations such as the police, Home Office and DSTL.”

Professor Sir Peter Gregson, Chief Executive and Vice-Chancellor, said: “Cranfield has a proud track record of leading forensic science research and education. I’m delighted that the University is able to invest in these new leading facilities for our students and our staff.”



Shining a Spotlight on UK Cyber Security Standards

Matt Cable, VP Solutions Architect and MD Europe, Certes Networks

Public sector organisations in the UK are in the midst of changing cyber security regulations. In mid-2018, the Government, in collaboration with the NCSC, published a minimum set of cyber security standards. These standards are now mandated, along with a focus on continually “raising the bar”. The standards set minimum requirements for organisations to protect sensitive information and key operational services, which – given the way in which these services are increasingly dispersed – is driving significant changes in public sector network architecture and security.

In addition to setting today’s ‘minimum’ standards, however, the guidance also sets a target date of 2023 by which public sector organisations will be expected to have adopted a ‘gold-standard’ cyber security profile. Matt Cable, VP Solutions Architect and MD Europe, Certes Networks, therefore outlines the essential considerations that will help organisations select an encryption solution provider that can easily integrate into any network infrastructure as they migrate from Legacy MPLS to SDN or SD-WAN network architectures.

The Principles

For both public and private sector organisations, customer experience is key. From finance and utilities, to local authorities and smart cities, customer touchpoints are increasingly dispersed, remote and application-driven, necessitating a move from Legacy MPLS to SDN or SD-WAN. However, under the Government’s new minimum cyber security standards framework, ensuring sensitive information and key services are protected is a critical consideration.

The UK’s National Cyber Security Centre (NCSC) has therefore issued principles for cyber secure enterprise technology to organisations, including guidance on deploying and buying network encryption, with the aim of reducing risks to the UK by securing public and private sector networks. This guidance bears parallels with the US National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and therefore applies equally to US federal and other organisations in a similar scenario.

Similar to the NIST framework, the NCSC guidance shares the same principle that networks should not be trusted. It recommends that to keep sensitive information protected, encryption should be used between devices, the applications on them, and the services being accessed. IPsec is the recommended method for protecting all data travelling between two points on a network to provide an understood level of security, with further guidance outlining a specific ‘gold-standard’ cipher suite profile known as PRIME.

The guidance is based on the network vendor being CAS(T) certified (CESG (Communications Electronics Security Group) Assured Services (Telecommunications)), which involves an independent assessment focused on the key security areas of service availability, insider attack, unauthorised access to the network and physical attack.

However, there are challenges.

Challenge #1 – Public Sector Adherence to CAS(T)

Many public sector organisations are no longer mandating CAS(T)-based services, and therefore the risk appetite is expected to be lowered, mainly to support the emergence of internet and SD-WAN suppliers’ network solutions. This is key because the current NCSC Foundation standards recommended for IPsec will expire in 2023, and users are being encouraged to move quickly off legacy platforms.

Challenge #2 – Impact to Cloud Service Providers and Bearer Networks

This guidance, such as the protection of information flows on dedicated links between organisations, also applies to cloud service providers and to the inter-data-centre connections within such providers’ networks.

The underlying bearer network is assumed not to provide any security or resilience. This means that any bearer network (such as the internet, Wi-Fi, 4G/5G, or a commercial MPLS network) can be used. The choice of bearer network(s) will have an impact on the availability that an encrypted service can provide.

Challenge #3 – Partner Collaboration

NCSC explicitly states in its guidance that establishing trustworthy encrypted network links is not just about technology. It is also important that the management of these network links is carried out by appropriate individuals, performing their assigned management activities in a competent and trusted fashion, from a management system that protects the overall integrity of the system. Thus, for encryption solution providers, the partner’s service credentials impact how the end user may use the technology.

The Solution

IPsec helps protect the confidentiality and integrity of information as it travels across less-trusted networks, by implementing network-based encryption to establish Virtual Private Networks (VPNs).

Under PRIME principles, devices which implement cryptographic protection of information using IPsec should:

  • Be managed by a competent authority in a manner that does not undermine the protection they provide, from a suitable management platform
  • Be configured to provide effective cryptographic protection
  • Use certificates as a means of identifying and trusting other devices, using a suitable PKI
  • Be independently assured to Foundation Grade, and operated in accordance with published Security Procedures
  • Be initially deployed in a manner that ensures their future trustworthiness
  • Be disposed of securely

Keeping the network design simple is one of the most effective ways to ensure the network provides the expected security and performance. The use of certificates generated in a cryptographically secure manner allows VPN gateways and clients to successfully identify themselves to each other while helping to mitigate brute force attacks.


There are many encryption solutions to help agencies and federal governments who want to move from Legacy MPLS to SDN or SD-WAN. Layer 4 encryption, for example, can integrate easily into any network and encrypt data in transit without disrupting performance or replacing the current network architecture.

Selecting a provider that can offer a PRIME-compliant solution – such as Layer 4 encryption – is key to conforming to both today’s and tomorrow’s cyber security standards. And with NCSC starting to treat all networks as untrusted (especially for those agencies using the internet), PRIME is becoming the gold standard against which NCSC will measure regulatory compliance.

Therefore, it is important to consider a vendor that can offer a security solution that is not only compliant but is simple and uncomplicated, minimising disruption, resources and costs.



Proof-of-concept code for a security flaw in Docker is now public – Comment

It has been reported that security researchers are urging Docker customers to upgrade to the latest version after detailing a proof-of-concept (PoC) attack exploiting a critical vulnerability, which could lead to full container escape. The CVE-2019-14271 flaw was fixed in Docker version 19.03.1, but if left unpatched could give an attacker full root code execution on the host.

Commenting on this, Satnam Narang, senior research engineer at Tenable, said “CVE-2019-14271 is a critical code injection flaw in the Docker copy (docker cp) command, which is used to copy files between containers. Exploitation of this flaw can lead to full container escape by an attacker. It is important to note that to exploit this vulnerability, an attacker would need to include the exploit code in a malicious Docker container image or compromise a container either via another vulnerability or using previously leaked Docker secrets.

“If updating to a patched version is not feasible, users are strongly encouraged to only use trusted Docker container images that have been verified and/or signed. Additionally, please consider using non-root users when launching containers, as that would mitigate the threat this vulnerability poses.”



Webinar: Allstate, Nationwide and Liberty Mutual on Carrier-OEM Collaboration

The wheels are now in motion and it’s sure to be an interesting journey. OEMs, insurers and new market entrants are all jockeying for position. The question is how industry players identify a roadmap through new and different business models, data exchanges and partnership structures that leads to workable, exciting new ecosystems, ones able to deliver on customers’ high and still rising needs and expectations.


Sanjeev Mirle, Managing Director, Automotive & Mobility Strategic Partnerships, Liberty Mutual Insurance, a contributor to the upcoming Insurance Nexus by Reuters Events webinar on “Auto Insurers, OEMs and Supply Chains: Collaborating for the New Consumer” had this to say on the topic:


“Insurance can be a natural extension of many OEMs’ brand promise of safety, convenience, and peace of mind.  The growth of advanced safety systems, connected vehicle data and analytics, and online shopping for both vehicles and insurance is prompting collaboration across the auto and insurance industries to create new business models and differentiated value for their shared customers.”


Be sure to join the free webinar now “Auto Insurers, OEMs and Supply Chains: Collaborating for the New Consumer” (December 6th, 10.00 Central US time).


Simply register for free here.


The free-to-listen session will also canvass opinions from: Stephen Applebaum, Managing Partner, Insurance Solutions Group (Moderator); Pete Frey, Commercial Telematics & Connected Business Director, Nationwide; and Clint Marlow, Director, Allstate.


Key lines of questioning and debate will include the challenge of leveraging real core competencies to navigate disruption and connectivity successfully, and inter- and cross-industry partnerships, whose selection, design and execution will be the key differentiators. Data privacy and security are also critical, as is understanding the design of these new “rules of the road”.


The session moderator, Stephen Applebaum, feels this topic is a critical area for modern carriers to consider: “‘Gradually, then suddenly’ best explains how the demand for totally new and very different relationships have emerged between auto insurers, OEMs, collision repairers and the broad transportation industry supply chain – all focused on the new consumer and the data-rich connected vehicle ecosystem. The question is no longer if, but how?”


What role will you play as part of a mobile, information-rich and profitable working relationship that will serve your common customers? Join the free webinar today, and if you can’t listen live you can still access the recordings.




For more information please contact Graham Proud:

Graham Proud

Insurance Nexus by Reuters Events

Tel: +44 (0)20 7375 7221


About Insurance Nexus

Insurance Nexus is the central hub for insurance executives. Through in-depth industry analysis, targeted research, niche events and quality content, we provide the industry with a platform to network, discuss, learn and shape the future of the insurance industry.

Insurance Nexus by Reuters Events is part of FC Business Intelligence Ltd. FC Business Intelligence Ltd is a registered company in England and Wales. Registered number 04388971, 7-9 Fashion Street, London, E1 6PX, UK



Don’t Let the Grinch Steal Your Data! 5 Tips for a Safe Cyber Christmas

Written by Tony Pepper, CEO of Egress

Whilst working from home during the festive period represents a well-meaning attempt by staff to maintain productivity, it can also expose a business to considerable risk, much to the delight of cyber criminals looking to exploit the Christmas holidays for their own gain. Without due consideration for the security of what they are doing, a careless employee could compromise corporate data and information and, in the worst-case scenario, create a data breach.

Likewise, outside of normal working environments, unsuspecting employees are an easy target for phishing and other forms of attacks during holiday times. Cyber criminals are increasingly exploiting the noise created by Black Friday and Cyber Monday, where unsuspecting shoppers are often more concerned with the latest bargains from retailers, rather than worrying about the safety of their personal information. Furthermore, with colleagues covering busy holiday workloads, less familiar with procedures and controls, it is easy for an email to end up in the wrong hands.

With employees’ intentions in the right place, it is up to organisations to stay one step ahead to ensure that security is not being compromised. A lot of the time this comes down to education and training, because all too often employees are blissfully unaware of the scale of the problem and how they may be compounding it.

To this point we recently obtained, via a Freedom of Information (FOI) request, statistics from the Information Commissioner’s Office (ICO) on human error, which today remains the main cause of personal data breaches (PDBs). The figures showed that, of the 4856 PDBs reported to the ICO between January and June this year, 60% were the result of human error. Of these nearly half (43%) were the result of incorrect disclosure. Nearly a fifth (18%) were attributed to emailing information to incorrect recipients or failing to use Bcc, and 5% were caused by providing data in a response to a phishing attack.

These statistics show how easily this can happen in the day-to-day working environment, so imagine how this could be amplified when you have employees remotely ‘dipping in and out of work’ whilst on holiday.

Likewise, we commissioned research earlier in the year that explored the reasons why insider data breaches occur. In the research we asked employees if they had accidentally shared data and why they thought this had happened. Of those who had accidentally shared data, almost half (48%) said they had been rushing, and 29% said it happened because they were tired. The most frequently cited employee error was accidentally sending data to the wrong person (45%), while 27% had been caught out by phishing emails. Sending data to the wrong person can be as simple as mis-typing or auto-complete of an email address, a mistake when sending to a distribution list, or simply using the wrong attachment.

However, rather than discouraging employees from keeping up to date with work – because it is inevitable in our 24/7 always-on world – what holiday tips can employers give their employees and what should organisations be thinking about?

Taking organisations first, we recommend that they adopt a people-centric approach. By focusing on people as part of their data security strategy, organisations can build a safety net for users’ behaviour to prevent accidental, as well as malicious, data breaches. This means putting in place solutions that surround the user, providing them with simple and easy-to-use tools so that they can protect sensitive information.

Additionally, comprehensive data analytics and e-discovery can help security administrators establish a baseline of normal behaviours and therefore provide the ability to spot anomalies. Here at Egress we provide a people-centric data security platform that protects and supports users, helping them to make the ‘right’ decisions when sharing sensitive data. By building machine learning into everything we do, we help detect threats and provide a wide range of insights into behavioural patterns to identify anomalies across the organisation. So, for example, if you take the mistyping of email addresses and accidental sends, our platform detects and alerts even on Cc and Bcc recipients that may not belong in a certain message.
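As an added illustration of the outbound-mail checks described above (and of the Cc-field scan mentioned in the law-firm article earlier on this page), not Egress’s or CORVID’s code: a small policy filter that quarantines a message when several external recipients are visible in Cc, or when a recipient domain is one keystroke away from a known correspondent domain. The firm’s domain, the known-domain list and the Cc threshold are assumed values, and the sample messages are constructed.

```python
"""Outbound-mail policy check: flag mass disclosure via Cc and mistyped
recipient domains.  Added example, not CORVID's or Egress's code.  The firm's
domain, the known-correspondent list and the Cc threshold are assumptions."""
from email import message_from_string
from email.utils import getaddresses
from typing import Optional

INTERNAL_DOMAIN = "example-law.test"                               # assumed
KNOWN_DOMAINS = {"clientbank.test", "gmail.com", "outlook.com"}    # assumed
CC_EXTERNAL_LIMIT = 1   # more external Cc recipients than this -> quarantine


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one insertion, deletion,
    substitution or adjacent transposition counts as one edit, so a single
    slip of the fingers ('gmial.com') is distance 1 from 'gmail.com'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def suspicious_domain(domain: str) -> Optional[str]:
    """Return the known domain this one looks like a typo of, else None."""
    if not domain or domain == INTERNAL_DOMAIN or domain in KNOWN_DOMAINS:
        return None
    for known in sorted(KNOWN_DOMAINS):
        if _edit_distance(domain, known) == 1:
            return known
    return None


def check_outbound(raw_message: str) -> dict:
    """Decide whether an outbound message may be delivered or must be held.

    Rule 1: several external addresses in the visible Cc field disclose every
            recipient to every other recipient; Bcc should have been used.
    Rule 2: a recipient domain one keystroke away from a known correspondent
            domain is probably a mistyped or mis-autocompleted address.
    """
    msg = message_from_string(raw_message)
    to = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    cc = [addr for _, addr in getaddresses(msg.get_all("Cc", []))]
    reasons = []

    external_cc = [a for a in cc if _domain(a) != INTERNAL_DOMAIN]
    if len(external_cc) > CC_EXTERNAL_LIMIT:
        reasons.append(f"{len(external_cc)} external recipients visible in Cc; use Bcc")

    for addr in to + cc:
        lookalike = suspicious_domain(_domain(addr))
        if lookalike:
            reasons.append(f"{addr}: domain resembles {lookalike}; possible typo")

    # A real gateway would hold the message and notify the IT admin here.
    return {"verdict": "quarantine" if reasons else "deliver", "reasons": reasons}


# Constructed samples.  The first is a client update that Cc's three external
# parties at once, one of them at a mistyped domain.
SAMPLE_LEAK = """\
From: partner@example-law.test
To: alice@clientbank.test
Cc: bob@gmail.com, carol@outlook.com, dave@gmial.com
Subject: Settlement figures

Please find the figures attached.
"""

SAMPLE_OK = """\
From: partner@example-law.test
To: alice@clientbank.test
Cc: associate@example-law.test
Subject: Settlement figures

Please find the figures attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LEAK, SAMPLE_OK):
        print(check_outbound(sample))
```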

But what tips should employers pass on to their employees? Here are my top five recommendations. All are quite simple, but combined with an organisation taking a people-centric approach, they should help keep data safe and hackers at bay during the holiday season.

Use unique passwords and change them often

Don’t make it easy for them! Birthdays, nicknames, pet and children’s names – these make for terribly insecure passwords that are constantly exploited by even the most amateur of hackers.

Log out when you have finished

It’s not just something we need to worry about at internet cafes: Wi-Fi, Bluetooth and networking technology have advanced far enough that other people gaining access to your devices is the real concern. That’s why it’s always a good idea to log out of any account when you have finished using it, or if you will be away from the device for an extended period of time.

Only send sensitive information over email if it is encrypted

Whenever possible, it’s a good idea to only send sensitive information via email that is encrypted. It is never a good idea to send credit card numbers, bank details, passwords, and so on if you haven’t encrypted this data, even if you are sending to a family member or close friend. The fact remains that any critical information sits waiting in their inbox or archives for the day it is accidentally forwarded, phished, or stolen.

Check any link before clicking

Even if an email looks like it is from a credible source, there is nothing guaranteeing that any links contained within the message lead back to a legitimate source. It’s important that you know where a link is going to take you before you click it. Otherwise, you may unintentionally reveal sensitive information. If an email asks you to click on a link, button, or other hyperlink elements, you should first hover over (or preview) that link to see its address. If in doubt, seek advice from your IT team.

Never download something in an email from an unknown sender

It’s common for hackers to use attachments and downloads in emails to introduce malicious programmes onto users’ devices. More often than not the user remains completely unaware that they have downloaded these scripts, which can do anything from slowing their device’s performance to stealing their sensitive information. That is why you should never open or download anything inside an email from a sender you don’t recognise or know.

Now, go and enjoy your Christmas festivities!



Windows 10 update is packed with dangerous ransomware and other viruses – Comment

It has been reported that Windows 10 users are receiving emails purporting to be from Microsoft, urging them to install a new update to their machine. But be warned, it’s not an official message from the US firm and the update is packed with dangerous malware and other vicious viruses.

Commenting on this, Yossi Naar, chief visionary officer and co-founder at Cybereason, said: “Phishing scams are, unfortunately, an elusive approach and they are successful time and time again because they are hard to detect.

“My basic advice for people is, if someone is trying to get me to do something, don’t trust it and verify independently – meaning, if someone wants me to install something and says it’s Microsoft, don’t do it before verifying independently that the request is real. Also, in this instance, users should check on Microsoft’s website to verify that a patch has been issued. Never, ever use the provided link from an unsolicited source.

“One of the most common attacks against companies is where they send an email “from the CEO” and tell accounting to “wire money urgently for X” or something along these lines. They are scams and individuals need to first verify with whoever is supposed to have made the request. Don’t trust out of bound things that you didn’t trigger and aren’t expecting.

“Also, in general, Microsoft specifically does not tend to email its users. It has never in the past (to my recollection) sent emails about “installing a patch”, so I don’t see what they could have done, except as they did – alert people to this scam and explain it isn’t them.

“Emails, in a broader sense, have a problem of verified trust. There is a huge list of ongoing scams, and the list continues to grow every day. Scammers figure out creative new ways of luring people into their traps. A major part of it is that it’s a low-cost operation usually – it costs the scammers nothing to send millions of emails, so even if their success rate is one in a million, it’s still worth it to the criminals in many cases.

“Best practices against phishing emails and a variety of scams include increased control over communication methods, increasing verification of source senders and limiting the ability of unverified senders to send phishing emails. Increased vigilance and improving security hygiene could help reduce the viability of email as a scamming channel. Much like the ongoing discussion about secure DNS implementation – it’s often difficult both technically and politically to implement a large scale change in basic infrastructure. Nevertheless – it’s essential that we do so.”




Notorious Iranian Hacking Crew Is Targeting Industrial Control Systems – Comment

It has been reported that one of Iran’s most active hacker groups appears to have shifted focus. Rather than just standard IT networks, they’re targeting the physical control systems used in electric utilities, manufacturing, and oil refineries. At the CyberwarCon conference today, a Microsoft security researcher plans to present new findings that show this shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin.

Commenting on this, Sam Curry, chief security officer at Cybereason, said: “Microsoft’s research into APT33’s recent targeting of industrial control systems reminds us that in the great cyber game, it’s about using peacetime to build “optionality”: amass assets, resources and access. The Iranian cyber forces are masters of this, and seeing increases in the cold war that is cyber conflict, it makes sense that they would continue to grow what’s worked in the past: expand penetration of weak networks with high access, produce tools for use in the ecosystem of cyber aggressors and build capacity.

“Iran has been on the receiving end of such attacks, as with Stuxnet, and it’s been the attacker too, as with Saudi Aramco in 2012. This isn’t new, and it isn’t a passing fad. The great game of nations has a cyber extension now for new, less risky and ever-more powerful extensions of politics by other means – to paraphrase Clausewitz.

“As early as 1992 with the alleged US attack on Siberian pipelines, up to and including the Russian Black Energy attack in 2015 on Ukrainian power distribution companies or again the NotPetya attacks of 2017, there is a clear tradition of attacking critical infrastructure by cyber means. It should come as no surprise that nation states are looking to land, expand and grow their options. If you want to hamstring a country, drive trade concessions, win at the diplomacy table or amass power for strategic gains, cyber is the choice of the present and the foreseeable future.”




Google and Android smartphone vulnerability lets attacker remotely control cameras

Forbes reported that the security research team at Checkmarx has discovered vulnerabilities affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users, the largest impact to date. Researchers discovered a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on conversations by recording them as the user lifts the phone to their ear, identify the user’s location, and more. All of this is performed silently, in the background, with the user none the wiser.

In response, Craig Young, senior security researcher at Tripwire, stated:

One of the most important aspects of Android app security is to lock down exported activities. Within Android, Intents serve as the glue for cross-application interaction at runtime allowing, for example, one app to invoke an activity from another. Poorly designed activities can be leveraged by malicious apps to perform actions or access data that would normally incur a permissions request.

In this case, Google left an open activity for triggering the CameraActivity specifying that it should take a picture or record a video. A malicious app with storage permission could trigger the activity and then access the resulting media files from the phone’s internal storage. It is frankly quite shocking that Google would make such a mistake in their own camera app.

In the long-term, I think AOSP needs to seriously consider finer grained access controls between apps. Something like a firewall for Intent messages so that users have some control over which other apps a given app can interact with.
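To show the check Craig Young describes from the defender’s side, here is an added example (not Checkmarx’s, Google’s or Tripwire’s code) that audits an AndroidManifest.xml for components other apps can start without holding any permission, applying the platform rule that a component with an intent-filter is exported unless android:exported says otherwise. The sample manifest is constructed and its package and permission names are assumptions; it places the weak form beside two hardened forms.

```python
"""Audit an AndroidManifest.xml for components that other apps can start
without holding any permission.  Added example; not Checkmarx's, Google's or
Tripwire's code.  The sample manifest is constructed, and its package and
permission names are assumptions, not the real camera app's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component) -> bool:
    """An explicit android:exported wins; otherwise a component with at
    least one <intent-filter> is implicitly exported (the pre-Android 12
    default), which is exactly what lets another app invoke it."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def audit_manifest(manifest_xml: str) -> list:
    """Return one finding per exported component with no android:permission,
    skipping home-screen launcher entries, which are exported by design.
    Each finding lists the actions accepted, so a reviewer can judge
    whether, say, 'capture an image' should be callable by anyone."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp) or _attr(comp, "permission"):
                continue
            categories = [_attr(c, "name") for c in comp.iter("category")]
            if LAUNCHER_CATEGORY in categories:
                continue
            findings.append({
                "component": _attr(comp, "name"),
                "kind": tag,
                "explicit": _attr(comp, "exported") is not None,
                "actions": [_attr(a, "name") for a in comp.iter("action")],
            })
    return findings


# Constructed manifest: one weak activity next to two hardened variants.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <permission android:name="com.example.camera.CAPTURE"
      android:protectionLevel="signature" />
  <application>
    <!-- Launcher entry: exported on purpose. -->
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <!-- Weak: no exported attribute, but the intent-filter makes it
         implicitly exported, so any app can start a capture. -->
    <activity android:name=".CaptureActivity">
      <intent-filter>
        <action android:name="android.media.action.IMAGE_CAPTURE" />
      </intent-filter>
    </activity>
    <!-- Hardened: guarded by a signature-level permission, so only apps
         signed with the same key as this one can start it. -->
    <activity android:name=".GuardedCaptureActivity" android:exported="true"
        android:permission="com.example.camera.CAPTURE">
      <intent-filter>
        <action android:name="android.media.action.IMAGE_CAPTURE" />
      </intent-filter>
    </activity>
    <!-- Hardened: internal only, never reachable from other apps. -->
    <activity android:name=".InternalActivity" android:exported="false" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run against a real manifest (for example one pulled from a build’s merged manifest), the findings list is the set of components a reviewer must justify or lock down with android:exported="false" or a permission.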