Updated and corrected below.The antivirus industry likely let out a collective groan when Google first made a familiar-sounding boast Wednesday: that the just-launched laptops it’s calling Chromebooks have “
security built-in so there is no anti-virus software to buy and maintain.”Similar claims from Apple (that its computers are safe “
right out of the box“) or from Oracle (that its machines are “
unbreakable“) have only been invitations to the security industry to prove otherwise. But this time is different: Google may have built something so simple that it renders security add-ons–and the industry that sells them–irrelevant.
Chromebooks are built to run nothing but a browser–unless they’re jailbroken, no executable files can be installed, neither antivirus software, nor the malicious software it’s meant to protect against. And if that web-only strategy catches on–still a big if, admittedly–it could spell real trouble for antivirus companies like McAfee, Symantec, Kaspersky and Trend Micro.
Charlie Miller, a researcher for Independent Security Evaluators who has
made a career out of disproving Apple’s security claims, has owned a Chromebook since February, when the machines were sent as freebies to winners of the Pwn2Own hacking competition in Vancouver. He hasn’t dug deeply into the device’s security, but he says the Web-only security model works in theory. While a hacker might exploit bugs in the Chrome browser to run code on a user’s machine, that exploit would only allow the attacker to access the user’s data for a single session, and would disappear the moment the browser closed. “The way you stay persistent [as a hacker] is by installing software,” says Miller. “This is designed not to allow any persistence. You turn it off and on and you’re good to go.”
Update and correction :A critical response
post at Tom’s Tech Blog points out a few issues I missed here. Google is releasing a software development kit for native applications, which could potentially introduce security vulnerabilities. And with regard to Charlie Miller’s quote above, even a hijacked browser could potentially steal a user’s credentials, which could allow access to his or her cloud-stored data. (Though the point remains that this isn’t an issue that necessarily can be fixed by antivirus software.) Apologies for these oversights.
The Chromebook’s security model means the antivirus industry is facing a new kind of PC more similar to the iPhone than a netbook, argues Perimeter E-Security chief technology officer Andrew Jaquith: a limited device with security inherent in its restrictions . When Jaquith was still an analyst for Forrester Research last August, he
wrote a widely-read post arguing the folly of Intel’s McAfee acquisition. One point in that argument was that McAfee is less relevant than ever before, as the burden for security in post-PC devices like tablets and smartphones shifts to the vendor–Apple, Google or RIM–instead of the security industry.
The Chromebook contributes to that larger post-PC problem for McAfee and its ilk, Jaquith argues. He points to data from Gartner Research that predicts sales of 1.4 billion post-PC devices (a category that he construes as including the Chromebook) by 2015 compared with 540 million traditional PCs. “Very few of these will need AV. That’s terrible news for security vendors because three-quarters of the market for their traditional products is about to go away,” says Jaquith. “That’s what happens when you build security in, instead of relying on the market to bolt it on. It’s great for customers, and terrible for the security aftermarket.”
When I
asked McAfee chief executive David DeWalt about the problem that the security faces with regard to restricted devices like smartphones last month, he pointed out that McAfee has an opportunity to help businesses integrate those post-PC devices securely and that McAfee’s mobile software can help consumers track lost phones and back up their data, as well as protect them from malware. He also brought up a string of rogue apps that recently appeared in Google’s Android market as evidence of the need for post-PC security.
But integrating Chromebooks into an organization is easy enough–they don’t store any data locally, so they pose little risk of causing a data breach. Tracking lost phones and performing backups is hardly enough of a task to sustain giant antivirus operations like McAfee and Symantec. And in that Android outbreak that DeWalt referenced, Google
flipped its remote kill switch, remotely wiping the offending apps without any security company’s intervention–hardly a demonstration of McAfee’s relevance in mobile.
The Chromebook is locked down even tighter than Android, and reduces antivirus’s foothold from slim to near-zero. The ultra-simple devices may catch on, or not. But either way, they’re a reminder that the PC world is facing an incursion by post-PC devices, and that those devices will be post-antivirus, too.
