How many times today have you entered a passcode or password on your phone?
These are the kind of everyday digital tasks we tend to do without thinking. But they aren’t always as secure as we think they are.
In recent years the Trusted User Interface (TUI) has emerged as a security concept designed to protect us as we perform these tasks. It operates within what is called a Trusted Execution Environment (TEE), outside of the main OS. It’s there to stop bad actors from spying on us as we enter our personal details or perform critical tasks.
The Trusted User Interface has been a helpful concept. But there’s a danger that it won’t be enough to protect us from cybercriminals in years to come.
Attacks are getting ever more sophisticated. And the user interface itself is evolving and blurring as augmented reality takes root in our lives.
So, it seems like the right time to ask:
Are we ready to secure the user interfaces of the future?
What exactly is a user interface?
For a long time the answer to the question above was obvious: a space where users interact with their device. Input has often been through touch (a keyboard, a mouse, or a touchscreen). And output has mainly been via a screen and speakers.
But augmented reality will soon blur the senses we use to connect to our phones.
User interfaces in the coming years might involve a combination of voice, visual display, and touch. That’s why we need to start preparing for this future now instead of only focusing on finding security solutions for the user interfaces of the present.
We’ll explore this in more detail later in this piece. But before that, let’s come back to the here and now.
You only have to look at the last year or so to find examples of just how quickly the landscape can change. In no time at all we’ve all got completely used to scanning QR codes in bars and restaurants. The mobile device has also transformed into a de-facto covid-19 passport that we present to officials in airports and outside venues.
These aren’t the only changes influenced by the pandemic. The growth in mobile payments - both making and receiving - has sped up the demise of cash. And this in turn has normalized yet another user interface.
We tend to get used to these shifts quickly. But the problem is that cybercriminals do, too. They see a new way of sharing sensitive data with a swipe or a simple voice command as a vulnerability to exploit.
The need for a Trusted User Interface
Hackers know our usage habits evolve more quickly than businesses put in place the necessary security measures. And this knowledge is boosting their confidence.
The last few months have provided us with plenty of examples to prove the point. This summer, the security researchers, Threat Fabric, reported a new Android malware that can record everything that happens on your phone. The banking trojan, Vultur, carries out screen recording and keylogging to capture users’ login details.
These are two of the most common spying methods right now. Keylogging is where a bad actor captures the keys you stroke on a keypad. Screen recording (also known as screen capping) records a video or takes a screenshot of what’s on your smartphone screen.
Vultur uses Virtual Network Computing (VNC) to remotely control - and record - a victim’s device.
Perhaps the most frightening aspect of Vultur reported by Threat Fabric is that the malware is able to detect when someone is using an app on a ‘target’ list.
That means that if a bad actor were interested in logging sensitive data from a particular banking app, they’d be notified of exactly when to record.
We also read recently about the malware family, TeaPot, which uses different types of overlay attacks to target Belgian banks. It can create a fake UI on top of the real app, tricking the user to touch specific parts of the screen. It can create interactive fields to sit on top of key fields. And it can even overlay the entire app and pretend to be the app. This is what’s called a full overlay attack.
These attacks tell us that there’s already a need for the Trusted User Interface as we currently recognize it. Trojans like Vultur and TeaPot have helped to usher in regulations from bodies such as PCI. In the next year or two, they will likely act as an extra push for app developers.
Is the current Trusted UI specification too limited?
However, right now Trusted UI is used mainly with a view to stopping cybercriminals from spying on our login details, passwords, and two-factor verifications.
The scope is typically confined to screen and touch protection.
Is this a limited view?
The Global Platform specification of a Trusted User Interface was devised in 2013 and, at the time, it was a totally sound specification. Some functions were deliberately left out of it as they were seen as being either not realistic technically, could not be standardized easily due to fragmentation, or were not considered to be of sufficient importance.
But eight years on, our mobile usage habits - and the threat landscape as a whole - has changed.
And so it’s worth asking whether it would be more helpful to consider a “secure user interface” that covers much more of our day-to-day interactions on mobile devices.
Let’s use a couple of examples from the present before we look to the near future.
We currently spend a lot of time on video calls that, if recorded, could provide an intimate view into our daily lives. Images or video footage of family members or of our homes and offices could tell attackers a lot about us. If they were able to capture them, then these shots could aid their extortion efforts.
What’s more, other screenshots of apps - outside of a payment or transaction screen - could also help bad actors to craft a more believable phishing campaign.
Say you bank with Chase and you get a phishing message from Bank of America. You’d be able to safely ignore that. But if you received what looked like a legitimate message from Chase with references to your usage habits, you’d be much more likely to engage with it in the moment.
Securing the user interfaces of the future
We recently read a couple of articles that help to illustrate how a new specification for a wider secure user interface might be made ready for the near future.
The first one was about fraudsters cloning a company director’s voice to carry out a $35m bank heist in the UAE. And the second was about some malware called PixStealer that abused Android’s Accessibility Service to target users of the Brazilian bank, PagBank.
The idea of cloning someone’s voice to carry out fraud sounds pretty incredible to us today. But this is a pointer to the kind of cyber attack we’ll read about a lot more in 2-3 years.
As long as recordings of our voice and videos of us exist online, then the opportunity will also exist for hackers to use technology to pretend to be us.
There are already some worrying stories about people using deepfakes with bad intentions. And it only feels like a matter of time before one is used to carry out a serious cyber attack.
Imagine a world where it’s normal to use augmented reality - or even smart glasses - to log into the most secure applications. Even an action as personal and unique as this might be at risk from fraud in the future.
This is why we think the concept of Trusted UI needs a rethink. Because while it’s hard to predict exactly how our changing tech habits might lead to new attack vectors opening up, one thing is certain - they almost always do so. We can’t assume that the way we carry out transactions and other critical tasks today will stay the same.
The PixStealer malware is a different kind of attack. It proves just how adept cybercriminals are at profiting from a new kind of user interface. In this case, one that was designed to help people with disabilities to access their phone.
Again, it’s impossible to read about this attack and not hypothesize about future attack vectors. After all, the more smart devices and sensors surround us, the easier it will be for all of us to connect to the digital world. But bad actors will see each of them as a window.
In a recent article we shared 5 tips for securing your mobile device in the post-pandemic world. And the first tip was obvious to us:
Be more suspicious.
This advice was for end users, but it’s just as vital for developers, too. Yes, being wary is a sad suggestion, but as long as bad actors are able to spy on our activity, it’s very necessary.
This helps to explain why Google’s Pixel 6 device - announced last week - will come with a privacy dashboard. It’s there to enable users to set camera and microphone access for all of their apps.
Becoming more aware of these permissions is just one step in creating a secure user interface that will benefit us all.
Sign up to our monthly newsletter, Layers, to get updates about our upcoming articles - including more on secure user interfaces.