Hagai Bar-El

Information Security Architect

HBAREL.COM

InZero provides some security
Posted on: 24 Mar 2010

I was just made aware of InZero, a new physical device that you connect to your PC, and your browsing becomes secure. I find it amazing that some people treat it as among the most revolutionary of security solutions.

I think the InZero device is cool. I think it protects against some attack vectors, at some usability costs. It may even make a worthwhile trade-off for some people. But to consider the protection granted by this device as something that is revolutionary, or to claim that it is “giving hackers, criminals, and spies the middle finger” is an exaggeration, even when it comes from marketing guys.

InZero is a hardware device that connects to your PC. It fits an execution environment that runs a browser in the box. This browser interacts with the network and with the user through a driver that is installed on the PC to which it is connected. The browser runs in the box, not on the PC, so all those browser exploits do not find a ground to run on where they can cause damage. The memory that the box uses is read-only, so whatever the malware does on the browser platform, its effect will not survive for the next boot. Good.

InZero may solve some of the security problems that involve malicious scripts exploiting the browser. These you could also solve with remote browsing, software filtering proxies, or, to a limited extent, with a good browser that supports disabling of scripts.

There are too many attack vectors that InZero does not address for me to consider it as something that can “stop computer viruses dead in their tracks” or otherwise change the security landscape.

First, statements such as:

When even Google (GOOG) falls victim to hackers, it's clear that traditional security software isn't getting the job done. Hackers, criminals, and spies have broken into the computer systems of thousands of companies, government agencies, and organizations. [...]

Against this darkening backdrop, a tiny, Herndon (Va.) startup called InZero Systems claims to have developed a hackproof hardware-based system [...]

which I found on BusinessWeek make almost no sense to me. InZero protects web clients, not servers. Attacks on servers do not care about InZero being installed on eventual clients of the service, or anywhere else for that matter.

Also, facts as:

Its approach has been tested by the military's Defense Advanced Research Projects Agency (DARPA) and several companies that specialize in finding cracks in computer security. No one has broken in.

which I found in the same article, may be true, but not necessarily relevant. The box may run a platform that is impenetrable, but that does not change the nature of the security benefits provided by the box; even while it is intact.

To better understand the limitations of the solution in showing hackers the middle finger, let us examine some of the common client-side attacks that are not plain browser exploits:

Keylogging. An attacker has got a key-logger installed on the victim's machine. The key-logger sniffs the keystrokes that are typed by the victim when logging into his bank, and sends them to the attacker for his own use. Such an attack will succeed even if the victim uses InZero for the simple reason that keyboard entry is sniffed by malware on the PC. Such malware sees all keyboard input regardless of where the browser that will eventually use this input is installed.

Virus Infection. The user downloads a file that is infected with a virus. In theory, InZero can prevent this, because the browser that downloads the infected file will not store it on the PC but only in the secure read-only box. However, if this behavior is indeed activated, then the user will not be able to use any of the files he downloads, so why download? Obviously, for download to be useful, InZero will have to provide the ability to pass the downloaded files back to the PC. Once the infected file is delivered to the PC — the virus detonates, just as if it was downloaded by the PC directly.

Phishing. The victim is tricked into visiting a fake web-site that looks just like the one of her bank. She enters her banking user-name and password into the fake site, which in-turn delivers the data to the attacker. This attack will also not be foiled by InZero. InZero provides a browser — it browses where you tell it to browse. If the user directs InZero, as she directs any other browser, to the wrong web-site, this is the site that will be browsed and this is where the banking credentials go, with InZero as without it.

Conclusion: InZero is a neat device that will eliminate some attack vectors that involve the browser. It will grant protection comparable to that of known technologies of web-based remote browsing and ex-browser script filtering. Treating it as a knockout to hackers, or as something that is beyond the state of the art in security, misses on a few important points.

Blog Index