Malicious links could jump the air gap with the Tone Chrome extension

The new Google Tone extension is simple and elegant.  On one machine, the browser generates audio tones; browsers on other machines listen for them and then open a website.  Brilliant.  No need to be connected to the same network, spell out a long URL to your neighbor, or cut/paste a web address into a text message for everyone to join.  But it has some serious potential risks.


Imagine being on an audio bridge, in a coffee shop, or in a crowded space with bored people on their phones, tablets, or laptops.  One compromised system may be able to propagate and infect others on different networks, effectively jumping the proverbial ‘air gap’.  Malware could leverage the Tone extension and introduce a series of audible instructions which, if the extension is enabled on targeted devices, would direct everyone to automatically open a malicious website, download malware, or be spammed with phishing messages.

Will such tones eventually be embedded in emails, documents, and texts?  A Tone icon takes less space than a URL.  It is convenient but obfuscates the destination, which may be a phishing site or dangerous location.  Tone could also be used to share files (an early usage for the Google team).  Therefore it could also share malware without the need for devices to be on the same networks.  This bypasses a number of standard security controls.  

On the less malicious side, but still annoying, what about walking by a billboard and having a tone open advertisements and marketing pages in your browser?  The same could happen as you are shopping in a store to promote sales, products, and coupons.  Will this open a new can of undesired marketing pushing into our lives?

That said, I must admit I like the technology.  It has obviously useful functions, fills a need, and shows the innovation of Google to make technology a facilitator of information sharing for people.  But, we do need controls to protect from unintended and undesired usages as well as security to protect from equally impressive malicious innovations.  My advice: use with care.  Enterprises should probably not enable it just yet, until the dust settles.  I for one will be watching how creative attackers will wield this functionality and how long it takes for security companies to respond to this new type of threat.

Twitter: @Matt_Rosenquist

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.