Newly discovered Bash security bug could pose bigger threat than ‘Heartbleed’
NEW YORK (CNNMoney) – Say hello to the bash bug, a lesson in why Internet-connected devices are inherently unsafe.
Computer security researchers have discovered a flaw in the way many devices communicate over the Internet. At its most basic, it lets someone hack every device in your house, business or government building — via something as simple as your “smart” light bulb.
With this flaw, criminals can potentially break computers or steal private and government information.
The problem extends to lots of Internet-connected computers located anywhere — from shops to hospitals to schools.
It’s worse if you’re one of those tech-embracing types who buys Internet-connected “smart” appliances. But keep in mind, that includes a rapidly growing number of businesses and governments that use smart devices — like cameras — within their internal networks.
Why fear the bash bug? Because it’s so pervasive.
According to open source software company Red Hat, it affects any device that uses the operating system Linux — which includes everything from calculators to cars. But it also affects Apple Macs and some Windows and IBM machines. Google said no Android machines are susceptible.
In a public warning, Red Hat researchers classified the severity of the bug as “catastrophic.”
Not every connected device is vulnerable. But it’s difficult for the average person to figure out if, for instance, their home security camera is at risk. And it’s unlikely that companies and public institutions are updating every single computer in the back room.
The problem is new, but hackers have already been caught trying to exploit the flaw to set up botnets — hijacking vast numbers of computers. They can then use these slave armies of devices to spread malware or attack websites.
If this bug turns out to be anything like the Heartbleed bug discovered earlier this year, we might not see damage for months. And when we do, it could be disastrous.
In the case of Heartbleed, hackers eventually broke into a hospital network and stole 4.5 million patient records — including Social Security numbers.
Norwegian cybersecurity consultant Per Thorsheim noted that the bug will become old news — but people will still be vulnerable.
“In a few days everything will be forgotten, and the hackers will feast on [this] for years to come,” Thorsheim said.
The only solution for the bash bug? If and when a patch becomes available, update every device you have. But that’s not likely to happen. Companies don’t often update their fleet of devices, and customers rarely pay attention to that sort of thing.
Security experts say IT departments are now auditing their computer systems to see whether hackers have exploited this flaw in the past. The problem? They’ll have to look way back. This flaw has been around for as long as 20 years.
“We just don’t know how far this goes,” said Chris Wysopal, co-founder of app security firm Veracode.
Here’s how the bash bug works, as explained by cybersecurity expert Robert Graham.
The problem stems from a flaw in “bash,” a type of computer program called a shell. A shell translates commands from you to a device’s operating system. Think of it as an efficient middleman.
Lots of Internet-connected devices use the bash shell to run commands, like “turn on” and “turn off.” Generally, a device that communicates using a bash shell also looks for extra information, like what browser or device you’re using.
And that’s where the problem lies. If a hacker slips bad code into this extra data, they can sneak past a device’s safeguards.
A “smart,” Internet-connected light bulb then suddenly becomes a launchpad to hack everything else behind your network firewall, Graham said. That could be your home computer, or a retailer’s payment terminals, or a government office’s sensitive database of information.
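The “extra data” Graham describes is request information, such as the browser’s User-Agent or Referer header, that a CGI-style server copies into environment variables before handing a request to bash. Unpatched bash treated any environment value beginning with “() {” as a function definition and went on to parse the rest of the value, which is why the marker is the signature defenders look for when checking old web logs. The following is an added example, not code from the article or from anyone quoted in it: a small Python scanner that parses constructed Apache-style access-log lines and reports every request whose request line, Referer or User-Agent field carries that marker. The log lines and addresses are constructed for illustration.

```python
import re

# Combined log format:
#   host ident user [time] "request" status size "referer" "user-agent"
# Quoted fields are matched as runs of non-quote characters; real Apache logs
# escape embedded quotes, which this simple parser does not unescape.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Unpatched bash recognised an exported function by a value starting with
# "() {". Whitespace is matched loosely so trivial spacing variations in a
# probe do not hide the marker from the scan.
MARKER_RE = re.compile(r'\(\s*\)\s*\{')

# Fields a CGI server typically exports into the environment.
HEADER_FIELDS = ("request", "referer", "agent")


def parse_line(line):
    """Return the log record as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Scan log lines and return one hit per field carrying the marker."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines; a real pipeline would count them
        for field in HEADER_FIELDS:
            if MARKER_RE.search(rec[field]):
                hits.append({
                    "line": lineno,
                    "host": rec["host"],
                    "time": rec["time"],
                    "field": field,
                    "value": rec[field],
                })
    return hits


def hosts_probing(lines):
    """Distinct source addresses that sent at least one probe, sorted."""
    return sorted({h["host"] for h in find_shellshock_probes(lines)})


# Constructed sample log: two ordinary requests, one probe in the User-Agent,
# one probe in the Referer, and one malformed line.
SAMPLE_LOG = [
    '198.51.100.23 - - [25/Sep/2014:09:58:11 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; echo probe"',
    'garbage line that does not parse',
    '203.0.113.9 - - [25/Sep/2014:10:12:44 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '404 209 "() { :; }; echo probe" "curl/7.30.0"',
    '192.0.2.77 - - [25/Sep/2014:10:15:02 +0000] "GET /about HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (compatible; bot/1.0)"',
]


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} {hit['field']}={hit['value']!r}")
    print("probing hosts:", hosts_probing(SAMPLE_LOG))
```

The parenthesised User-Agent strings in the ordinary requests show why the marker is matched as “() {” rather than a bare parenthesis: legitimate browser strings are full of parentheses but never start a function body. Because this flaw has been present for years, the same scan is worth running over archived logs as well as current ones.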
“This is the problem with the ‘Internet of Things.’ We’re putting all these things on the Internet without any expectation of actually patching them in the future,” Graham said.
The bug was discovered by Stéphane Chazelas, a French IT manager working for a software maker in Scotland.