Why Shellshock is bad news for the Internet of things

Washington Post – by Andrea Peterson

A major flaw in a piece of open source code that affects Mac OS X and Linux users has cybersecurity professionals scrambling to identify and patch vulnerable machines — but embedded devices making up the so-called “Internet of Things” could be among the worst hit by the bug.

Dubbed “Shellshock” by some members of the IT security community, the issue affects “bash,” an open source command shell used in Unix-based systems since the 1980s. Bash is a shell, a program that interprets user commands, which means it serves as a sort of direct route to controlling a system, built in at the operating-system level.

The National Institute of Standards and Technology’s National Vulnerability Database scored the vulnerability as a “10,” on a scale from one to 10, for both impact and exploitability. US-CERT also issued an advisory, saying “exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system.”

“A significant part of the Internet is running a Linux or UNIX-based version of operating system that includes the bash shell,” explains Bogdan Botezatu, senior E-threat analyst at cybersecurity vendor BitDefender. “These UNIX-based web servers often run CGI scripts that rely on bash for functionality, therefore any attack against these scripts could result in exploitation and, subsequently, could allow a hacker to remotely own the machine.”

A half billion web servers and other Internet-connected devices, including mobile phones, routers and medical devices, could be affected by the bug, according to cybersecurity firm Trend Micro. Experts say the issue could in some ways be a bigger deal than Heartbleed, a vulnerability discovered in a widely used open source encryption library earlier this year. “One of the big differences between this and Heartbleed is that you get to totally control the computer you manage to exploit because the bug is at the operating system level,” says Tod Beardsley, engineering security manager with cybersecurity firm Rapid7, whereas Heartbleed could only be used to steal information.

Major Linux distributors have already pushed out patches — but some appear to be stopgap fixes that do not completely resolve the problem. In a comment on Red Hat Linux’s initial fix, security engineer Huzaifa Sidhpurwal said that the organization had “become aware that the patches shipped for this issue are incomplete,” saying that attackers could still exploit the vulnerability under certain circumstances.

Web servers, which often run Linux, may be among the most obvious targets at risk. But Internet connected devices may ultimately be the most difficult fix. Much of the software embedded in those devices makes use of “web-enabled bash scripts,” security researcher Rob Graham explained on his blog. That puts those Internet connected devices — ranging from your wireless router to security cameras or appliances — at risk, particularly if they have web-based interfaces, says Beardsley. And yet, he says, “there’s almost never an automatic update, and sometimes not even manual update, procedures.”

The result? “For the devices most likely to be affected, there isn’t a good patching infrastructure in place to fix it,” he says.

“Unlike Heartbleed, which only affected a specific version of OpenSSL, this bash bug has been around for a long, long time,” wrote Graham. “That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than Heartbleed.”

But it’s hard to know just how pervasive the problem may be because bash is so deeply embedded in systems. “The real scale of the problem is not yet clear,” says David Jacoby, Senior Security Researcher at Kaspersky Lab. “It’s almost certain that hackers and security researchers are testing web services and Linux software right now and the results of these tests will probably be published in the coming days.”

But the process is time-consuming, says Beardsley. “You can’t really scan for it like you could for Heartbleed, and although you can test for it.”
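A local check a defender can run across a patch inventory to confirm whether a given bash binary still executes the text that trails a function definition imported from the environment, which is the defect the article calls Shellshock. This is an added example, not code from the article or from any of the researchers quoted; the probe variable name, marker string and script name are my own choices.

```shell
#!/bin/sh
# Local Shellshock check for a defender's patch inventory (added example).
# Pre-patch bash kept parsing an environment variable whose value began
# with "() {" after the function body, so trailing text was run at startup.
# A fixed bash ignores the trailing text, so only the command we ask it to
# run ("echo ok") produces output.

MARKER="shellshock_probe_marker"   # constructed marker, never printed by a patched bash

# classify_probe_output CAPTURED_STDOUT
#   Decide from captured probe output whether the marker leaked out.
classify_probe_output() {
    case "$1" in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# probe_bash [PATH_TO_BASH]
#   Probe one bash binary (default: first bash in PATH).
#   Prints "vulnerable", "patched" or "bash-not-found".
#   Exit status: 0 patched, 1 vulnerable, 2 no bash, so it can drive a loop.
probe_bash() {
    bash_bin=${1:-$(command -v bash 2>/dev/null)}
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then
        echo bash-not-found
        return 2
    fi
    # Value = function definition + trailing command. The marker appears
    # only if this bash executes the trailing part while importing it.
    out=$(env "PROBE=() { :; }; echo $MARKER" "$bash_bin" -c 'echo ok' 2>/dev/null)
    result=$(classify_probe_output "$out")
    echo "$result"
    [ "$result" = patched ]
}

# When saved as shellshock_check.sh (hypothetical name) and run directly,
# probe the system bash or the binary given as the first argument.
case "$0" in
    shellshock_check.sh|*/shellshock_check.sh) probe_bash "$@" ;;
esac
```

Run it on each host in the inventory and treat a non-zero exit as a device that still needs the vendor's fix.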

Graham’s initial research appears to suggest that the bug is wormable — meaning it can be exploited to self-replicate in the wild. And Botezatu says his company has already noticed attacks against web servers using the vulnerability today. “They are very easy to implement and carry out.”

“In short, this is potentially a ‘plague-like’ vulnerability that can exploit command access to Linux-based systems constituting approximately 51 percent of web servers in the world,” according to Christopher Budd, Trend Micro global threat communications manager. “Because of the pervasiveness, attacks against it could ‘grow’ at a very fast pace.”

While both Heartbleed and the Shellshock bug were discovered in open source software, Beardsley thinks their discovery is actually a sign that the open source model is maturing. “We’re hitting this era where open source is finally delivering on its promise: There are a lot of eyeballs and they are discovering problems.”

http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/25/why-shellshock-is-bad-news-for-the-internet-of-things/

10 thoughts on “Why Shellshock is bad news for the Internet of things”

  1. “A major flaw in a piece of open source code that affects Mac OS X and Linux users has cybersecurity professionals scrambling to identify and patch vulnerable machines…”

    I keep seeing people touting Linux here.

    Looks like they came up with an answer for that one.

    1. It is Greek to me. I don’t understand a word they are saying. Not tech savvy. 🙁
      “Russian security software maker Kaspersky Lab reported that a computer worm has begun infecting computers by exploiting ‘Shellshock.’
      The malicious software can take control of an infected machine, launch denial-of-service attacks to disrupt websites, and also scan for other vulnerable devices, including routers, said Kaspersky researcher David Jacoby.
      He said he did not know who was behind the attacks and could not name any victims.”
      http://www.reuters.com/article/2014/09/25/us-cybersecurity-shellshock-idUSKCN0HK23Y20140925

      http://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/

      http://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html?_r=0

        1. I remember you commenting about it, last night. When I read about the “issue” today, alarms went off in my head. Kaspersky (and others) haven’t figured it out, yet.

          1. Just my luck.

    So much for Kaspersky being top-notch anymore, I guess. They’ve been failing me lately...

  2. One doesn’t really need to be tech savvy to know that this one can be bad, very bad. You don’t fix it in the normal sense, it gets patched or repaired. Keep check on various sites for lists of equipment you may use (which can include routers, computers, cell phones, and a lot more).

    This is not like the Y2K bug, at all. This is an oversight in the code.

    Eyes open …

  3. In my opinion, this is scare tactics to keep people away from Linux, as it is growing rapidly in popularity. Can’t be havin the slaves getting their software for free dontcha know? Gotta keep em tied to Microsoft.

    1. Yea, that’s what I’m thinking too. Open source is supposed to be impossible for the government to take over because it is open source. At least that’s what people say...

  4. I have a powerbook G4, it’s 14 years old, it’s a little slow but let can’t get into it, no back doors. It will be my last computer.
