Glibc security bug affecting thousands of Linux devices outed by Google
-   +   A-   A+     18/02/2016

Researchers have discovered a bug that could affect hundreds of thousands of internet-connected devices, apps and software. 

The flaw makes it possible for an attacker to  remotely take control of hardware such as computers, internet routers and smartphones

Researchers have discovered a bug that could affect hundreds of thousands of internet-connected devices, apps and software. 

The flaw makes it possible for an attacker to  remotely take control of hardware such as computers, internet routers and smartphones. Found in one of the building blocks of the internet, it could also affect websites and apps. 

A patch has now been released to fix the vulnerability, but it still needs to be widely adopted.

What devices are affected?

The vulnerability affects devices that run the Linux operating system. While exact figures for how many devices may be affected are not available, they could include surveillance cameras, wireless routers, servers and internet of things devices, such as smart washing machines. 

"Sometimes baby cameras run Linux as well, and they're sometimes connected to the internet," said Steven Murdoch, a security researcher at UCL. "There has been concern that these had security vulnerabilities that would allow people to access them. This is another example of those vulnerabilities."

The bug could also affect Linux computers, Bitcoin software and anything built using the Python, PHP and Ruby on Rails programming languages. Examples of services that use these languages include Dropbox, Facebook and Twitter. 

Google's Android runs on Linux, but "most Android phones will not be affected because they use a different version," said Murdoch. But some Android apps could be affected. 

Major systems like Windows and Apple's OS X are not affected.

What is the bug?

The bug was discovered by Google security researchers. It was found in glibc, an open source library of code that is used in web development and internet-connected devices. "Glibc is one of the core parts of the Linux operating system," said Murdoch. 

There is a flaw in the code, which could be exploited let an attacker remotely access a device that uses the operating system. Google discovered that the flaw has been in the code since 2008. 

The Google researchers said that "to our surprise" the people who maintain glibc were alerted of the bug in July 2015. 

"We couldn't immediately tell whether the bug fix was underway, so we worked hard to make sure we understood the issue and then reached out to the glibc maintainers," said the Google security researchers.

A separate team of security researchers at Red Hat were already studying the bug's impact.

What can you do to protect yourself?

"The main thing to do is regularly download the security updates for connected devices," said Murdoch. 

Companies have been known to stop releasing security updates when they stop selling a product. Murdoch urges customers to complain in this instance. 

"If they're not getting updates then they should complain," he said. "Manufacturers are responsible for providing updates, as connected devices are inevitably going to have vulnerabilities like this at some point." 

Google has released a security patch for developers that have used the system. And it has created what is known as a "proof of concept" attack, which developers and manufacturers can use to test their software for the flaw.  

High profile hacks

Heartbleed bug was found in 2014

Heartbleed bug was found in 2014

In the last year alone, hackers have wreaked havoc on:

eBay (2014): eBay asked 145m users to change their passwords after hackers stole customers' names, addresses, numbers and dates of birth

Heartbleed (2014): A serious vulnerability was discovered in encryption technology used to protect many of the world's major websites, leaving them vulnerable to data theft

Sony (2014): A cyber attack on Sony Pictures Entertainment resulted in a huge data leak, including private details of 47,000 employees and famous actors

US Central Command (2015): Hackers claiming links to Isil managed to take control of CentCom's Twitter and YouTube accounts, changing the logo to an image of a hooded fighter

Ashley Madison (2015): Hackers threatened to publish the names of up to 37m AshleyMadison.com customers - a dating website for adulterous affairs

Talk Talk (2015): The website of phone and broadband company TalkTalk was hacked by cybercriminals. Names, addresses, email addresses, phone numbers and credit card/bank details could have been accessed in an unencrypted form

JD Wetherspoon (2015): A database containing names, email addresses, birth dates and phone numbers of of 656,723 customers was hacked. The company insisted only an “extremely limited” number of credit card details were taken.


Read count: 1903 Previous page Back to top
Other news