A computer bug which could allow hackers to take control of hundreds of millions of devices all over the world has been discovered, forcing governments to take immediate steps to protect their critical infrastructure.
The security flaw, dubbed “Shellshock”, was found inside a piece of software called Bash, which is used by Apple’s Mac operating system as well as Linux systems and internet servers relied upon by governments, banks and the military.
Last night, cyber-security experts suggested that people should stop using their credit cards for online purchases until a solution to the bug, which has existed for more than 20 years, is found and distributed.
The UK’s national cyber-security response team, Cert-UK, has issued an alert to all government departments stating that the Shellshock flaw carries the “highest possible threat ratings… for both impact and exploitability”. The US National Cyber Security Division gave it a score of 10 out of 10 for severity and a complexity rating of low – meaning it is easy for hackers to exploit. Cert-UK said it should be “assumed” that many government computers and other devices would be vulnerable to the bug, adding: “This will inevitably include organisations that are part of the critical national infrastructure.” Many industrial control systems, from power plants to traffic light systems, rely on Bash software to function.
Cyber analysts said last night that authorities must act immediately to close the loophole, pointing out that within hours of it being discovered, hackers had started exploiting the flaw, posting videos of their exploits online. Although software “patches” have already been distributed to deal with the problem, they are not thought to be fully effective.
Professor Alan Woodward, a security researcher from the University of Surrey, said more than 500 million websites and hundreds of millions of devices all over the world, including wi-fi routers, may be vulnerable to the Shellshock bug. “The thing that’s concerning me most is that we don’t yet really understand how it can be exploited,” he said.
Q. What is Shellshock?
A. Shellshock is a mistake in the code of a program called Bash, which is typically installed on non-Windows operating systems such as Mac, Unix and Linux. The bug allows hackers to send commands to a computer without having admin status, letting them plant malicious software within systems.
Q. Could it be used to steal my financial details?
A. Yes. If banks or online retailers use older, “mainframe”-style computing systems, they are likely vulnerable. Home routers and modems could also be targeted as a way to get to PCs and laptops.
Q. Are there any indications it has already been exploited?
A. It’s too early to tell. However, authorities fear a deluge of attacks could soon emerge. The US government has rated the security flaw 10 out of 10 for severity.
Q. What can be done to solve it?
A. Security experts around the world are now rushing to find a fix for the bug, but the widespread and varied use of Bash means there won’t be a single solution. Individual organisations and companies such as Apple will develop patches for their own systems.
Q. What can I do to protect against it?
A. Experts recommend not using credit cards or disclosing personal information online for the next few days. The usual precautions, such as updating anti-virus software and not visiting dodgy websites, are also recommended.