Support Salvation Army Wildfire Relief

‘Bash’ bug could let hackers attack through a light bulb

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

NEW YORK — Say hello to the bash bug, a lesson in why Internet-connected devices are inherently unsafe.

Computer security researchers have discovered a flaw in the way many devices communicate over the Internet. At its most basic, it lets someone hack every Internet-enabled device in your house — via something as simple as your light bulb.

That is, if you’re one of those tech-embracing types who buys Internet-connected “smart” appliances.

But that includes a rapidly growing number of businesses and governments that use smart devices — like cameras — within their internal networks.

Why fear the bash bug? Because it’s so pervasive.

According to open source software company Red Hat, it affects any device that uses the operating system Linux — which includes everything from Apple Macs to calculators to cars.

In a public warning, Red Hat researchers classified the severity of the bug as “catastrophic.”

Not every connected device is vulnerable. But it’s difficult for the average person to figure out if, for instance, their home security camera is at risk.

The problem is new enough that it’s impossible to know if hackers are already using it. But if it’s anything like the Heartbleed bug discovered earlier this year, we might not see damage for months. And when we do, it could be disastrous.

In the case of Heartbleed, hackers eventually broke into a hospital network and stole 4.5 million patient records — including Social Security numbers.

The only solution for the bash bug? If and when a patch becomes available, update every device you have. But that’s something that’s not likely. Companies don’t often update their fleet of devices, and customers rarely pay attention for that sort of thing.

Here’s how the bash bug works, as explained by cybersecurity expert Robert Graham.

The problem stems from a flaw in the “bash shell.” A shell is a program that translates commands from you to a device’s operating system. Think of it as an efficient middleman.

Lots of Internet-connected devices use the bash shell to run commands, like “turn on” and “turn off.” Generally, a device that communicates using a bash shell also looks out for extra information, like what browser or device you’re using.

And that’s where the problem lies. If a hacker slips bad code into this extra data, they can sneak past a device’s safeguards.

A hacked light bulb suddenly becomes a launchpad to hack everything else behind your network firewall, Graham said.

“This is problem with the ‘Internet of Things.’ We’re putting all these things on the Internet without any expectation of actually patching them in the future,” Graham said.

The bug was discovered by Stéphane Chazelas, a French IT manager working for a software maker in Scotland.