That cute little cat video you just watched could cost you millions. And it’s not just about cat videos – innocent videos on YouTube can be used to infect computers with dangerous malware, as revealed in the latest report by Morgan Marquis-Boire, a hacker-turned-researcher. In the report created for Citizen Lab, he described how a simple network injection tool can be used to infiltrate home computers.
Video attacks that rely on network injection have their own strengths and weaknesses. Other attacks, like watering hole and phishing, need the user to do something ‘wrong’, like clicking on an infected file or link. Network injections don’t need that. Any simple browser behavior, such as watching a funny cat video, can trigger such attacks. There is a limit, however – once the user’s computer has been infected, the infection is confined to the browser. And such network injection tools aren’t even difficult to find; they can be easily procured from companies like FinFisher and Hacking Team.
These tools, or rather appliances, are physical devices that can be stored inside ISP servers all over the world. To execute an attack, the malicious code is injected into the everyday browsing traffic. One simple way to do this is by using YouTube streams that are unencrypted. The hacker can target a user and then wait for them to watch a YouTube video. They can then intercept the traffic and replace it with their own code. This would give them complete control over the user’s device.
This method can be used for any unencrypted website that offers targeted traffic, but since YouTube is one of the most commonly visited websites, it can be an easy target for hackers. Another website that can be exploited in this way is Microsoft’s login.live.com.
Google and Microsoft have taken note of this vulnerability and have encrypted all targeted traffic. This has made most videos safe; however, there are other vulnerabilities that devices from FinFisher and Hacking Team can exploit.
The Internet offers many vulnerable entry points to hackers. From browser plugins to advertising networks and browser apps, hackers have many low-cost options to infect the incoming Internet traffic of a target. Although this method needs user interaction (for example, accepting a fake Flash update), the process does not look suspicious and can easily infect a computer without the user having the slightest hint.
The well-informed Internet user generally knows that they have to do something wrong or stupid to get hacked. They have no idea that a simple YouTube video can leak their banking details and private conversations to prying eyes.
Does this mean your neighborhood stalker can read your private conversations? Not exactly. The price of this network injection appliance is close to $1 million. This special appliance would load the code into unencrypted data using the servers run by your ISP.
While an amateur hacker might not have that much money, foreign governments can surely use such devices to set up their own mini-NSA. These hacking tools are openly sold as “lawful interception” tools, and they can do a lot of harm if they are purchased by countries that have questionable human rights policies.
This can turn into a high-level problem, and companies have to take action to make sure that the Internet experience can become safe for an average user. Meanwhile, users can encrypt their files to make sure that no data can be stolen from their computers.
This is not the only hacking tool that is easily available. Tools that can perform man-in-the-middle attacks have been openly available for many years. For example, the open source tool Ettercap allows hackers to intercept and manipulate traffic on LANs. This tool was developed by Marco Valleri and Alberto Ornaghi in 2001. These two guys are the founders of Hacking Team, the same company that creates network injector devices that can infect YouTube videos.
While this device is openly available for “lawful activities”, there is a need for open discussion about how it can be used for legal activities, and if such devices should be made public.
It is not known if other governments are using such commercially available hacking tools for spying purposes. Although the price of these tools is a major factor in limiting their use to major entities, there is a chance that these devices can be replicated inexpensively. If that happens, any hacker can gain control of home computers using a seemingly innocent YouTube video.
The only thing that could prevent such attacks is encryption. With the rising number of hacking cases, there is a need for an encrypted Internet that can protect an average user from malware. Web developers need to make sure that their websites are encrypted and safe to use. Until then, users need to be wary of their online activities, including watching cat videos on YouTube.
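For web developers acting on that advice, here is an added example (not from the Citizen Lab report or the original article): a Python check that lists the resources a page makes the browser fetch over unencrypted HTTP, which is the traffic an on-path injection appliance can replace. The sample markup and the `example.test` hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser fetches automatically on page load.
FETCHING_ATTRS = {"script": "src", "iframe": "src", "img": "src", "video": "src",
                  "audio": "src", "source": "src", "embed": "src",
                  "object": "data", "link": "href"}

class SubresourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every automatically fetched subresource."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCHING_ATTRS.get(tag)
        # <link> is only counted when it loads a stylesheet;
        # rel="canonical" and similar are metadata, not loads.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        if attr and attrs.get(attr):
            # Resolve relative and protocol-relative URLs the way a browser would.
            self.found.append((tag, urljoin(self.page_url, attrs[attr].strip())))

def cleartext_subresources(page_url, html):
    """Return the subresources that would travel over plain HTTP."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [(t, u) for t, u in collector.found if urlparse(u).scheme == "http"]

# Constructed sample markup; all hostnames are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="https://static.example.test/app.js"></script>
<script src="http://ads.example.test/tag.js"></script>
<link rel="stylesheet" href="//cdn.example.test/site.css">
<link rel="canonical" href="http://video.example.test/watch">
</head><body>
<video src="http://media.example.test/cat.mp4"></video>
<img src="/thumb.png">
</body></html>"""

if __name__ == "__main__":
    for page in ("https://video.example.test/watch", "http://video.example.test/watch"):
        print(page)
        for tag, url in cleartext_subresources(page, SAMPLE_PAGE):
            print(f"  cleartext <{tag}>: {url}")
```

When the page itself is served over HTTP, relative and protocol-relative URLs resolve to HTTP as well, so the same markup exposes four injectable loads instead of two.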