Pro Hackers Could Be Spying On You Through YouTube


Bad news, dudes and dudettes. It's getting increasingly straightforward for deep-pocketed hackers to buy commercial-grade equipment so sophisticated that it can infect your computer with malware when you do something as innocuous as watching cat videos on YouTube. This is why it's time to encrypt your shit.

Morgan Marquis-Boire, a celebrated hacker turned security researcher, just published a lengthy and rather scary paper on so-called "network injection appliances". The NSA-calibre hacking tool is sold by companies like Hacking Team and FinFisher for as little as $US1 million and can crack into your hard drive any time unencrypted data is exchanged with a server. YouTube videos, by the way, are not encrypted.

The exploit described by Marquis-Boire almost sounds too simple. He describes the process in a column on The Intercept:

These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people's everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target's computer without his or her knowledge.

And if you're a more visual person, Marquis-Boire included an adorable diagram in his paper. The takeaway is that pretty much anyone with a lot of money can buy this equipment and install it at a local data center — which is probably as easy as greasing some palms and keeping quiet. And then they ruin your life.


Since he's a white hat now, Marquis-Boire informed Google — as well as Microsoft, whose login.live.com site is also a target — about the vulnerability. Apparently the companies are working on a fix as we speak. Nevertheless! This news serves as a terrific reminder that you should encrypt everything. [Citizen Lab via The Intercept]
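To see where "encrypt everything" actually bites, here is an added example (not from Marquis-Boire's paper or the original article) that audits a page's HTML for anything the browser would fetch over plain HTTP, which is the traffic an on-path box is in a position to replace. The hostnames, the `audit` function and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> URL attribute. "active" runs with page privileges; "media" feeds a decoder or plugin.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src",
          "object": "data", "link": "href", "form": "action"}
MEDIA = {"img": "src", "video": "src", "audio": "src", "source": "src"}


class PlaintextFetchAudit(HTMLParser):
    """Collect every URL a page would fetch over unencrypted HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (kind, tag, absolute_url)
        if urlparse(page_url).scheme == "http":
            self.findings.append(("active", "document", page_url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])  # <base> changes resolution
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are treated as fetched content here
        for kind, table in (("active", ACTIVE), ("media", MEDIA)):
            value = attrs.get(table.get(tag, ""))
            if value:
                url = urljoin(self.base, value)  # resolves relative and //host URLs
                if urlparse(url).scheme == "http":
                    self.findings.append((kind, tag, url))


def audit(page_url, html):
    parser = PlaintextFetchAudit(page_url)
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)

# Constructed sample page; every hostname is a placeholder.
SAMPLE = """<link rel="stylesheet" href="https://static.example.test/site.css">
<script src="//cdn.example.test/player.js"></script>
<video src="http://media.example.test/cats.mp4"></video>
<iframe src="/embed/42"></iframe>
<form action="https://login.example.test/session"></form>"""

if __name__ == "__main__":
    print(audit("http://video.example.test/watch", SAMPLE))
```

Run the same markup with an `https://` page URL and the relative and protocol-relative fetches disappear from the findings, while the hard-coded `http://` video URL is still reported.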

Picture: Shutterstock / YouTube / Illustration by Willow Brugh


Comments

    Why is this site not using https? DID YOU NOT READ THE ARTICLE..?!?!?!?!

    Well as far as I can tell, Operating Systems themselves will have to be encrypted. Encryption may protect data in transit, but all that means is the main targets will still be the computer systems themselves - the points where the data is encrypted/decrypted. It's all a bit pointless as far as I'm concerned, considering that intelligence agencies capture all data through Prism anyways - whether it's encrypted or not.

    Of course, you still have your basic levels of protection so your data can't be lifted without a fight, but overall it's much ado about nothing and what it really all comes down to is honesty and decency. There'll always be someone, or something, who wants to take what's not theirs, always has been, always will be.

    It is no fault of your own that someone wants to steal your shit. I'm getting pretty bored of the notion that it is somehow an honest person's fault that their shit got stolen! Try explaining that one to your Grandparents, and they'll say the same thing!

    Last edited 17/08/14 12:07 pm
