“Here kitty kitty… here kit—”
“Please update your computer’s security software.”
Even something as innocent and simple as a cat video on YouTube can be used to infect your computer with unwanted malware, according to a new report written by hacker-turned-researcher Morgan Marquis-Boire. Writing for The Citizen Lab watchdog organization, he describes how a “network injection appliance” can be used to infiltrate even a well-guarded home computer.
The worrying aspect of this type of hack is that it requires no interaction on the part of the user: you don’t have to forget to update your antivirus software or click on a suspicious-looking pop-up ad for the damage to be done. The vulnerability is limited to your browser though, unless a plug-in such as Flash, Java or QuickTime can be used to spread it elsewhere.
“Many otherwise well-informed people think they have to do something wrong, or stupid, or insecure to get hacked — like clicking on the wrong attachments, or browsing malicious websites,” writes Marquis-Boire in a column on The Intercept explaining his findings. “The only thing you need to do to render your computer’s secrets — your private conversations, banking information, photographs — transparent to prying eyes is watch a cute cat video on YouTube, and catch the interest of a nation-state or law enforcement agency that has $1 million or so to spare.”
That $1 million figure refers to the cost of the equipment required to make such a hack possible. It uses the network injection appliance to load malicious code into unencrypted data as it heads towards your computer, sometimes from the servers run by your Internet Service Provider. Unencrypted YouTube videos can be used in this way, although Marquis-Boire has said that both Google and Microsoft are working on fixes for the problem.
This is a high-level problem and something that Web companies rather than home users have to take steps to fight back against. Nevertheless, it’s a sober warning that you might not be as safe behind your security software as you think — for maximum protection for your data, you might want to consider encrypting your files.