Contrary to what you might have experienced as Aiden Pierce in Watch Dogs, hacking isn’t easy. In fact, trying to log in to someone else’s computer to compromise their files is practically impossible without the right set of tools. Fortunately (or perhaps unfortunately, depending on who you’re asking) security researchers have discovered a bug in several Linux distributions that makes taking over an entire system as easy as striking the backspace key 28 times.
The report comes from security researchers Hector Marco and Ismael Ripoll, at a Polytechnic University Cybersecurity Group in Valencia, Spain. Upon backspacing exactly 28 times, the pair discovered that all authentication systems can be easily overridden. The bug affects every distribution of Linux using Grub2, the bootloader found in “most Linux systems,” the researchers wrote in their published results.
Assuming the system is in fact susceptible to the bug, anyone with the right know-how could access the system’s “Grub rescue shell,” which, with just a few keystrokes, can give them unhindered access to any and all data found on the PC. Of course, with malicious intentions, a person could seamlessly install persistent malware, allowing them to sabotage what’s rightfully yours.
“The number of backspaces hit was the only input controllable by the user to cause different manifestations of the error,” the researchers declared.
Experts agree that this bug is an alarming security oversight for the bootloader developers.
“It is irresponsible for grub to lack decades-old exploit mitigations like stack cookies that could have addressed this issue,” Trail of Bits founder Dan Guido pointed out.
On the bright side, Marco and Ripoll have worked together to come up with a solution for the bug in question. It’s a simple patch compatible with Ubuntu, Red Hat, and Debian distributions. Your best bet would be to install it quickly before letting anyone untrustworthy get ahold of your machine.
- Some Android manufacturers lie to customers about installing security updates
- Microsoft misses another Edge-related 90-day security disclosure deadline
- 9 things to know about Facebook privacy and Cambridge Analytica
- It’s no crypto-utopia. Blockchain has real problems to solve
- Researchers claim hackers can create havoc in the Oculus Rift, HTC Vive