Bad news, dudes and dudettes. It's getting increasingly straightforward for deep-pocketed hackers to buy commercial-grade equipment so sophisticated that it can infect your computer with malware when you do something as innocuous as watching cat videos on YouTube. This is why it's time to encrypt your shit.
Morgan Marquis-Boire, a celebrated hacker turned security researcher, just published a lengthy and rather scary paper on so-called "network injection appliances." These NSA-caliber hacking tools are sold by companies like Hacking Team and FinFisher for as little as $1 million and can compromise your computer any time it exchanges unencrypted data with a server. YouTube videos, by the way, are not encrypted.
The exploit described by Marquis-Boire almost sounds too simple. He describes the process in a column on The Intercept:
These are racks of physical machines deployed inside internet service providers around the world, which allow for the simple exploitation of targets. In order to do this, they inject malicious content into people's everyday internet browsing traffic. One way that Hacking Team accomplishes this is by taking advantage of unencrypted YouTube video streams to compromise users. The Hacking Team device targets a user, waits for that user to watch a YouTube clip like the one above, and intercepts that traffic and replaces it with malicious code that gives the operator total control over the target's computer without his or her knowledge.
And if you're a more visual person, Marquis-Boire included an adorable diagram in his paper. The takeaway is that pretty much anyone with a lot of money can buy this equipment and install it at a local data center—which is probably as easy as greasing some palms and keeping quiet. And then they ruin your life.
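The attack quoted above works only because the video bytes travel with no integrity protection: an on-path device can swap them out and the browser has nothing to check the result against. The Python sketch below is an added illustration, not code from the original post or from Marquis-Boire's paper. It uses an HMAC tag as a stand-in for the record protection TLS provides (it is not a TLS implementation), and the response bodies, the key and every function name are constructed for the demo.

```python
"""Why cleartext HTTP is injectable and authenticated traffic is not.

Toy model: a server sends a response, an appliance inside the ISP may rewrite it
in transit, and the client either renders whatever arrived (cleartext) or checks
an integrity tag first (stand-in for TLS). Everything here is constructed demo data.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # SHA-256 digest size; the tag appended to each protected record

# Constructed sample bodies. The content of the substituted body is irrelevant to
# the demo; all that matters is that it differs from what the server sent.
ORIGIN_BODY = b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n\r\n<genuine video bytes>"
TAMPERED_BODY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<substituted content>"

# Demo session key, generated fresh each run; stands in for the key TLS negotiates.
DEMO_KEY = secrets.token_bytes(32)


def protect(body: bytes, key: bytes) -> bytes:
    """Server side: append an integrity tag over the body (stand-in for a TLS record MAC)."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify(record: bytes, key: bytes):
    """Client side: split off the tag and check it in constant time.

    Returns the body if the tag is valid, otherwise None (the client must not render it).
    """
    if len(record) < TAG_LEN:
        return None
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def on_path_substitute(record: bytes, tag_len: int = 0) -> bytes:
    """Model of the injection appliance: replace the body, keep any trailing tag.

    It can change bytes on the wire, but without the key it cannot compute a fresh
    tag, so the best it can do is leave the original tag in place.
    """
    tail = record[-tag_len:] if tag_len else b""
    return TAMPERED_BODY + tail


def cleartext_session(attacker_present: bool) -> bytes:
    """Unencrypted HTTP: the client renders whatever arrived on the wire, no questions asked."""
    wire = ORIGIN_BODY
    if attacker_present:
        wire = on_path_substitute(wire)
    return wire  # nothing for the client to compare against


def protected_session(attacker_present: bool, key: bytes = DEMO_KEY):
    """Integrity-protected channel: tampering is detected and the response is discarded."""
    wire = protect(ORIGIN_BODY, key)
    if attacker_present:
        wire = on_path_substitute(wire, TAG_LEN)
    return verify(wire, key)  # None means "tampered, refuse to render"


if __name__ == "__main__":
    print("cleartext, clean path :", cleartext_session(False) == ORIGIN_BODY)
    print("cleartext, attacker   :", cleartext_session(True) == TAMPERED_BODY, "(accepted as genuine)")
    print("protected, clean path :", protected_session(False) == ORIGIN_BODY)
    print("protected, attacker   :", protected_session(True) is None, "(rejected)")
```

The point of the two `*_session` functions is the asymmetry: with cleartext the tampered body is indistinguishable from a genuine one, so the client has no decision to make; with the tag in place the substituted body fails verification and the client can refuse it. Real TLS adds confidentiality and server authentication on top of this, which is why the post's advice to encrypt everything is the right fix.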
Since he's a white hat now, Marquis-Boire informed Google—as well as Microsoft, whose login.live.com site is also a target—about the vulnerability. Apparently the companies are working on a fix as we speak. Nevertheless! This news serves as a terrific reminder that you should encrypt everything. [Citizen Lab via The Intercept]