Shellshock and home routers

By now you’ve likely heard about the Shellshock vulnerability (also known as CVE-2014-6271). It’s a vulnerability in the bash shell, a very old and central part of the Unix/Linux system. This vulnerability has apparently been around for a very long time, but has only just been discovered.

What’s Shellshock?

Shellshock is a vulnerability that was found in the bash program, which is a part of the Unix or Linux operating system. Bash is a “shell” which allows commands to be executed on the computer. Since the Apple Mac operating system is based on Unix, it’s also believed to be vulnerable.

Not much is currently known about Shellshock, but the biggest fear seems to surround web servers that run some form of Unix/Linux. They seem to be the most vulnerable and would provide hackers with the biggest prizes if they were compromised.

A partial fix currently exists for Shellshock, and security professionals are racing to create a complete fix. Once that’s done, the race to patch all of the affected systems will begin.

For a more complete explanation of the Shellshock situation, a great resource is the Sophos Naked Security blog.

Is Shellshock like Heartbleed?

If you recall, Heartbleed was the last major computer security vulnerability to get widespread attention in the media. Are they similar? Nope. Heartbleed was a vulnerability in the SSL protocol, the one that encrypts your website communication when doing sensitive things like typing in a credit card number. Shellshock is about remotely executing code. They’re only similar in that they’re getting a lot of attention.

Is my router at risk from Shellshock?

This, of course, is the $64,000 Question. The answer: We don’t know.

Most home routers are now typically built around some flavor of Linux, so they’re possibly vulnerable. But do they use bash, and are they accessible to hackers? Currently the answer is we don’t know. They might be; we just don’t have enough information to say.

What we can say is this: We have tested the handful of routers that we have in the RouterCheck router lab, and none of them showed signs of a vulnerability. That’s good news.

We can also say that for any reasonable hacker, the great white whale of a large web server is a much more interesting target than your little guppy router. That doesn’t mean that you’re safe, just less interesting.

We will provide more information in this blog as we receive it.

What should I do about Shellshock?

People have already been writing little web apps to test whether a given website is vulnerable. Two that we’ve found are here:

If you run a web server, it might be a good idea to check.
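
For a machine you administer and can log in to, a local check answers the "does it use bash?" question directly. The script below is an added example, not code from RouterCheck or from the test sites mentioned above; the function names and the marker string are made up for illustration, and it tests only the original CVE-2014-6271 behaviour, not any later follow-up fix.

```shell
#!/bin/sh
# Local check for the original Shellshock bug (CVE-2014-6271).
# Added illustration: function names and the marker string are assumptions.

MARKER="SHELLSHOCK_PROBE_MARKER"

# Report which program actually provides /bin/sh on this system.
# Embedded Linux builds often link it to BusyBox rather than bash.
sh_provider() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    case "$target" in
        *bash*)    echo "bash" ;;
        *busybox*) echo "busybox" ;;
        *dash*)    echo "dash" ;;
        *)         echo "other:$target" ;;
    esac
}

# check_bash PATH -> prints "absent", "vulnerable" or "not-vulnerable".
# A vulnerable bash runs the text that follows a function definition
# when it imports an environment variable; a fixed bash ignores it.
check_bash() {
    bash_path=$1
    if [ ! -f "$bash_path" ] || [ ! -x "$bash_path" ]; then
        echo "absent"
        return 0
    fi
    # env -i gives the child a clean environment holding only the probe.
    out=$(env -i probe="() { :;}; echo $MARKER" \
          "$bash_path" -c 'echo done' 2>/dev/null) || true
    case "$out" in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not-vulnerable" ;;
    esac
}

# Print a short report for the usual bash install locations.
report() {
    echo "/bin/sh is provided by: $(sh_provider)"
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        echo "$candidate: $(check_bash "$candidate")"
    done
}

report
```

A result of "absent" for every path together with a BusyBox `/bin/sh` means bash is not installed in those locations; it says nothing about other software on the device.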