Jacob Holcomb, an IT security researcher, has created a malicious worm that, if unleashed, could trawl the internet and attack vulnerable hardware.
Holcomb wrote the worm as a ‘proof-of-concept’ to illustrate the vulnerability of data storage on insecure hardware to malicious attack. The worm is capable of exploiting the many bugs that Holcomb’s research found in popular home data storage systems.
He believed that there was evidence that cybercriminals were already aware of such vulnerabilities, and the creation of his worm indeed proves the concept that they can be exploited.
Holcomb began work on the worm after conducting a series of tests on Network Attached Storage (NAS) systems made by a total of 10 separate manufacturers. The tests revealed 30 separate vulnerabilities in the NAS systems, none of which were documented and protected against.
If exploited, many of these holes would give an attacker complete remote control over the device, allowing unlimited access to the data, which in turn could be used to gain control over any other devices on those home networks.
The worm is designed to run on an infected system, take control of it, and then utilise that system’s resources to seek out other vulnerable devices.
Speaking to the BBC, Holcomb said: “Once these devices are exposed to the internet, it’s pretty much game over because most of the vulnerabilities can be exploited using authentication bypass techniques or with no authentication at all.”
Cyber-thieves are indeed waking up to the data treasure troves that NAS devices can contain. However, Holcomb offers reassurance that it is possible to use these devices safely if owners take steps to ensure that they can only be administered from within the home network rather than across the web.
Holcomb will be demonstrating his worm in action at a Black Hat Europe security conference in Amsterdam later this week.