-1

Suppose you have a target machine (desktop, smartphone, server) and that you have any needed knowledge about the target machine to perform the following task. Is it possible to infect the given machine using that information, without needing the user to install something themselves (aka social engineering/phishing/trojan)? Additionally, can the malware run/spread/start by itself or is it nonfunctional if it's not manually run?

How easy is it for someone to infect my devices, how vulnerable are they? I would like to know how I can best protect my privacy.

Konstei
  • 1
  • 1
  • 2
    Is it possible? Yes it is. Should you be worried? Depends on your threat model, but probably no. – nobody May 01 '22 at 19:05
  • 3
    This is too broad. Is it possible that any device can be accessed remotely and gain admin access without the user of the device doing anything? Sure. WannaCry could do this. But that's one example. If your goal is to know how vulnerable you are in general, then keep your devices updated. – schroeder May 01 '22 at 19:09
  • @schroeder but how is it possible? I don't know much, I'm just starting out, so I have no idea what and how is possible; also what do you mean by broad? – Konstei May 01 '22 at 19:19
  • OP, what you are describing in your question is a *computer worm*. From https://en.wikipedia.org/wiki/Computer_worm: A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It will use this machine as a host to scan and infect other computers. When these new worm-invaded computers are controlled, the worm will continue to scan and infect other computers using these computers as hosts, and this behavior will continue. – mti2935 May 01 '22 at 20:18
  • 1
    @mti2935 thank you, I feel that this is the closest answer to what I was looking for; I can't believe I didn't manage to add two and two together, as I have heard about worms before, but never made the connection – Konstei May 02 '22 at 16:48

1 Answer

4

> Is it possible to infect the given machine using that information, without needing the user to install something themselves ... Additionally, can the malware run/spread/start by itself or is it nonfunctional if it's not manually run?

Systems have bugs and bugs can be exploited. One example is the Broadpwn issue which made it possible for an attacker to execute code via Wi-Fi on the victim's device with highest privileges - and no participation from the victim was needed for this. Another such bug was EternalBlue which allowed an attacker on the same network to execute code with high privileges - again no participation from the victim involved. This bug was famously used in the widespread WannaCry ransomware attack or in Petya and NotPetya attacks. And there are many more such problems, like recently Log4Shell.

> How easy is it for someone to infect my devices, how vulnerable are they?

It depends a lot on what these devices are, how current the software is, how complex these devices are, what kind of services these expose etc. In general: less is more, i.e. more specialized devices usually have less complexity which means fewer bugs. They also usually come with a smaller attack surface than more general purpose systems. Additionally there are security by design principles like privilege separation or a robust defense in depth architecture - and these are again easier to implement solidly for simple systems than for complex systems.

> I would like to know how I can best protect my privacy.

Privacy is not the primary concern here, but data integrity, confidentiality and availability. Privacy issues can happen even if the systems are not exploitable: all the user tracking and profile agglomeration on the internet is not due to security issues and exploits at all.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
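
The answer's point about "what kind of services these expose" can be checked on your own Linux machine. The sketch below is an added example, not part of the original answer: it parses the `/proc/net/tcp` socket table and separates listeners bound to loopback from those reachable over the network. The sample table and the function names are constructed for illustration, and a little-endian host is assumed.

```python
import ipaddress
import struct

# Constructed sample in Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0F02000A:0016 0202000A:C1F4 01 00000000:00000000 00:00000000 00000000     0        0 20004
"""

TCP_LISTEN = "0A"  # state code the kernel prints for listening sockets


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (IPv4Address, port).

    The address is a 32-bit word in host byte order; a little-endian
    host (x86, most ARM) is assumed here.
    """
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return ipaddress.IPv4Address(packed), int(port_hex, 16)


def listening_sockets(table):
    """Return [(address, port, exposed)] for every socket in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue                         # established, time-wait, ...
        addr, port = decode_endpoint(cols[1])
        # Loopback-bound services cannot be reached from other machines.
        found.append((str(addr), port, not addr.is_loopback))
    return sorted(found, key=lambda s: s[1])


def exposed_ports(table):
    """Ports a remote host could try to connect to (firewall not considered)."""
    return [port for _, port, exposed in listening_sockets(table) if exposed]


if __name__ == "__main__":
    for addr, port, exposed in listening_sockets(SAMPLE):
        print(f"{addr}:{port:<5} {'network-reachable' if exposed else 'local only'}")
```

On a real host, pass `open("/proc/net/tcp").read()` instead of `SAMPLE`; IPv6 listeners live in `/proc/net/tcp6` and are not covered here.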