Log4Shell can hack your iPhone and even a Tesla
Researchers and hackers are experimenting with Log4Shell
Now that the Log4Shell cat is out of the bag, researchers are experimenting with all the different ways the exploit could be used in the wild.
This includes two recent examples showing how the vulnerability in the Log4j open-source Java tool could be used on an iPhone, or a Tesla car, to compromise the server communicating with the endpoints.
A Dutch researcher has demonstrated how changing the iPhone’s name to a string of characters could force the server on the other end trying to access a specific URL. The same was done with a Tesla car by an unknown researcher, who posted their results to the anonymous Log4jAttackSurface Github repository.
Growing risks
Theoretically, a malicious actor could host malware on a server and then, by changing the name of an iPhone, could force Apple’s servers to access that server’s URL and download the malware.
It’s a long shot though, as any well-maintained network would be able to prevent such an attack with relative ease. What’s more, there’s no indication such a method could lead to any broader compromise of these firms, The Verge further explained.
Extremely potent vulnerability
Log4Shell is the name of recently discovered exploit in the Log4j Java tool which some researchers believe handles millions of devices for incidient logging purposes.
Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) described the flaw as “one of the most serious” she’s seen in her entire career, “if not the most serious”.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Easterly explained.
It’s tracked as CVE-2021-44228, and allows malicious actors to run virtually any code. The skills required to take advantage of the flaw are very low, experts have warned, urging everyone to patch Log4j as fast as they can.
Organizations using Log4j in their software should upgrade it to the latest 2.15 version immediately which is available from Maven Central.
You might also want to check out our list of the best firewalls right now
Via: The Verge
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.