The peculiar, persistent threat of bitsquatting

Typos have a long history, by turns serious and silly, going back to the dawn of the printed page. But thanks to the peculiarities of computer technology and the ingenuity of hackers, correctly typing website locations into your browser is no guarantee that they will show you the site you intended to view. When machines make typos, after correct human input, the errors can lead to an unusual form of cyberattack known as bitsquatting. The younger sibling of typosquatting, bitsquatting is hard to stop—and appears to be here for the foreseeable future.

Typosquatting is the act of registering websites with incredibly similar names to popular sites, such as “cnm.com” instead of “cnn.com,” in hopes of gaining traffic intended for the popular sites. It sounds like a lot of effort in order to grab accidental, typo-driven traffic, but setting up malicious activity on the typoed websites has proven to be an effective method for hackers to target unsuspecting victims. It was a serious enough problem in the early days of the commercial Internet for the United States to pass the AntiCybersquatting Consumer Protection Act in 1999, which contained measures to allow for prosecution of typosquatters.



READ MORE ON CYBERATTACKS

Why strategic cyberwarfare is more complex than ever before
Is ad fraud a cybersecurity problem?
To protect a political campaign, re-read the Mueller Report
Opinion: How to reduce ‘collateral damage’ from blockbuster cyberattacks
WannaCry vs. the ER doc: On the front lines of a ransomware outbreak


Bitsquatting is similar to typosquatting, but without the human element. As implausible as it may sound, it’s not just humans who can make typos—computers can do it too. Bitsquatting is the act of relying on a computer error—a one-bit (binary digit) error known as a bit flip—to redirect a device’s attempt to access a non-malicious website to one controlled by a hacker.

How bitsquatting works

In bitsquatting, the malicious hacker registers a website that is one bit different from the one that an unsuspecting user intends to visit, such as amczon.com (the letter “c” is one bit different from the letter “a”). Once the victim reaches the malicious website, the hacker controlling it can spread malware, carry out cyberespionage, or phish for personal or business information from the victim.

Bitsquatting is essentially DNS hijacking without exploitation, says Artem Dinaburg, a security researcher at cybersecurity company Trail of Bits, who discovered bitsquatting in 2011. He says the complicated nature of how bitsquatting works plays a big role in why it’s hard to stop.

“More and more devices are connecting to the Internet every day. And in such a large number of devices, sometimes a value in a bit changes. It happens often enough to be detectable,” Dinaburg says. Those value changes, or bit flips, can sometimes lead devices to IP addresses that they weren’t instructed to access. “It’s hard to measure how prevalent bitsquatting is because it affects not just domain names that are frequently looked up, but back-end sites as well.”

Knowing that bitsquatting is happening is a far cry from gauging how often it occurs, though there’s some scientific research into what causes bit flips. One source of bit flips is the hardware itself overheating, though a 2009 study by the University of Toronto and Google found that while there’s some correlation between heat and hardware error rates, CPU utilization is a much stronger indication of when a hardware error (and potentially a bit flip) will occur.

Another known source of bit flips is a manufacturing defect in the silicon, as explained in this 2010 study by University of Rochester and Ask.com.

And as preposterously science-fictional as it may sound, even cosmic rays in the form of neutron radiation can lead to bit flips. Neutron particles forcing planes to crash has been a serious concern of the aviation industry for more than a decade. Researchers have been reporting cosmic ray-induced hardware errors since at least 1994, and investigating the phenomenon since the late 1970s. It’s even possible to force bit flips under rare circumstances, according to a 2016 report.

Although it is nearly impossible to target bitsquatting at specific individuals, Dinaburg and other cybersecurity researchers familiar with bitsquatting say it’s hard to detect, which makes it hard to stop. With an estimated 31 billion devices connecting to the Internet in 2020, even if 0.1 percent of devices are affected by bit flips, that’s potentially 31 million devices vulnerable to bitsquatting.

This story was originally commissioned by Okta. Read the full story here.