Should I disable SMB on my computer?

Austin Miller
3 min read · Dec 2, 2020
Did you know that your SMB settings could expose you to hacking attempts?

The Server Message Block protocol sends information between a local computer and a remote one. File sharing. Remote editing. Remote printing. All of these are possible because of SMB. But it is also vulnerable. In 2017, a large-scale attack by a group of hackers held the British National Health Service’s data to ransom. Reportedly, over 200,000 other computers worldwide were affected by this ransomware too. These attacks were made possible by a weakness in SMB — would you rather use SMB today, or have to shell out Bitcoin to hackers?

How does SMB work?

SMB is the most common file sharing protocol in use today. AFP (Apple Filing Protocol) and NFS (Network File System) are also common, but you’re more likely to deal with SMB in a professional environment. Although many home users today are turning to Apple and Linux for their computing needs, most big businesses use Microsoft technology.

Whenever a Windows machine sends a message such as a print request or a request for remote access to a file, it goes through the SMB protocol. This creates a pathway for the client and the host to communicate. The pathway may also stay open for a return transfer — if you send a file to print, the printer will send a confirmation back along the same pathway.

What is EternalBlue?

The US NSA developed an exploit of SMB called EternalBlue in 2017, which allowed a remote user to access a computer without the local user’s knowledge. A hacker who could access a local computer would also be able to reach the rest of the local network. This was obviously a huge security risk, so Microsoft set about developing a patch. Although the patch was completed in March, a group of hackers known as the Shadow Brokers leaked the exploit in April of the same year. This led to the WannaCry ransomware attack, which affected over 200,000 computers including those of the NHS, and the NotPetya malware, which attacked computers mainly in Ukraine and Germany. Both pieces of malware caused large-scale disruption and over $100,000 in payments for the encrypted data.

Should I disable my SMB?

Firstly, both attacks that used the EternalBlue exploit targeted SMBv1. Since SMBv1 was developed in 1984, there have been 6 revisions of the protocol. The most recent version, SMBv3.1.1, shipped with Windows 10. Because it is hardened with AES-128 encryption, extra protections against man-in-the-middle attacks, and session verification, you won’t need to worry about an EternalBlue attack on your computer through SMB.

If you have an older laptop that is still running SMBv1, or you have lowered your settings so that it only uses SMBv1, disable it now. A Windows update is available from Microsoft’s website for free. Some businesses use end-of-life OSs for continuity, but they could still have been defended against the WannaCry and NotPetya attacks if the NSA and Microsoft had been more proactive about spreading information about the update and rolling it out. A useful lesson for those who always skip their Windows updates!
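As an added example (this is not code from the original post), here is how you can check whether SMBv1 is still enabled on a Windows machine, switch it off, and confirm that the connections you keep are using an SMB 3.x dialect. It assumes an elevated (Administrator) PowerShell prompt on Windows 8.1/10/11 or Server 2012 R2 and later, where Microsoft’s SmbShare and DISM optional-feature cmdlets are available; the registry fallback at the end is the documented method for Windows 7 and Server 2008 R2, which lack those cmdlets.

```powershell
# Added example: audit and disable SMBv1 on Windows (run as Administrator).

# 1. Is the SMBv1 server component switched on? SMB 3.x shares can also require encryption.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, EncryptData

# 2. Is the SMB1 optional feature (client and server halves) installed at all?
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object FeatureName, State

# 3. Which dialect are live outbound connections actually negotiating?
#    Anything reported below 3.x points at an old server that still needs attention.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect

# 4. Turn the SMBv1 server side off immediately (takes effect without a restart).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. Remove the SMB1 feature entirely so the client side is gone too (restart to finish).
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 6. Optional hardening for the SMB 3.x traffic you keep: require encryption on this host's shares.
Set-SmbServerConfiguration -EncryptData $true -Force

# Fallback for Windows 7 / Server 2008 R2, which have no SmbShare module:
# setting this value to 0 disables the SMBv1 server after a reboot.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
    -Name SMB1 -Type DWord -Value 0 -Force
```

Step 3 is the one that tells you whether disabling SMBv1 will break anything: if every connection already shows a 2.x or 3.x dialect, nothing on your network depends on the old protocol and steps 4 and 5 are safe to run.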
