Can malware kill? It can cause massive damages that on a dramatic day might lead you to say something like, "This %*^@# is killing me!" Computer viruses can also induce those feelings, because you might be "free" 24/7 family tech support, and must deal with family members who refuse to take care of their computers and keep infecting their systems until it needs to be reformatted. Some people may feel like they want to die when malicious software manages to infect online banks and empty out accounts.
So malware, viruses, trojans, and such, may cause you pain and suffering; but now I'm wondering how many times malware has actually killed people?
We've seen ploys for media hype such as when Dr. Mark Gasson of Reading University injected a virus-infected RFID chip in his hand, becoming the "first human infected with a computer virus." Unless he was part cyborg, the computer virus in his system couldn't possibly be fatal. Security experts like Sophos' Graham Cluley were anything but impressed.
Yet perhaps computer viruses have proven to be deadly in the past? What if the virus or worm or trojan resulted in computer errors and those infected systems malfunctioned and caused deaths?
It gave me chills when the Spanish newspaper El Pais reported that computer viruses may have contributed to the Spanair plane crash which killed 154 people in Madrid two years ago. The 12,000 page accident summary report explains that the Spanair central computer was trojan-infected and therefore failed to trigger an alarm which would have grounded the plane.
Then F-Secure's Mikko Hypponen posted about real-world infrastructure that has been affected by computer problems. The 2003 computer worm Slammer slowed the entire Internet, crashed automatic teller machines and emergency phone systems, slowed air traffic control systems, and took down computer monitoring of a nuclear power plant. He emphasized that malware induced problems in real-life systems were byproducts of worms.
Hypponen also mentioned the worms Blaster and Welchi which messed up banking systems, and some airline systems were fouled up enough to cancel flights. It also attacked automatic teller machines, the U.S. State Department's Visa system, as well as CSX train signaling systems which halted some commuter trains.
These were a royal pain in the rear, inconvenient and costly, but not deadly. It's not like the virus infection caused a life or death situation. But then I saw security expert Kane Lightowler tweet, "@mikkohypponen I have personally seen Windows based life support machines infected with Slammer/Blaster."
Uh-oh. That sounds fairly creepy and potentially life threatening. But has malware indirectly killed people, other than the probable connection to the Spanair plane crash?
Just this month, the Federal Aviation Administration announced that computer systems are still vulnerable to cyber attacks, meaning the FAA cannot effectively monitor air traffic control. That's like a movie plot, taking over systems and crashing planes, but it could also be part of the push for the U.S. Government to play a bigger role in stopping a possible "cyberwar." Meanwhile the DHS is quietly sending teams to check U.S. power plant security systems since Stuxnet could steal industrial data from SCADA systems. Espionage and taking over nuclear power plants also sounds like something you might see in an action-adventure movie.
In the past, I certainly do not recall a computer virus being called a murder weapon in any deaths. Maybe it never happened, or maybe we missed it?
- In 1988, the Morris Worm infected NASA Research Institute and wreaked havoc on the Internet, influencing DARPA to establish CERT/CC for "coordinating responses to network emergencies."
- In 1998, Solar Sunrise Virus attacked the U.S. Defense Department computers that "triggered America's first full-blown infowar false alarm."
- The 1999 Melissa Worm and the 2000 ILOVEYOU Virus may have caused heartache by a lover awaiting a reply email, but shutting down the Internet mail system does not constitute death by computer virus.
- Conficker, Downup, infected the French Navy network, the British House of Commons, Manchester Police computer, and the United Kingdom Ministry of Defense. The latter affected the Royal Navy and hospitals in Sheffield. If it, or any other computer virus, even indirectly caused someone's death, I did not hear about it.
It's terrifying if malware did play a part in the Spanair plane crash and 154 deaths. Before that, the only computer related attacks which were deadly were traffic wrecks and destruction in movies like Live Free or Die Hard. So what do you think? Can malware be used indirectly as a murder weapon?
If you know of a computer virus, worm, trojan, malware, botnet, whatever you wish to label it, if you know of any computer infection at all that has indirectly caused the loss of human lives, please do let me know.
This story, "Murder by Malware: Can a Computer Virus Kill?" was originally published by Computerworld.