Window-Eyes is a screen reader for Microsoft Windows used by visually handicapped users, above all by totally blind and seriously visually handicapped users. Such software converts the content of the screen, e.g. of web pages, into an alternative form of output, most frequently speech or Braille.
During the night of 15 to 16 January 2015, Window-Eyes became the target of an attack through GW Toolkit, a component required by the applications that run under Window-Eyes. Users who updated GW Toolkit to version 8.5.8 were shown the following text at minute intervals:
“Greetings on the behalf of the Islamic state. The time of repentance is near. Please contact GW-Micro for further information.”
As Aaron Smith from Ai Squared states, GW Toolkit version 8.5.9 resolved the urgent problem:
From: Aaron Smith <firstname.lastname@example.org>
Subject: Ai Squared Statement on Security Breach
Date: Fri, Jan 16, 2015 10:17:48 am
Dear Window-Eyes Users,
First we want to apologize for the unfortunate messages that some of you may have seen this morning. We wanted to take a minute to address what happened and explain how we plan on preventing this in the future.
We released App Central in 2008 as a central repository for Window-Eyes Apps, documentation and related resources. App Central was built as a community resource, from the beginning we wanted all Window-Eyes users to be able to contribute and benefit from each other’s efforts. We’re proud of what we accomplished – App Central today contains over 299 apps and more are added all the time.
Sometime early this morning a user with familiarity with Window-Eyes and the App Central environment breached our security and posted an update to GW Toolkit. Users who downloaded the update were exposed to some unfortunate messages. Our analysis shows that no permanent changes were made to your Window-Eyes installation and, if you update to GW Toolkit version 8.5.9, the problems you may be experiencing should be resolved. Instructions on how to manually update your Apps are at the following KB article: www.gwmicro.com/kb2062
We have changed passwords and security on our systems that run App Central and we’ve turned off developer updates to apps for the time being. In the next few days we’ll be performing an internal security audit to determine what steps we can take to prevent something like this from happening again.
Rest assured that we take security seriously and we’ll be implementing these steps in a logical, ordered fashion.
Once again, our apologies and thank you for your patience on this matter.
The Ai Squared Team
Although this was “only” an impertinent, would-be funny attack by so-called grey hats, as Chris Hofstader suggests in his blog, I wonder whether an especially vulnerable group of society may not be just the most vulnerable one.
Let us mention another case. In August 2014, attackers placed photos of injured children and jihadist songs on the website of Keren Or, an Israeli organization for handicapped children and youth, especially those with a visual handicap. According to Israeli television, the attack was carried out by sympathizers of the Islamic Resistance Movement. A YouTube video shows what the pages looked like during the attack.
Such attacks do not concern only visually handicapped users. In 2008, attackers placed small blinking pictures and seemingly useful links to other pages on the website of the American not-for-profit organization Epilepsy Foundation. The linked pages, however, displayed pulsating kaleidoscopic figures of various colours. The aim of the attack was to cause an epileptic fit in visitors to the website. According to the available information, some people who visited the website really did have a fit.
Cyber attacks aimed at handicapped people are not sporadic, and that includes the Czech Republic. The first attack mentioned above was also noticed by visually handicapped users of the Fanda conference of the Support Centre for Students with Special Needs of ČVUT ELSA. I am now trying to untangle other, above all historical, incidents, and I am only filing the others.
In conclusion, I do not yet venture to say whether the topic of cyber attacks against handicapped people is more or less serious than that of cyber attacks aimed at other groups. I do not yet have enough relevant information to draw such a conclusion. Not only practice, however, shows me that assistive technology in many cases does little to address its own security and, consequently, that of its users. Also for this reason, prompted by a raised warning finger, I have started to regularly monitor narrowly focused sources of information, which include e.g. various e-conferences for handicapped people, which are popular above all among the visually impaired. Such monitoring should be the basis of regular news on cyber attacks against handicapped people. This news should appear every year on the pages of the OWASP WASA project (Web Application Security Accessibility Project).