Even if you haven’t heard of the SMB protocol, millions of people use it every day. However, it has a vulnerability revealed in a massive cyberattack that affected hundreds of thousands of people. What’s worse is that simply no longer using it is not a valid solution. Fortunately, there’s a way to use this protocol safely. But first — what is SMB?
The Server Message Block (SMB) is a network protocol that enables users to communicate with remote computers and servers — to use their resources or share, open, and edit files. It’s also referred to as the server/client protocol, as the server has a resource that it can share with the client.
The SMB protocol creates a connection between the server and the client by sending multiple request-response messages back and forth. It can do this over TCP/IP or other network protocols.
Imagine your team is working on a large project that involves a lot of back and forth. You might want to be able to share and edit files that are stored in one place. The SMB protocol will allow your team members to use these shared files as if they were on their own hard drives. Even if one of them is on a business trip half a world away, they can still access and use the data.
Let’s say that the printer in your office is connected to the receptionist’s PC. If you want to print a document, your computer (the client) sends the receptionist’s computer (the server) a request to print it and uses the SMB protocol to do it. The server will then send back a response, stating that the file is queued, printed, or that the printer ran out of magenta and is unable to perform the task.
In 1996, Microsoft tried to rename SMB to CIFS (Common Internet File System). It was an updated version of the same protocol and had more functions, but the name didn’t stick. Because of this, many still think it’s the same thing. CIFS is now only one of many dialects (variants) of SMB.
Here are all the variants of the SMB protocol:
It’s important to know which version of the SMB protocol your device uses, especially if you own a business and have a lot of Windows machines connected to each other. It would be hard to find a PC running Windows 95 or XP (and using SMBv1) in a modern-day office, but they might still be running on old servers. Why is that important?
In 2017, the US National Security Agency (NSA) found a vulnerability in the SMBv1 protocol. It allowed an attacker to execute their code without the user noticing anything. When one device got infected, the hacker could gain access to the whole network and every device connected to it.
This exploit was called EternalBlue. A hacker group called the Shadow Brokers allegedly stole it from the NSA and leaked it online in 2017. Microsoft released an update to patch the vulnerability, but only a month after that, the WannaCry ransomware broke out. This massive attack affected almost 200,000 Windows devices across 150 countries. It encrypted all data on the victim’s computer and demanded a ransom in Bitcoin. WannaCry cost the UK's National Health Service about 120 million dollars in ransom money, not to mention the chaos that thousands of encrypted and unusable computers created.
Unfortunately, there are still more than a million Windows machines running the unpatched version of the SMBv1 protocol. Most of them are likely connected to a network, which makes other devices on the same network vulnerable, regardless of which SMB version they are using.
If you’re running a Windows computer or server that still uses SMBv1, you should immediately install the update or, better yet, upgrade to a newer version of the protocol.
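As an added example (not code from the original article), the following PowerShell script checks whether a Windows host still has SMBv1 enabled, flags any live sessions that negotiated a pre-2.0 dialect, and can switch SMBv1 off. It assumes Windows 8 / Server 2012 or later (the SmbShare cmdlets) and an elevated session; the script name and the -Disable switch are my own.

```powershell
# Audit-Smb1.ps1 (added example). Reports SMBv1 state on this host and
# which dialects current sessions negotiated; -Disable turns SMBv1 off.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell.
[CmdletBinding()]
param([switch]$Disable)

$cfg = Get-SmbServerConfiguration
$report = [ordered]@{
    'Server: SMB1 enabled'   = $cfg.EnableSMB1Protocol
    'Server: SMB2/3 enabled' = $cfg.EnableSMB2Protocol
}

# The optional feature is tracked separately from the server setting;
# the cmdlet is absent on some Server SKUs, hence the try/catch.
try {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
    $report['Feature: SMB1Protocol'] = $feat.State
} catch {
    $report['Feature: SMB1Protocol'] = 'n/a (on Server use Get-WindowsFeature FS-SMB1)'
}

# Any live session or connection whose dialect is not 2.x or 3.x is
# still talking SMBv1; those peers need fixing before SMBv1 is removed.
$legacy = @(Get-SmbSession -ErrorAction SilentlyContinue) +
          @(Get-SmbConnection -ErrorAction SilentlyContinue) |
    Where-Object { $_.Dialect -and $_.Dialect -notmatch '^[23]\.' }
$report['Live SMBv1 sessions/connections'] = @($legacy).Count

[pscustomobject]$report | Format-List

if ($legacy) {
    Write-Warning 'Peers still negotiating SMBv1 (fix these before disabling it):'
    $legacy | Select-Object ClientComputerName, ServerName, Dialect | Format-Table -AutoSize
}

if ($Disable -and $cfg.EnableSMB1Protocol) {
    # Turn off the server-side protocol and remove the feature; the
    # feature change takes effect after a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
    Write-Host 'SMBv1 disabled; reboot to finish removing the feature.'
}
```

For a longer observation window before disabling, `Set-SmbServerConfiguration -AuditSmb1Access $true` makes the server log each SMBv1 client in the Microsoft-Windows-SMBServer/Audit event log.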
Constant updates can be annoying, but you should always install them as soon as they’re available. Never assume the vulnerabilities won’t affect you. Anyone can become a target, so it’s best to protect your devices and data before anything happens.