New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com)
An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the number of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."
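The summary above says BrickerBot spreads by brute-forcing Telnet logins on BusyBox-based devices. The script below is an added example (not code from the article, Radware's alert, or any device vendor) showing the detection a defender would run over device login logs: it counts failed Telnet logins per source address inside a sliding time window and flags a source whose burst is followed by a successful login. The log line format and the sample lines are constructed for the example; adjust `LINE_RE` to the exact wording your devices' `login`/`telnetd` emit.

```python
"""Flag Telnet brute-force bursts in BusyBox-style login logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-like lines; the wording imitates a BusyBox `login` but is
# not taken from any real device.
SAMPLE_LOG = """\
Mar 20 03:14:01 cam01 login[212]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Mar 20 03:14:02 cam01 login[213]: FAILED LOGIN 1 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 20 03:14:02 cam01 login[214]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
Mar 20 03:14:03 cam01 login[215]: FAILED LOGIN 1 FROM 203.0.113.7 FOR support, Authentication failure
Mar 20 03:14:04 cam01 login[216]: FAILED LOGIN 1 FROM 203.0.113.7 FOR user, Authentication failure
Mar 20 03:14:05 cam01 login[217]: root login on 'pts/0' from 203.0.113.7
Mar 20 03:20:00 cam01 login[230]: FAILED LOGIN 1 FROM 192.0.2.9 FOR admin, Authentication failure
Mar 20 03:25:00 cam01 login[231]: admin login on 'pts/0' from 192.0.2.9
"""

# Matches either a failed-login line or a successful-login line (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"(?:FAILED LOGIN \d+ FROM (?P<fail_ip>\S+) FOR (?P<fail_user>\w+)"
    r"|(?P<ok_user>\w+) login on '\S+' from (?P<ok_ip>\S+))"
)


def parse_line(line, year=2017):
    """Return a dict {ts, ip, user, ok} for a recognised line, else None.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    if m["fail_ip"]:
        return {"ts": ts, "ip": m["fail_ip"], "user": m["fail_user"], "ok": False}
    return {"ts": ts, "ip": m["ok_ip"], "user": m["ok_user"], "ok": True}


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return {source_ip: verdict}.

    'brute-force'       : at least `threshold` failures within `window_seconds`
    'brute-force+login' : a successful login from that source after the burst
                          (treat as a likely compromise, not just noise)
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    verdicts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            # A success only matters if this source was already flagged.
            if ev["ip"] in verdicts:
                verdicts[ev["ip"]] = "brute-force+login"
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            verdicts.setdefault(ev["ip"], "brute-force")
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

On the constructed sample, 203.0.113.7 is flagged after its fourth failure within a few seconds and then upgraded to `brute-force+login` when `root` logs in from it; 192.0.2.9, with a single failure before a success, is not reported. The window and threshold are deliberately parameters, because a device behind NAT may see many legitimate retries from one gateway address.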
carry on.
Despite how malicious this is, I'm oddly OK with it.
.... the manufacturers would provide more secure firmware for the owners of bricked devices to load.
If it's secured, then it belongs on the network. If it's not secured, this is the best possible outcome, non-function and removal.
Good job.
Where is the kickstarter or indiegogo page for this project? I can't find it.
Okay, it was only a matter of time before somebody came around and started exploiting all the backdoors/weak protection in these IoT (I pronounce "idiot") devices. The funny thing is, this may well be a public service in an odd way. At least no one's life is dependent on these devices... yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake-up call we've desperately needed.
"Imagination is more important than knowledge" - Einstein
Kill them young so they can't do more harm. If there is no cure and the guys in the biohazard suits with microscopes and bio media test glasses leave, the guys in biohazard suits and flamethrowers come in.
How can I help, I want those junk IoT, infectors or tubes devices bricked yesterday
These devices weren't fit for the internet.
These devices were already broken. Now they are non-functional as well.
So potentially a stupid question here, but given that we have a severe shortage of IP addresses due to exhaustion of the IPv4 space, how are all of these devices getting publicly addressable IP addresses to allow an incoming connection in the first place? If they're behind a NAT they should be naturally firewalled, otherwise who has the spare IPs to hand out to crappy little IoT devices?
... then this is the expected outcome, isn't it?
Since telnet is inherently broken (like a window pane that comes with a hole to let the rain in) this is akin to not even CLOSING the door.
It's like inviting homeless people into your house and then complaining when they start a bonfire to keep warm.
I don't know anyone who buys windows and doors without checking for holes.
Do people buy computer equipment like that too?
Oops.
is playing in the background.
There is no possible argument against this - a device that is built to be connected to the internet, but has a remotely accessible security flaw, cannot be deemed to be 'fit for the purpose for which it was sold', and so the customer is entitled to a full refund, if they desire, regardless of how old the device is.
Arguably, installing available security updates within a reasonable timeframe - say, a few weeks after the customer has been informed of them - could be considered basic maintenance, as long as the procedure for applying the update is something that an ordinary user could do. In that case, the manufacturer and retailer could get away with an exchange program for bricked devices, where the devices are sent to a shop with JTAG, serial or other in-circuit programming equipment, or even just providing full instructions on how to unbrick, if this can be done without any additional hardware.
But if the manufacturer has not provided such updates, then full refund must be paid. And it is the retailer who is on the hook for this - they then have to get recompensed from their wholesaler, etc.
Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
..the Internet developed antibodies.
"we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
1. AAA (be it a crime syndicate, or a three/four-letter agency) acquires or deploys its own IoT botnet
2. BBB (most likely a three/four-letter agency) decides doing the same is not going to cut it, as it has more to lose from an attack than it could gain from doing the same itself.
3. BBB deploys ICE. If it could be easily added to an enemy botnet, it dies.
4. Industry is forced to do something a little less crappy, or it won't survive a day.
This is public service. I hope they catch the wrong guy.
The security researcher calls this nasty?! It's genius!
It's certainly vigilante. But given the societal harm being caused by shoddy IOT devices, bricking them is quite arguably noble. Also, this could be good for the affected users too. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware?
At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet.
Not to mention that in the long run, the impact of this would likely be that companies face immediate PR blowback that kills sales when they release shoddy devices. They will quickly learn that to make any money they need to pay attention to implementing reasonable security precautions.
Carry on soldier!
... for the greater good:
1) protect individuals and society from the harms of shoddy IOT devices.
2) punish the companies producing them and create economic imperatives to design in security.
Except this is super effective. I approve this medication.
DDoS is in peril. Oh, the humanity!
Good. I am personally glad.
Reminder: if a device can be "unbricked" then it was never bricked in the first place.
...so our dear law enforcement will go after him (her?) with full force.
The real criminals OTOH are always left alone, because "we do not have the means to do that"...
Good work. Keep this shit off my interwebs.
We discussed this in our office, and we came up with another approach whereby the devices are used in a DDOS against the manufacturer of the device.
Didn't know there were so many anarchists on slashdot... to hell with the rule of law, eh? (so long as it doesn't touch you)
Considering most of the people on /. are, in the main, IT sort of people, it's not very surprising someone decided to take matters into their own hands and sort out the problem themselves. Surprised it took this long. I mean, Mirai's source code was available ages ago, I even downloaded it to take a look. What's amusing is my antivirus only picked it up a couple days ago.
Good luck to them, I hope they are hiding their tracks properly, because this is still illegal.
There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
Depends on the jurisdiction, but in Europe companies are required to cover warranty for quite a significant period of time
(at least 24 months in this case. It might even be 36 months but I'm too lazy to google. Anyway given how recent this IoT craze is, most of the devices are definitely more recent than their warranty period and thus of course still covered)
The constructor *HAS* to replace such bricked devices through warranty, with the user only bearing the cost of sending the bricked device and the manufacturer covering the cost of the new replacement and shipping that back to the user. (During the first few months the shop that sold the device can even handle the replacement themselves and ship the defective device through their own channels. The user will get the replacement immediately and 100% for free).
So there is *definitely a strong economic incentive* to make the device secure.
If the device is vulnerable, it is going to cost a lot due to warranty replacement and shipping.
(And as pointed out by others: if the replacements keep getting broken again, consumers will switch brands)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed.
Such warranty returns are mandatory for the OEM to accept in Europe, at least 24 months (I think, it might be 36) and given how recent this IoT craze is, most devices still qualify for such returns.
The cost might not get all the way to the cheap-ass Chinese no-name manufacturer who did actually commit a device with such atrocious security.
But the cost won't burden the end user, it would at least be a problem for the brand that decided to have their device manufactured, without exerting the necessary caution regarding security.
If you're ready to import the device and stick your branding on it, you need to be held responsible for its security.
IOT, at best with mortal humans is a curiosity with little to no use for a high cost. To ensure fewer IOT devices are sold brick the existing boxes and the customer gives up. Now we look a little deeper at the world of Electronic Component Distributors that have bet the bank on IOT taking off like a rocket. Well, when it explodes on the launchpad (no offense intended TI), electronics distribution will fall back to one, maybe 2 distributors in the US, unless they too have bitten into IOT Hook Line and Sinker!
You don't want to pay for an attack, maybe, in the three years, and then when it finally happens it only affects two models of smart lightbulb and a poor-selling refrigerator that's already off the market. Patreon is what you're looking for.
They're just bricking it for the sake of bricking it.
No. They're bricking it for the sake of preventing it from being used in a botnet.
Nope, no sig
The written warranty gives the customer additional rights, such as replacement where the law only specifies repair, or give you a repair for something that could be normal wear-and-tear. But this is about 'implied warranties', such as a warranty of fitness, which the manufacturer or retailer cannot annul with pieces of paper. So they can write what they want, it doesn't matter.
If you were sold a device to do a certain thing, and it was suitable for it, then you are due a refund.
Wow. In Canada, a warranty would apply to manufacturing defects, which this clearly isn't.
It clearly is.
The manufacturer used a defective component, even if said component(*) is software (the stupidly insecure firmware) rather than hardware (it's not a broken capacitor). From the point of view of the end user, it's all the same: the user bought an IoT gizmo, used it as intended, did nothing wrong, but suddenly the gizmo stopped working without any forewarning.
In the EU and other European countries, manufacturing defects are defined as problems which are caused neither by excessive wear and tear, nor by abnormal use.
You have an IoT device (say a smart LED light bulb, e.g. one whose colour you can change with an app).
You use it perfectly normally as instructed in the manual (i.e. you screwed it into some ceiling light in your living room, and use the app to change colour) (i.e. you're not submitting it to an abnormal amount of abuse (it's not fixed on the outside of your mud bike) and you're not using it in an unusual way (you're not kicking it around as a makeshift soccer ball)).
Suddenly this IoT device stops functioning (e.g. Philips' SmartLED bulbs have a buggy cloud-based firmware update system that is easy to spoof to load any payload. It could get hacked by this bricking worm).
As you didn't do anything wrong, it's clearly considered a "manufacturing defect" (and in practice that's actually the case: Philips manufactured a smart LED bulb with a broken firmware - a firmware with an asinine security flaw making it easy to abuse) and thus it must be covered by warranty as required by most European jurisdictions.
They also don't claim to prevent brute force attacks, which is what this is.
The technical detailed reason why it stopped working isn't relevant.
In most European countries, the only questions that matter are:
- Did the device suddenly stop working?
- Was it used as expected when this occurred? (**)
- Was this not expected as the normal wear and tear of the device (when used within reasonable parameters)?
If the manufacturer has to eat the bill here, that's fucked up.
If the manufacturer is stupid enough to release a device running a defective firmware (stupidly insecure), they *have* to eat the bill replacing broken devices.
(devices broken due to their stupid firmware, not devices broken by users who aren't capable of using the device as they should).
----
(*) In lots of jurisdictions in Europe, software *is* considered a component of a device.
That's why in lots of countries here around you DO NOT have software patents. Only patents for devices which happen to have a software component also described in the patent's claims.
(**) This is also the weird reason why some customer services can legitimately require you to uninstall your Linux and reinstall Windows on a laptop with a defective part. That laptop was only designed to run Windows. It was never designed to run Linux. That's not a normal use.
(Although it's ridiculous when the warranty claim isn't about malfunctions but about broken physical parts).
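The comment above attributes the defect to a cloud firmware update mechanism that is "easy to spoof to load any payload". The script below is an added example (not Philips' code, nor any vendor's updater) of the check a device should run before flashing anything: the manifest must carry a valid authentication tag, the image must hash to the value in the manifest, and the version must be newer than the one installed so an attacker cannot replay an old, genuine but vulnerable release. It uses HMAC-SHA256 under a key provisioned at manufacture only to stay dependency-free; a production updater should verify an asymmetric signature (for example Ed25519) so the device never holds a secret that would let it forge updates itself. All keys, versions and images are constructed values.

```python
"""Reject spoofed, tampered or rolled-back firmware updates (added example)."""
import hashlib
import hmac
import json

# Constructed values: a per-device key burned in at manufacture and the
# version currently running on the device.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
INSTALLED_VERSION = 12


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Vendor side: tag a canonical JSON encoding of the manifest.
    Canonical encoding matters: the device must re-serialise to the same bytes."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def make_update(version: int, image: bytes, key: bytes):
    """Vendor side: build (manifest, tag) for an image. Attackers without the
    key can only produce a manifest whose tag the device will reject."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def verify_update(manifest: dict, tag: bytes, image: bytes,
                  key: bytes, installed: int) -> str:
    """Device side: return 'ok' or the reason the update is rejected.
    Order matters: authenticate the manifest before trusting anything in it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return "rejected: manifest tag invalid"
    if not isinstance(manifest.get("version"), int) or manifest["version"] <= installed:
        return "rejected: version not newer than installed (rollback)"
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return "rejected: image hash mismatch"
    return "ok"


def demo():
    """Run the four cases a practitioner would want covered and return verdicts."""
    good_image = b"constructed firmware image v13"
    manifest, tag = make_update(13, good_image, DEVICE_KEY)
    return {
        # Genuine release, newer than what is installed.
        "genuine": verify_update(manifest, tag, good_image, DEVICE_KEY, INSTALLED_VERSION),
        # Manifest built by someone who does not hold the device key.
        "spoofed": verify_update(*make_update(13, b"payload", b"attacker-key"),
                                 b"payload", DEVICE_KEY, INSTALLED_VERSION),
        # Genuine manifest, but the served image was swapped in transit.
        "tampered": verify_update(manifest, tag, b"payload", DEVICE_KEY, INSTALLED_VERSION),
        # Old genuine release replayed to reintroduce a fixed bug.
        "rollback": verify_update(*make_update(11, good_image, DEVICE_KEY),
                                  good_image, DEVICE_KEY, INSTALLED_VERSION),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

Only the genuine case reaches `ok`; the other three are refused before any flash write happens, which is the property an update path needs if "easy to spoof" is not to translate into "easy to brick".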
The device isn't failing because of manufacturing defects or ordinary wear and tear or anything predictable. It's failing because it's been deliberately attacked. If I bought a computer, and someone else shot it, I'd expect the manufacturer to not be responsible.
If you look into the details, a laptop isn't (normally) designed for the purpose of sustaining gunshots. The laptop getting shot and subsequently ceasing to work isn't part of its normal operating mode.
Whereas an IoT device is supposed to be constantly connected to the Internet - that's what the "I" in "IoT" means. Being connected to the internet is part of their intended normal use.
If a manufacturer sells a lot of X, and the bad guys find a security hole, the manufacturer could be on the hook for an unlimited number of X without receiving any payment, since a customer could find a series of Xs bricked.
If a customer bought X, and suddenly X stops working even if the customer always used X as instructed and did nothing wrong then the manufacturer has to replace X. Period. That's the law.
It doesn't matter if the smart LED bulb stopped functioning because of a blown capacitor, or a software defect (See the spoofable firmware update on Philips smart LED bulbs).
It's a light bulb that doesn't work anymore and if that happens within 24 months (10 years actual real-world warranty provided by some manufacturer like Philips) and the customer didn't do anything wrong, the manufacturer has to replace it or repair it.