New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com)
An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the amount of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."
Despite how malicious this is, I'm oddly OK with it.
Universal Plug and Play (UPnP) is enabled on most home routers. Most of these insecure IoT devices use UPnP to open port forwarding holes through the home router.
Fun fact: NAT doesn't naturally firewall anything.
Here's how you do NAT on Linux: iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE. See that "-o wan0"? The rule, and thus the NAT, only applies to outbound connections. It does nothing whatsoever to inbound connections! You can test this yourself if you want; just take a subnet where inbound connections work, add that NAT rule to the subnet's router, and you'll see that inbound connections continue to work just fine.
In any case, the answer to your question is that people set up port forwards for their cameras because they want to view the camera when they're away from home. IPv6 would help a lot here because it makes it significantly more difficult to scan for these devices, unlike in v4 where it's pretty trivial to exhaustively scan the entire address space.
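The point made in the comment above about the MASQUERADE rule, as an added example that is not part of the original thread: a simplified Python model of a router's forwarding path (not netfilter's actual implementation), comparing the NAT rule alone with the same rule plus a stateful FORWARD filter. The wan0 name comes from the comment; lan0, the addresses, and the two FORWARD rules quoted in the code comments are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    out_if: str  # interface chosen by the routing decision
    src: str
    dst: str
    state: str   # conntrack state: "NEW" or "ESTABLISHED"

WAN_ADDR = "203.0.113.1"  # constructed router WAN address (documentation range)

# FORWARD rules as (in_if or None, allowed states or None, verdict).
# NAT_ONLY: only 'iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE' is loaded.
NAT_ONLY = []
STATEFUL = [
    # iptables -A FORWARD -i wan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ("wan0", {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    # iptables -A FORWARD -i wan0 -j DROP
    ("wan0", None, "DROP"),
]

def forward(pkt, forward_rules, policy="ACCEPT"):
    """Return (verdict, source address seen after POSTROUTING)."""
    verdict = policy  # the filter table's default FORWARD policy is ACCEPT
    for in_if, states, target in forward_rules:
        if in_if in (None, pkt.in_if) and (states is None or pkt.state in states):
            verdict = target
            break
    if verdict == "DROP":
        return "DROP", None
    # nat POSTROUTING: '-o wan0' matches only packets leaving through wan0,
    # so a packet routed out of lan0 is never touched by the NAT rule.
    src = WAN_ADDR if pkt.out_if == "wan0" else pkt.src
    return "ACCEPT", src

# Constructed sample packets (reply shown after conntrack has restored its dst).
OUTBOUND = Packet("lan0", "wan0", "192.168.1.50", "198.51.100.7", "NEW")
INBOUND_NEW = Packet("wan0", "lan0", "198.51.100.7", "192.168.1.50", "NEW")
INBOUND_REPLY = Packet("wan0", "lan0", "198.51.100.7", "192.168.1.50", "ESTABLISHED")

if __name__ == "__main__":
    for name, rules in (("NAT only", NAT_ONLY), ("NAT + stateful filter", STATEFUL)):
        for label, pkt in (("outbound", OUTBOUND), ("inbound new", INBOUND_NEW),
                           ("inbound reply", INBOUND_REPLY)):
            print(f"{name:22} {label:14} -> {forward(pkt, rules)}")
```

With the NAT rule alone, the unsolicited inbound packet is forwarded unchanged; only the explicit filter rules drop it while still admitting replies to connections opened from the LAN.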
Depends on the jurisdiction but in Europe companies are required to cover warranty for quite a significant period of time
(at least 24 months in this case. It might even be 36 months but I'm too lazy to google. Anyway given how recent this IoT craze is, most of the devices are definitely more recent than their warranty period and thus of course still covered)
The constructor *HAS* to replace such bricked devices through warranty, with the user only bearing the cost of sending the bricked device and the manufacturer covering the cost of the new replacement and shipping that back to the user. (During the first few months the shop that sold the device can even handle the replacement themselves and ship the defective one through their own channels. The user will get the replacement immediately and 100% for free.)
So there is *definitely a strong economic incentive* to make the device secure.
If the device is vulnerable, it is going to cost a lot due to warranty replacement and shipping.
(And as pointed out by others: if the replacements keep getting broken again, consumers will switch brands.)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]