Slashdot Mirror


New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com)

An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the number of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."

36 of 163 comments

  1. I commend the effort... by Anonymous Coward · · Score: 5, Insightful

    carry on.

    1. Re:I commend the effort... by Zocalo · · Score: 3, Insightful

      Ordinarily, I'd condemn this kind of vigilante action, but in this instance I'm hardly struggling with it at all. Mirai kicked off in early September 2016. It's now April 2017. That's six full months, almost to the day, that device owners, ISPs, and vendors have had to secure their devices, filter inbound scanning/outbound end-user traffic, and produce update firmware, yet there's very little evidence any of that is happening at scale (shocking, I know), so it's clearly not going to. The rest of us, meanwhile, have been subjected to continual port scanning and DDoS attacks. Taking vulnerable devices out of commission, placing the cost of that on owners and vendors, plus pressure from both on ISPs to start to filter the malicious traffic, is clearly the only approach that is going to work at this point, and might even encourage vendors to put a little more thought into security in future.

      Carry on indeed. Hell, post the code like the original Mirai author did - we might as well wrap this up as fast as Mirai and its clones were able to ramp up. Open Source, ftw!

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:I commend the effort... by Zocalo · · Score: 2

      Oh, yeah. Just in case the author(s) are reading this, for v2.0, you might want to consider looking into the following popular IoT ports as well (there are others, but these are the ones with the most activity):
      22 - SSH
      2222 - alt. SSH
      2323 - alt. Telnet
      5358 - Web Services API
      6789 - Dahui admin port?
      7547 - TR-069 management port
      23231 - alt. Telnet
      37777 - CCTV port forwarding

      You're welcome.

      --
      UNIX? They're not even circumcised! Savages!
  2. Sledgehammer approach. by mlheur · · Score: 5, Informative

    Despite how malicious this is, I'm oddly OK with it.

    1. Re:Sledgehammer approach. by Snotnose · · Score: 2, Insightful

      Yeah, came here to say this. Surprised I'm in the majority on this.

      If you can't figure out how to secure your device, or you are unable to do so, then so sad too bad. Hope a bunch of IoT vendors go tits up.

    2. Re:Sledgehammer approach. by networkBoy · · Score: 3, Insightful

      I'm not.
      I think most here on /. are of this general opinion. It's Machiavellian for sure, but really does have the whole "Ends justify the means" feel to it.

      Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed. If it only costs the end users money then not a ton will really happen.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:Sledgehammer approach. by marka63 · · Score: 3, Informative

      That depends on where you are in the world.

      Here in Australia a full refund of the purchase price is codified in law. Retailers will pick better suppliers as it costs them to refund.

    4. Re:Sledgehammer approach. by Anonymous+Brave+Guy · · Score: 2

      Actually, if someone sells insecure crap that subsequently gets hacked and stops working as a result, in a lot of places that's going to be considered unfit for purpose or the legal equivalent and therefore entitle the owner to some sort of refund or other remedy at the vendor's expense. While I don't condone the vigilante aspect here, it might prove to be quite effective at highlighting how poor the state of security is in the IoT industry and forcing manufacturers of these devices not to cheap out so much.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    5. Re:Sledgehammer approach. by Baron_Yam · · Score: 2

      I can break into your house because it's not secure enough. Is that OK too?

      Just because something isn't locked doesn't mean it's OK to access it. You're either civilized or you're not, and the person who released this code should be having a long stay in jail to think about the morality of what they've done.

    6. Re:Sledgehammer approach. by rgmoore · · Score: 5, Insightful

      I can break into your house because it's not secure enough. Is that OK too?

      If the house has already been taken over by a criminal gang, it's a different matter. That's a better analogy with a lot of these insecure IoT devices. They aren't just sitting there innocently; if they're vulnerable to being shut down by this malware, they're also vulnerable to being taken over by botnets. This is not just a theoretical worry; some of the big recent DDOS attacks have been by IoT device botnets.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    7. Re:Sledgehammer approach. by gweihir · · Score: 2

      I don't know about malicious. Seems to be both well-intentioned and working well. Of course, vigilantism can be a problem, but I don't really see that here either. It is hard to fault it when law enforcement has consistently failed to do anything at all about a serious threat. And anybody that took the minimal precautions to secure their devices will not be affected either.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Sledgehammer approach. by Highdude702 · · Score: 2

      Security isn't a selling point already? People are stupid.

    9. Re:Sledgehammer approach. by freeze128 · · Score: 3, Insightful

      I don't like your analogy because peoples houses aren't ALWAYS targeted by criminals. How about we replace "your house" with "your local bank".

      Suppose your local bank just left money lying around on the floor of the lobby. If anyone takes that money, they are stealing. Is that OK? Of course not, but it's really risky and stupid to keep it there in the first place. Also, in order to be FDIC insured, the bank needs to take at least some minimal precautions, like storing the money in a vault, and maybe having an armed guard. If the bank doesn't do this, they would probably be robbed the most, and the FDIC would not insure them. Result - The bank would quickly go out of business and close.

      The malware is breaking the law by bricking the device, but in this scenario, I'm the fucking FDIC, bitch! I demand better security on your IOT device, or you must shut it down.

    10. Re:Sledgehammer approach. by Opportunist · · Score: 2

      There IS an immediate credible threat. A device that can trivially be taken over IS a threat.

      What you have here is a loaded weapon lying right out in the front yard. Any criminal can walk by, pick it up and use it to commit a crime. Do you think this gun should be removed?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:Sledgehammer approach. by Opportunist · · Score: 2

      Vigilantism logically happens when law enforcement fails to uphold a law that is in the interest of the people. This is why it's not only critical that the law reflects the ideals of the population but also that it's executed. If you have laws that run contrary to what the people consider right, you can only enforce them with force against your own people and you can logically assume that your own population fights you. This is, among other things, what fell communism.

      If you're unwilling or unable to establish AND enact laws, the result is vigilantism.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:Sledgehammer approach. by eth1 · · Score: 2

      I'm not.
      I think most here on /. are of this general opinion. It's Machiavellian for sure, but really does have the whole "Ends justify the means" feel to it.

      Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed. If it only costs the end users money then not a ton will really happen.

      I was thinking it'd be neat if the malware had a database of warranty information and geo-IP-based warranty laws, and it actually tried to figure out if the device was still under warranty. Silently close the backdoor and go dormant if it thinks it's not under warranty, brick it if it thinks it is.

  3. If pwnable easily it must die - network darwinism by Anonymous Coward · · Score: 3, Insightful

    If it's secured, then it belongs on the network. If it's not secured, this is the best possible outcome, non-function and removal.

    Good job.

  4. Crowdfund? by Anonymous Coward · · Score: 5, Funny

    Where is the kickstarter or indiegogo page for this project? I can't find it.

    1. Re:Crowdfund? by bill_mcgonigle · · Score: 2

      Hehehe - sorry, I ran out of mod points this morning.

      I wonder if the people exploiting Mirai for profit will start disinfecting this thing.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  5. We knew it was coming... by evolutionary · · Score: 4, Interesting

    Okay, it was only a matter of time before somebody came around and started exploiting all the backdoors/weak protection in these IoT (I pronounce it "idiot") devices. The funny thing is, this may well be a public service in an odd way. At least no one's life is dependent on these devices... yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake-up call we've desperately needed.

    --
    "Imagination is more important than knowledge" - Einstein
    1. Re:We knew it was coming... by networkBoy · · Score: 4, Funny

      depends, did she submit a bad review on Amazon?

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:We knew it was coming... by Zaelath · · Score: 5, Insightful

      Better than the two women that got killed because their insecure garage door opener let the maniac in.

    3. Re:We knew it was coming... by Ol+Olsoc · · Score: 2

      At least no one's life is dependent on these devices... yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake-up call we've desperately needed.

      We already have life-critical devices compromised. Remember that the early adopters of the IoT were hospitals, which have been compromised already. http://spectrum.ieee.org/view-...

      While this case was not the result of a hacker, but software error, today's radiation dispenser is about 100 percent likely to be attached to the internet. http://ccnr.org/fatal_dose.htm....

      And it wouldn't be too surprising if people have been killed already. We just wouldn't hear about it, or the operators might not even know.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  6. Was already broken by bhetrick · · Score: 5, Insightful

    These devices were already broken. Now they are non-functional as well.

  7. If this happens to you, get a full refund. by robbak · · Score: 4, Interesting

    There is no possible argument against this - a device that is built to be connected to the internet, but has a remotely accessible security flaw, cannot be deemed to be 'fit for the purpose for which it was sold', and so the customer is entitled to a full refund, if they desire, regardless of how old the device is.

    Arguably, installing available security updates within a reasonable timeframe - say, a few weeks after the customer has been informed of them - could be considered basic maintenance, as long as the procedure for applying the update is something that an ordinary user could do. In that case, the manufacturer and retailer could get away with an exchange program for bricked devices, where the devices are sent to a shop with JTAG, serial or other in-circuit programming equipment, or even just providing full instructions on how to unbrick, if this can be done without any additional hardware.

    But if the manufacturer has not provided such updates, then full refund must be paid. And it is the retailer who is on the hook for this - they then have to get recompensed from their wholesaler, etc.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
  8. And so.. by ACE209 · · Score: 5, Insightful

    ..the Internet developed antibodies.

    --
    "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
  9. Public service by sinij · · Score: 3, Funny

    This is public service. I hope they catch the wrong guy.

  10. Nasty?! Isn't this better for everyone? by monkeyzoo · · Score: 4, Insightful

    The security researcher calls this nasty?! It's genius!

    It's certainly vigilante. But given the societal harm being caused by shoddy IOT devices, bricking them is quite arguably noble. Also, this could be good for the affected users too. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware?

    At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet.

    Not to mention that in the long run, the impact of this would likely be that companies face immediate PR blowback that kills sales when they release shoddy devices. They will quickly learn that to make any money they need to pay attention to implementing reasonable security precautions.

    Carry on soldier!

    1. Re: Nasty?! Isn't this better for everyone? by monkeyzoo · · Score: 2

      Increased sales!
      Users will just go out and buy another one.

      Not from the same manufacturer though. ;-)
      At least eventually once they have a reputation for having their devices bricked.

  11. Carry on... by monkeyzoo · · Score: 5, Interesting

    ... for the greater good:
    1) protect individuals and society from the harms of shoddy IOT devices.
    2) punish the companies producing them and create economic imperatives to design in security.

    1. Re:Carry on... by Highdude702 · · Score: 2

      Win Win all around. Give those men a cookie!

  12. Re:How Are These Devices Getting Public IPs? by Anonymous Coward · · Score: 2, Informative

    Universal Plug and Play (UPnP) is enabled on most home routers. Most of these insecure IoT devices use UPnP to open port forwarding holes through the home router.
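    A way to see for yourself what UPnP has punched through your router, and whether any of those holes land on the Telnet/SSH/TR-069/CCTV ports listed earlier in the thread. This is an added example, not code from the thread or from any vendor: the SSDP/SOAP message shapes follow the UPnP IGD service definitions, while the sample description document and mapping response below are constructed (the host names, control URL and mapped addresses are invented), so the parsing can be exercised offline; `discover()` and `list_port_mappings()` actually talk to the LAN. It assumes the router stops the enumeration with a SOAP fault (HTTP 500) once the index runs past the last mapping.

```python
"""Enumerate the port forwards a UPnP IGD router has been asked to open, and
flag the ones on ports the thread calls out. Added example; not from the thread."""
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_TYPES = ("WANIPConnection", "WANPPPConnection")
# Ports from the thread (Telnet/SSH and their alternates, TR-069, the CCTV/DVR ports).
RISKY_PORTS = {22, 23, 2222, 2323, 5358, 6789, 7547, 23231, 37777}

# Constructed sample documents: shape per the UPnP IGD spec, values invented.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device><deviceList><device><deviceList><device>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
   <controlURL>/ctl/IPConn</controlURL>
  </service></serviceList>
 </device></deviceList></device></deviceList></device>
</root>"""

SAMPLE_MAPPING = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
 <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
  <NewRemoteHost></NewRemoteHost><NewExternalPort>37777</NewExternalPort>
  <NewProtocol>TCP</NewProtocol><NewInternalPort>37777</NewInternalPort>
  <NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>
  <NewPortMappingDescription>camera</NewPortMappingDescription>
  <NewLeaseDuration>0</NewLeaseDuration>
 </u:GetGenericPortMappingEntryResponse>
</s:Body></s:Envelope>"""


def local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_control(description_xml, location):
    """Return (serviceType, absolute controlURL) of the WAN connection service."""
    root = ET.fromstring(description_xml)
    for svc in root.iter():
        if local(svc.tag) != "service":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in svc}
        if any(t in fields.get("serviceType", "") for t in IGD_TYPES):
            return fields["serviceType"], urljoin(location, fields["controlURL"])
    return None


def soap_request(service_type, index):
    """Build body and headers for GetGenericPortMappingEntry(NewPortMappingIndex=index)."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
            ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{service_type}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service_type}#GetGenericPortMappingEntry"'}
    return body.encode(), headers


def parse_mapping(response_xml):
    """Collect the New* fields of a mapping response, keyed without the 'New' prefix."""
    root = ET.fromstring(response_xml)
    return {local(e.tag)[3:]: (e.text or "") for e in root.iter() if local(e.tag).startswith("New")}


def risky(mapping):
    """True if the forward exposes one of the ports the thread warns about."""
    ports = {int(mapping.get(k) or 0) for k in ("ExternalPort", "InternalPort")}
    return bool(ports & RISKY_PORTS)


def discover(timeout=2.0):
    """SSDP M-SEARCH for an InternetGatewayDevice; returns its description URL or None."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
           "MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n").encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, SSDP_ADDR)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    for line in data.decode(errors="replace").split("\r\n"):
        if line.lower().startswith("location:"):
            return line.split(":", 1)[1].strip()
    return None


def list_port_mappings(location):
    """Walk mapping indexes until the router faults (assumed to mean end of list)."""
    desc = urllib.request.urlopen(location, timeout=5).read()
    service_type, control = find_control(desc, location)
    mappings, index = [], 0
    while True:
        body, headers = soap_request(service_type, index)
        req = urllib.request.Request(control, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                mappings.append(parse_mapping(resp.read()))
        except urllib.error.HTTPError:
            return mappings
        index += 1


if __name__ == "__main__":
    loc = discover()
    for m in (list_port_mappings(loc) if loc else [parse_mapping(SAMPLE_MAPPING)]):
        print("RISKY" if risky(m) else "ok   ", m["Protocol"], m["ExternalPort"],
              "->", m["InternalClient"], m["InternalPort"], m["PortMappingDescription"])
```

Run without an IGD on the network it falls back to the constructed sample, which shows the kind of entry to worry about: a camera reachable from the internet on 37777 that nobody deliberately configured. If the router answers, every mapping it lists is a hole that exists regardless of what the firewall UI shows.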

  13. Re:How Are These Devices Getting Public IPs? by Dagger2 · · Score: 3, Informative

    Fun fact: NAT doesn't naturally firewall anything.

    Here's how you do NAT on Linux: iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE. See that "-o wan0"? The rule, and thus the NAT, only applies to outbound connections. It does nothing whatsoever to inbound connections! You can test this yourself if you want; just take a subnet where inbound connections work, add that NAT rule to the subnet's router, and you'll see that inbound connections continue to work just fine.

    In any case, the answer to your question is that people set up port forwards for their cameras because they want to view the camera when they're away from home. IPv6 would help a lot here because it makes it significantly more difficult to scan for these devices, unlike in v4 where it's pretty trivial to exhaustively scan the entire address space.
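    The point above is easy to check mechanically: given an `iptables-save` dump, does filter/FORWARD actually stop a NEW connection arriving on the WAN interface, or is there only the MASQUERADE rule? The following is an added example, not code from the thread: it parses a dump, then walks the FORWARD chain the way the kernel would for a generic new inbound packet (first terminal match wins, user-defined chains are descended, rules narrowed by protocol/port/address are treated as deliberate holes rather than general policy). The two rulesets and the interface names `wan0`/`lan0` are constructed for illustration; the real input would be the output of `iptables-save` on the router.

```python
"""Audit an iptables-save dump: MASQUERADE on the WAN with nothing in
filter/FORWARD blocking NEW inbound connections is NAT, not a firewall.
Added example; the sample dumps below are constructed."""
import shlex
from dataclasses import dataclass
from typing import Dict, Optional, Set

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

NAT_ONLY = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""

NAT_AND_FILTER = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
-A FORWARD -i wan0 -p tcp --dport 8080 -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    states: Optional[Set[str]] = None   # None: rule has no conntrack/state match
    target: Optional[str] = None
    narrow: bool = False                # -p/-s/-d/--dport/'!' etc.: a specific hole


def parse_rule(line: str) -> Rule:
    """Parse one '-A CHAIN ...' line into the fields the simulation needs."""
    toks = shlex.split(line)
    rule, i = Rule(chain=toks[1]), 2
    while i < len(toks):
        opt = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        arg = nxt if nxt is not None and not nxt.startswith("-") else None
        if opt in ("-i", "--in-interface"):
            rule.in_if = arg
        elif opt in ("-o", "--out-interface"):
            rule.out_if = arg
        elif opt in ("-j", "--jump"):
            rule.target = arg
        elif opt in ("--ctstate", "--state"):
            rule.states = set(arg.split(","))
        elif opt not in ("-m", "--match"):
            rule.narrow = True          # anything else narrows the rule (conservative)
        i += 2 if arg is not None else 1
    return rule


def parse_iptables_save(text: str) -> Dict[str, dict]:
    """{table: {"policies": {chain: policy}, "chains": {chain: [Rule, ...]}}}"""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or line == "COMMIT":
            continue
        if line[0] == "*":
            table = tables.setdefault(line[1:], {"policies": {}, "chains": {}})
        elif line[0] == ":":
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
            table["chains"].setdefault(chain, [])
        elif line.startswith("-A "):
            rule = parse_rule(line)
            table["chains"].setdefault(rule.chain, []).append(rule)
    return tables


def new_inbound_verdict(tables: dict, wan: str) -> str:
    """Verdict for a NEW connection entering on `wan` and bound for the LAN."""
    flt = tables.get("filter", {"policies": {}, "chains": {}})

    def matches(r: Rule) -> bool:
        return (not r.narrow and r.in_if in (None, wan) and r.out_if != wan
                and (r.states is None or "NEW" in r.states))

    def walk(chain: str, depth: int = 0) -> Optional[str]:
        if depth > 16:                  # guard against chain loops
            return None
        for r in flt["chains"].get(chain, []):
            if not matches(r):
                continue
            if r.target in TERMINAL:
                return r.target
            if r.target == "RETURN":
                return None
            if r.target in flt["chains"]:       # user-defined chain: descend
                verdict = walk(r.target, depth + 1)
                if verdict is not None:
                    return verdict
        return None                     # fell off the end: back to caller / policy

    return walk("FORWARD") or flt["policies"].get("FORWARD", "ACCEPT")


def audit(dump: str, wan: str = "wan0") -> dict:
    tables = parse_iptables_save(dump)
    nat_rules = tables.get("nat", {"chains": {}})["chains"].get("POSTROUTING", [])
    has_nat = any(r.out_if == wan and r.target in ("MASQUERADE", "SNAT") for r in nat_rules)
    verdict = new_inbound_verdict(tables, wan)
    return {"nat": has_nat, "verdict": verdict, "filtered": verdict in ("DROP", "REJECT")}


if __name__ == "__main__":
    for name, dump in (("NAT only", NAT_ONLY), ("NAT + filter", NAT_AND_FILTER)):
        print(name, audit(dump))
```

The first ruleset reports NAT present and an ACCEPT verdict, which is exactly the situation the comment describes: the LAN is reachable from outside if it is routed. The second reports DROP because the FORWARD policy is DROP and only established/related traffic, LAN-originated traffic, and one deliberate port forward get through; that port forward is the kind of entry that deserves to be listed separately rather than hidden inside a "filtered" verdict.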

  14. Consumer protection law by DrYak · · Score: 3, Informative

    Depends on the jurisdiction but in Europe companies are required to cover warranty for quite a significant period of time
    (at least 24 months in this case. It might even be 36 months but I'm too lazy to google. Anyway given how recent this IoT craze is, most of the devices are definitely more recent than their warranty period and thus of course still covered)

    The manufacturer *HAS* to replace such bricked devices through warranty, with the user only bearing the cost of sending the bricked device and the manufacturer covering the cost of the new replacement and shipping that back to the user. (During the first few months the shop that sold the device can even handle the replacement themselves and ship the defective unit through their own channels. The user will get the replacement immediately and 100% for free).

    So there is *definitely a strong economic incentive* to make the device secure.
    If the device is vulnerable, it is going to cost a lot due to warranty replacement and shipping.

    (And as pointed by others: if the replacements keep getting broken again, consumer will switch brands)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  15. Re:How Are These Devices Getting Public IPs? by PetiePooo · · Score: 2

    Right, so you can get calls at 10 at night from Grandma, guiding her through opening ports in her firewall settings with UDP to get her iPad's iTunes to work

    If UPnP weren't available, iTunes and your games would have been written with some other connection method. They'd be making more use of STUN/TURN/ICE, or just ensuring that all connections from the end user are outbound. UPnP enabled programmers to be lazy in how they engineered connectivity. It is insecure by design, "but hey, since it's ubiquitous, let's use it!"

  16. Willful ignorance by drew_kime · · Score: 2

    They're just bricking it for the sake of bricking it.

    No. They're bricking it for the sake of preventing it from being used in a botnet.

    --
    Nope, no sig