Slashdot Mirror


New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com)

An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the amount of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."

12 of 163 comments

  1. I commend the effort... by Anonymous Coward · Score: 5, Insightful

    carry on.

  2. Sledgehammer approach. by mlheur · Score: 5, Informative

    Despite how malicious this is, I'm oddly OK with it.

    1. Re:Sledgehammer approach. by rgmoore · Score: 5, Insightful

      I can break into your house because it's not secure enough. Is that OK too?

      If the house has already been taken over by a criminal gang, it's a different matter. That's a better analogy with a lot of these insecure IoT devices. They aren't just sitting there innocently; if they're vulnerable to being shut down by this malware, they're also vulnerable to being taken over by botnets. This is not just a theoretical worry; some of the big recent DDOS attacks have been by IoT device botnets.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  3. Crowdfund? by Anonymous Coward · Score: 5, Funny

    Where is the kickstarter or indiegogo page for this project? I can't find it.

  4. We knew it was coming... by evolutionary · Score: 4, Interesting

    Okay, it was only a matter of time before somebody came around and started exploiting all the backdoors/weak protection in these IoT (I pronounce "idiot") devices. The funny thing is, this may well be a public service in an odd way. At least no one's life is dependent on these devices... yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake-up call we've desperately needed.

    --
    "Imagination is more important than knowledge" - Einstein

    1. Re:We knew it was coming... by networkBoy · Score: 4, Funny

      depends, did she submit a bad review on Amazon?

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump

    2. Re:We knew it was coming... by Zaelath · Score: 5, Insightful

      Better than the two women that got killed because their insecure garage door opener let the maniac in.

  5. Was already broken by bhetrick · Score: 5, Insightful

    These devices were already broken. Now they are non-functional as well.

  6. If this happens to you, get a full refund. by robbak · Score: 4, Interesting

    There is no possible argument against this - a device that is built to be connected to the internet, but has a remotely accessible security flaw, cannot be deemed to be 'fit for the purpose for which it was sold', and so the customer is entitled to a full refund, if they desire, regardless of how old the device is.

    Arguably, you could consider installing available security updates within a reasonable timeframe - say, a few weeks after the customer has been informed of them - could be considered basic maintenance, as long as the procedure for applying the update is something that an ordinary user could do. In that case, the manufacturer and retailer could get away with an exchange program for bricked devices, where the devices are sent to a shop with JTAG, serial or other in-circuit programming equipment, or even just providing full instructions on how to unbrick, if this can be done without any additional hardware.

    But if the manufacturer has not provided such updates, then full refund must be paid. And it is the retailer who is on the hook for this - they then have to get recompensed from their wholesaler, etc.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp

  7. And so.. by ACE209 · Score: 5, Insightful

    ..the Internet developed antibodies.

    --
    "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."

  8. Nasty?! Isn't this better for everyone? by monkeyzoo · Score: 4, Insightful

    The security researcher calls this nasty?! It's genius!

    It's certainly vigilante. But given the societal harm being caused by shoddy IOT devices, bricking them is quite arguably noble. Also, this could be good for the affected users too. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware?

    At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet.

    Not to mention that in the long run, the impact of this would likely be that companies face immediate PR blowback that kills sales when they release shoddy devices. They will quickly learn that to make any money they need to pay attention to implementing reasonable security precautions.

    Carry on soldier!

  9. Carry on... by monkeyzoo · Score: 5, Interesting

    ... for the greater good:
    1) protect individuals and society from the harms of shoddy IOT devices.
    2) punish the companies producing them and create economic imperatives to design in security.