Slashdot Mirror


BrickerBot, the Permanent Denial-of-Service Botnet, Is Back With a Vengeance (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount a much quicker number of attacks -- with 1,295 attacks coming in just 15 hours -- it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day. Shortly after BrickerBot.3 began attacking, Geenens discovered BrickerBot.4. Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves that someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.

113 comments

  1. Denial-of-Service? by Anonymous Coward · · Score: 5, Insightful

    BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices

    Denial-of-Service botnet? Sounds more like a Public-Service botnet to me.

    1. Re:Denial-of-Service? by monkeyzoo · · Score: 4, Funny

      Securing them for good before they can be secured for evil.

    2. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      Exactly :)

      Nice choice of words, btw

    3. Re:Denial-of-Service? by GargamelSpaceman · · Score: 2, Insightful

      I would mod parent up if I could.

      We made a big mistake when we made cracking into things illegal. We should have made cracking into things legal and made people put up impenetrable walls. This is computers and data. There are walls that anyone can put up that can keep out governments. This would have created demand for real security and by now we'd have it ubiquitously without trying.

      I hope this guy doesn't get caught, and I appreciate and do not encourage his actions.

      --
      ...
    4. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      Destroying innocent consumers' IoT devices is a public service? I'd hate to live in your country.

    5. Re:Denial-of-Service? by Opportunist · · Score: 4, Insightful

      While I generally agree, I cannot second the idea that it should be legal to break into computers that are insufficiently secured. That would make the internet an even worse place than it already is.

      What we need is something like the famous FCC part 15 sticker rules. You know the ones, you can find it on pretty much any electronic device:
      (1) This device may not cause harmful interference, and
      (2) this device must accept any interference received, including interference that may cause undesired operation.

      We need something like this for IoT devices.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Denial-of-Service? by Opportunist · · Score: 1

      If you're stupid enough to buy broken devices... at least consumer protection laws let you return the crap.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      If the IoT device is part of a botnet and attacking other people, then it may be just fine to disable the device. It would be similar to someone who knows that leaving their keys in their car is bad, and someone just hopped in, and used the car for a bank robbery. The legal system definitely will fault the owner of the car for failing to take reasonable security steps. Same with IoT devices. IoT makers don't give a rat's ass about security, so the responsibility for the unsecured device belongs to the buyer. If buyers realize their device will be killed if it is pwned and used for nefarious stuff, then perhaps they will demand actual security... or not buy the things in the first place.

    8. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      While I generally agree, I cannot second the idea that it should be legal to break into computers that are insufficiently secured. That would make the internet an even worse place than it already is.

      Well, the internet was a much better place when breaking into insufficiently secured computers did not have legal consequences. In general it was a much better place when it was more reminiscent of the wild west. Of course going back to this approach is not a good idea given how crucial internet based services have become to the world's largest economies. However, as long as connecting insecure shit to the internet does not have legal consequences, the only way to protect these crucial services is to nuke these stupid IoT toys before they get compromised and used against us. In the end it is really that simple.

      I am always amazed that the very same politicians that fight for the right of the American people to carry guns for self defense, and even use them to kill people in self defense, constantly try to criminalize both defensive (encryption) and offensive security.

    9. Re:Denial-of-Service? by I-am-a-Banana · · Score: 1

      I would mod parent up if I could.

      We made a big mistake when we made cracking into things illegal. We should have made cracking into things legal and made people put up impenetrable walls. This is computers and data. There are walls that anyone can put up that can keep out governments. This would have created demand for real security and by now we'd have it ubiquitously without trying.

      I hope this guy doesn't get caught, and I appreciate and do not encourage his actions.

      So you have people with no technical skill in coding, or getting into their hardware buying a device, just say baby monitor and it is alright for a person to hack into it because these people do not have the technical knowledge to secure it better? This is asinine. It is like saying "It is fine to steal a person's car if you can because the person should have secured it better". Doesn't matter if it had an alarm and an immobilizer, was locked in a secure garage that was alarmed. If I can steal it it is the owner's fault for not taking better safety precautions.

    10. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      The producer is the one responsible for better security. The consumer is the one responsible for buying product with better security (though if these attacks are persistent and only attack critically flawed designs and not tricky security holes, then these should be killed within weeks and the consumers responsibility is reduced to return the bricked devices, which will naturally achieve the goal of improved security in a way reasonably close to free market).

    11. Re:Denial-of-Service? by liquid_schwartz · · Score: 1

      Because those stickers helped anyone ever how exactly?

    12. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      But if you leave your keys in your car, you can be charged with a crime. So it seems the law does distinguish between a minimal effort to secure your car and wanton disregard for it. So is the answer to charge owners of insecure IoT devices with negligence?

    13. Re:Denial-of-Service? by FrankHaynes · · Score: 1

      Better that IoT toys should display a message from BrickerBot to the effect that "The manufacturer of this device compromised your security. It has been disabled to protect you. Contact the manufacturer for further details."

      This dumps the burden back on the creator of the garbage so they either move security up the priority list or go out of business. OK, so maybe it fibs a little, but only a little.

      --
      slashdot: A failed experiment.
    14. Re:Denial-of-Service? by Solandri · · Score: 1

      Just take this botnet you've created with hacked IoT devices, and direct it at the websites of the companies which are producing and selling the insecure IoT devices. Then the moral objections cancel out.

    15. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      Devil's Advocate:

      Yet when the FBI sought laws allowing them to legally alter compromised systems with far less collateral damage, it was met with rage and accusations. They've recently used the enacted law in question with good results and actually did so with a great deal of transparency. Something to think about, regardless of your stance.

    16. Re:Denial-of-Service? by amicusNYCL · · Score: 1

      Well, IoT devices are at least halfway there. A lot of them will in fact accept any "interference" at all, and happily do whatever they are asked. Even if they are asked to violate the first rule.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    17. Re:Denial-of-Service? by amicusNYCL · · Score: 1

      So you have people with no technical skill in coding, or getting into their hardware buying a device, just say baby monitor and it is alright for a person to hack into it because these people do not have the technical knowledge to secure it better?

      Right, just like all of those people who have no experience in machining who are all buying that one car where every car opens and starts with the same publicly-known key, and they are getting their cars stolen just because they don't have the experience to manufacture their own lock, ignition system, and key?

      Man, it's almost like the burden should be on the manufacturer to deliver a product that can't easily be broken into by default.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    18. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      >Far less collateral damage

      El oh fucking el. They wanted to legally mandate back doors. Fuck out of here with this bullshit.

    19. Re:Denial-of-Service? by zlives · · Score: 1

      consumer protection would outlaw insecure devices. the consumer is not at fault for believing the device maker has at least made an attempt to make the device safe for use, like all other things consumable. otherwise the maker gets sued... or perhaps it's time for the makers to get sued.

    20. Re:Denial-of-Service? by burtosis · · Score: 1

      Fat finger modded down by accident, posting to remove...

    21. Re:Denial-of-Service? by mark-t · · Score: 1

      Well, the internet was a much better place when breaking into insufficiently secured computers did not have legal consequences.

      What, you mean like the early 1970's? Because laws outlawing hacking, or "phreaking" as it was called in the day are about that old.

    22. Re:Denial-of-Service? by mark-t · · Score: 1

      But if you leave your keys in your car, you can be charged with a crime

      Actually, no... If you leave your keys in your car, you simply cannot make a recognized insurance claim if it is stolen. It may certainly be illegal to leave the keys in a car that you do *not* own without consent of the owner, however, but it is not illegal to leave your keys in your own car. Waxing hypothetical, here, it would only be illegal to leave your keys in your own car if it were somehow an actual legal requirement for you to possess and have access to a car at all times.

    23. Re:Denial-of-Service? by mark-t · · Score: 1

      I would suggest that just as much responsibility should be on the consumer to try and verify that the device they purchase is actually secure as should be on the provider of those devices. If consumers are too lazy or indifferent to bother, they should be treated exactly the same as small children who haven't yet learned that they need to look both ways before crossing a street.

      If a person runs a red light and kills somebody, you don't go after the automobile manufacturer... you go after the guy who broke the law.

    24. Re:Denial-of-Service? by Anonymous Coward · · Score: 0

      What I meant is that even if laws existed (not everybody is in the US) they were not enforced (or even enforcable) in the same way they are today.

    25. Re:Denial-of-Service? by zlives · · Score: 1

      your analogy doesn't fit a secure worthiness of an electronic device. Most users would be just at loss when considering the myriad safety features and potential pitfalls of their vehicles and thus rely on the almost perfect (right!!) *** rating system. and at least it's rather understandable to consider seatbelts (check) brakes (check) airbag (check) vs... is this device running the latest updated version of the linux distro, the apps are secured and there is firewall in place not to mention default username passwords unsecured portals blah blah... things an end user will never see, need to see and thus has no onus to understand.
      in reality it would be better to require a license to buy and install these devices for consumer safety.

    26. Re:Denial-of-Service? by wkwilley2 · · Score: 1

      Technically, you don't have to break into anything when the door is left wide open.

      --
      Have you ever fallen asleep at the keybhanusdiog?
    27. Re:Denial-of-Service? by Opportunist · · Score: 1

      Understand that this was a very different time than today. When back then someone hacked you, it was for shits 'n giggles. You did it to show off, or you needed a few MB of space online so you created a backdoor to a server where you and a friend could move some data to and from. The damage was negligible. What we did was mostly repurposing resources for our own little benefit.

      What you're dealing with today is criminal organizations aiming for money. To draw a parallel, what we did was going out in our little fishing boat and catching a fish because we were hungry. What's going on today is fleets of trawlers stripmining the seas because they want to sell the fish worldwide.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    28. Re:Denial-of-Service? by Opportunist · · Score: 1

      Few here are probably old enough to actually know how those stickers helped.

      Of course the stickers themselves did little. But the requirements to be allowed to glue those stickers to your gear are as described on the sticker. And before the stickers, electric gadgets interfering with each other was a big deal. Even well after WW2 high frequency interference from electric tools was still a big issue. Today, with electric appliances working on FAR lower voltages and using FAR less electricity, along with better parts that create less noise, this problem doesn't really apply anymore, and the FCC sticker is pretty much obsolete, because pretty much any and every power tool will be able to pass.

      It wasn't always that way. And people did actually bother to check whether something had that sticker after getting burned (not necessarily only figuratively so) by electronic devices of a lower quality standard that didn't earn that FCC badge.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    29. Re:Denial-of-Service? by Opportunist · · Score: 1

      Yet still when I enter your home unasked it's trespassing, even with your door wide open.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    30. Re:Denial-of-Service? by Opportunist · · Score: 1

      How should the consumer verify this? It's not like there is a button they could push to verify the security of the device. Hell, until the hack comes along, more often than not even the manufacturer doesn't know it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    31. Re:Denial-of-Service? by mark-t · · Score: 1

      Research, or talking with experts. Ideally, they will learn about the technology themselves, at least enough to recognize when things are not secure. If it isn't too much to expect that children learn how to look both ways before crossing the street, it can't be too much to expect of adults to look before they leap as well.

    32. Re: Denial-of-Service? by Anonymous Coward · · Score: 0

      The stickers still have a purpose, and interference is as big a problem as ever. As an amateur radio operator, those stickers are quite helpful when someone complains that my completely legal and licensed radio transmitter is messing up their crappy unshielded $5 Chinese device. I can point to the sticker. Also works when that same device illegally interferes with me.

    33. Re:Denial-of-Service? by Opportunist · · Score: 1

      Unfortunately we security researchers don't get preview demos of those things. We buy them just the same way you do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    34. Re:Denial-of-Service? by mark-t · · Score: 1

      Fair enough, but security researchers typically know what sort of things to look for when verifying that a system is secure.

    35. Re:Denial-of-Service? by Opportunist · · Score: 1

      Certainly, but by the time we finally get to report it (because, face it, if you really have something cool you wait for the next big conference to let the bomb go off, who gives a shit about publishing something on his homepage when Black Hat is in 3 weeks?) thousands have already bought the insecure piece of junk and the damage is done.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    36. Re:Denial-of-Service? by mark-t · · Score: 1

      My point was that experts can teach people what things to look for... that was my point... ideally people will learn about the technology themselves from such people and learn what sort of things they should be looking for when it comes to vulnerabilities.

      I'm not suggesting that such education should necessarily be freely given by experts without any compensation, but I don't think it's an unreasonable demand on consumers who don't know how to tell if their devices are secure to put some effort into learning.

    37. Re:Denial-of-Service? by Opportunist · · Score: 1

      Teaching and learning depends on two people's agreement: One who teaches, and one who learns.

      We have been trying to teach. But the only ones that learned something were we: We learned that nobody wants to learn.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. BrickerBot by Daetrin · · Score: 3, Insightful

    The hero the Internet of Things both deserves _and_ needs.

    --
    This Space Intentionally Left Blank
    1. Re:BrickerBot by sinij · · Score: 1

      The hero the Internet of Things both deserves _and_ needs.

      I hope they catch the wrong guy/gal.

    2. Re:BrickerBot by OzPeter · · Score: 2

      The hero the Internet of Things both deserves _and_ needs.

      Yeah .. there's nothing like a vigilante of whom you approve.

      --
      I am Slashdot. Are you Slashdot as well?
    3. Re:BrickerBot by Big+Hairy+Ian · · Score: 1

      The hero the Internet of Things both deserves _and_ needs.

      Yeah .. there's nothing like a vigilante of whom you approve.

      I think it may be Fratman

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    4. Re:BrickerBot by sinij · · Score: 2, Insightful

      The hero the Internet of Things both deserves _and_ needs.

      Yeah .. there's nothing like a vigilante of whom you approve.

      Yes it is vigilante and we are supposed to condemn such things. However, what's the alternative? Internet Weather with DDoS storms routinely taking big chunks of it down? Markets completely failed to solve this problem, legislation isn't feasible considering international nature of this... so vigilante is least bad solution here.

    5. Re:BrickerBot by bill_mcgonigle · · Score: 0

      Yeah .. there's nothing like a vigilante of whom you approve.

      That Batman is the #1 superhero indicates that a very large majority of the public recognizes that the State is limited in ability, resources, effectiveness, and competence.

      Imagine you're at a shopping mall, some nut comes in and starts throwing knives at passersby, taking out one shopper every five to ten seconds. There's a grandpa there packing a 9mm under his coat. Do you:
      a) want the grandpa to take out the knife-attacker
      b) call 911 and wait for the police to arrive

      Statists will generally sacrifice all the people's lives in scenario b) because they value group power over individual life, liberty, and property. Non-statists believe in self-defense and third-party defense as a right and even a societal obligation and will go with a) and save all those lives. The Statists will then show up to call grandpa a 'vigilante'.

      Fortunately, the Internet is inherently Stateless so the third-party defense doctrine applies. As far as motive - we just heard a couple days ago about the teens on moral crusades, and then there's the possibility that people (at Dyn?) lost their jobs over the recent high-profile Mirai attacks and would want to see that botnet brought down.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re:BrickerBot by OzPeter · · Score: 1

      so vigilante is least bad solution here.

      A bad solution is still a bad solution. And vigilantism is still vigilantism. And DDOS attacks using infected devices are nothing new, it is just that IoT have opened up a new attack vector. Look at how many Windows based computers have been involved in DDOS in the past.

      What we have here is:

      1. Unknown person breaks into a computer they do not own.
      2. Unknown person does stuff to this computer (unknown to the owner) under the pretense of "fixing it".
      3. Ironically (according to TFS) the unknown person may also be using this computer to further propagate the fix.

      How would you feel if this was your IoT device that was attacked?

      (And no, I am not defending IoT manufacturers for their poor practices)

      --
      I am Slashdot. Are you Slashdot as well?
    7. Re:BrickerBot by OzPeter · · Score: 1

      Imagine you're at a shopping mall, some nut comes in and starts throwing knives at passersby, taking out one shopper every five to ten seconds. There's a grandpa there packing a 9mm under his coat.

      False equivalence. In order to be comparable your "grandpa" would have to be driving around town, spotting people with knives that grandpa considers dangerous, and then executing them. See Duterte for a great example of how this goes.

      --
      I am Slashdot. Are you Slashdot as well?
    8. Re: BrickerBot by Anonymous Coward · · Score: 0

      I'd want the man with the gun to take out the man with knives, but I'd also recognise that it's pretty unlikely that would happen without casualties as a result of that one person pulling out a gun in a stressful situation, without the kind of training the police and similar officials are supposed to have.
      You could say that in an ideal world the bystander with a gun reacts perfectly under pressure, takes out knives (non-lethally) without harming anyone else, is not shot by anyone else because they pulled out a gun and shot someone, is not shot by the police for the same, but in an ideal world we also wouldn't have someone running around with knives and a will to kill, either.

    9. Re:BrickerBot by Anonymous Coward · · Score: 0

      How would you feel if this was your IoT device that was attacked?

      I would be thankful that I was made aware that my iot thingy was crap.

    10. Re:BrickerBot by Gravis+Zero · · Score: 1

      The hero the Internet of Things both deserves _and_ needs.

      A hero of the Internet? We shall dub them, Bricky McBrickerson! ;)

      --
      Anons need not reply. Questions end with a question mark.
    11. Re:BrickerBot by Opportunist · · Score: 1

      Vigilantes rise where the law is insufficiently able or completely unable or, worse, unwilling to deal with criminals that affect the population. There, and only there, you will find vigilantism.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:BrickerBot by Anonymous Coward · · Score: 0

      Slashdot's been big on Putin since November or so.

    13. Re:BrickerBot by Anonymous Coward · · Score: 0

      How would you feel if this was your IoT device that was attacked?

      I'd complain to the manufacturer: "my internet-thing doesn't work. Money back, (or repair) please."

      They're the dolts who manufactured trivially hackable items in the first place. That is a fault, so they get to fix the things.

    14. Re:BrickerBot by Opportunist · · Score: 1

      With the difference that the grandpa can flawlessly identify those that pose a threat. Because the IoT devices that get bricked that way are exactly those that would get taken over by a botnet. If they can't be taken over by botnets, the brickerbot cannot affect them either.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:BrickerBot by Zocalo · · Score: 1

      A bad solution is still a bad solution. And vigilantism is still vigilantism. And DDOS attacks using infected devices are nothing new, it is just that IoT have opened up a new attack vector. Look at how many Windows based computers have been involved in DDOS in the past.

      Yes, it's a bad solution, and it's undeniably vigilantism as well. But, like democracy, it's still the best (and at present, only) solution we currently have that is working at scale. The Zero Day Initiative typically gives vendors 90 days (3 months) to fix a problem before they go public except in exceptional circumstances, and most credible vendors are OK with that framework. By comparison Mirai hit almost six months before BrickerBot, Hajime, and other such tools were unleashed, and in all that time no one - whether vendors, ISPs, or owners - did much more than shrug, shuffle their feet, and wring their hands.

      They collectively took a huge dump in everyone else's bed and then did nothing about it, so that just left people stepping up with their bad solutions and vigilantism to try and clean up the mess. Want to "fix" BrickerBot and Hajime, etc.? Fix your devices, secure your networks, and isolate your devices, as applicable. Just like Mirai and the rest, if they can't root the device, then they can't propagate either, and everyone benefits - in fact, unlike the blackhat authors of malicious botnets, the vigilantes are more likely to shut up shop as soon as there are credible signs of progress being made. Acknowledging the message they are sending is all that is required.

      --
      UNIX? They're not even circumcised! Savages!
    16. Re: BrickerBot by Zero__Kelvin · · Score: 1

      And a solution, when it is the only one, is still the only solution. I cite as an example war. It's a horrible solution. That doesn't mean it is never necessary.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    17. Re:BrickerBot by Shinobi · · Score: 1

      Vigilantes also rise from ideology, more commonly in orthodox religious or right-wing political leaning ones historically, though recently(as in the last 60 years), left-wing and some more liberal religious groups have started to engage in vigilante behaviour too

    18. Re:BrickerBot by sjames · · Score: 1

      It's a tough question though. I can't say I support BrickerBot, but at the same time, how would you feel if your website (or just one you really want to browse) is down and unlikely to return because of a bunch of internet enabled paper clips?

    19. Re: BrickerBot by Anonymous Coward · · Score: 0

      I cite as an example war. It's a horrible solution. That doesn't mean it is never necessary.

      Yes this is exactly like war. Specifically the part where you sneak into your adversary's country and kill all the civilians to keep them from joining the army.

    20. Re: BrickerBot by moeinvt · · Score: 1

      I'm very skeptical of this "police are less dangerous than armed citizens because of their training" argument. Police get stressed just like everyone else and their track record on protecting innocent bystanders is less than stellar.

      Remember those idiots in California who fired over 100 rounds at two women in a blue Toyota .... which they somehow managed to mistake for Chris Dorner's gray Nissan? How about the cops in NYC who shot 3 innocent bystanders and injured 6 others near the Empire State Building as they attempted to take out ONE guy with a weapon? There was also an incident in Times Square where the cops fired at a guy, missed him completely but managed to wound two other people.

      I'll take my chances with the armed citizens. The cops may be trained, but they strike me as being a little too trigger-happy.

    21. Re:BrickerBot by Anonymous Coward · · Score: 0

      You know... there are people who believe in both personal freedom and a foundation of law and order.

      E.g., shall-issue carry permits---with background checks for criminal records and mental problems.

      The false dichotomy of freedom-loving libertarians vs iron-fisted statists is getting a little old.

    22. Re:BrickerBot by Anonymous Coward · · Score: 0

      It is solvable, though at a lot of effort:
      - people whose devices are involved in a botnet/DDOS and don't fix it will be disconnected
      - ISPs who don't do that will be disconnected
      - (now going into bad precedent territory that might make this worse than the BrickerBot "solution") countries that don't make their ISPs do either of this get disconnected

    23. Re: BrickerBot by Anonymous Coward · · Score: 0

      No, it's more like grandpa goes round town permanently disassembling defective gas supplies that could explode at any minute and kill a passer by

    24. Re:BrickerBot by Anonymous Coward · · Score: 0

      Bricky McBrickface!

    25. Re:BrickerBot by Anonymous Coward · · Score: 0

      You mean, unwilling to deal with people whom the mob perceives as criminals. Very important distinction, and the root of why vigilantism is bad.
      (Also note, brickerbot doesn't actually target any criminals.)

    26. Re: BrickerBot by Anonymous Coward · · Score: 0

      Putin, the vigilante we need.
      Trump, the vigilante we deserve.

    27. Re:BrickerBot by amicusNYCL · · Score: 1

      A bad solution is still a bad solution.

      Just out of curiosity, what is the good solution to the problem of a vast network of unsecured or insecure IoT devices that have already been deployed? Instead of describing what manufacturers should have done, what good solution do you have for the existing problem?

      How would you feel if this was your IoT device that was attacked?

      How do you feel when IoT botnets deliver DDOS attacks in the range of hundreds of gigabits per second? Are you still looking for that good solution to the existing problem?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    28. Re:BrickerBot by n329619 · · Score: 1

      He really should rename BrickerBot to BatmanBot.

    29. Re:BrickerBot by Opportunist · · Score: 1

      Criminal neglect is still criminal.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Is it a bird? by Big+Hairy+Ian · · Score: 1

    Is it a plane?

    No it's Super Hacker Nerd!!

    Leaping the Internet Of Things in a single bound

    --

    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  4. Good - burn it down by Anonymous Coward · · Score: 0

    IoT isn't a thing, it's just dumb.

    The sooner it goes the way of 3D TV, the better.

    1. Re:Good - burn it down by Opportunist · · Score: 1

      The idea behind the IoT isn't bad. The execution is horrible.

      The idea that you can use the internet as a medium to access parts of your home isn't that bad an idea. That the whole shit is done by corporations that only care about their bottom line and offer you gimmicky toys that are security nightmares is the horrible execution thereof.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Good - burn it down by Zero__Kelvin · · Score: 1

      This is 100% correct, and it baffles me that ostensibly intelligent people can't see the difference between a good idea and a flawed implementation.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  5. I thought Linux was supposed to be secure? by Anonymous Coward · · Score: 0

    One of the articles says (I've added emphasis):

    BrickerBot.3 and BrickerBot.4, like BrickerBot.1, are targeting ‘busybox’-based Linux devices, typically IoT devices such as IP camera’s and DVRs.

    This confuses me, though, because I always hear that Linux is supposed to be way more secure than other OSes.

    If Linux is so secure, then why is it being exploited in this case, to the extent that the device itself is essentially destroyed?

    1. Re:I thought Linux was supposed to be secure? by Anonymous Coward · · Score: 0

      It is secure.
      This is not an attack on Linux, it's an attack against a poorly configured toy running busybox

    2. Re:I thought Linux was supposed to be secure? by Anonymous Coward · · Score: 1

      Nothing is completely secure and anyone who claims otherwise is full of shit. I'm not going to get into an OS war, but even the most secure OS has its flaws, the biggest being the users. You can't fix stupid and stupid people are going to make stupid decisions with security. If you hardcode a password/key that is the same on every device, put in a back door, install outdated software, or make other bad configuration mistakes you are going to get hacked no matter how secure your OS is. The majority of these IoT devices are cheap throw-away devices by manufacturers that couldn't give two shits about security and don't care if they make the above mentioned mistakes.

    3. Re:I thought Linux was supposed to be secure? by Joce640k · · Score: 1

      If Linux is so secure, then why is it being exploited in this case,

      'Linux' isn't being exploited, the crappy applications people wrote to run on Linux are.

      Any app that accepts incoming data from the internet can be vulnerable to buffer overflows, etc.

      Apps written by the cheapest available people in a 3rd world country? Doubly so.

      --
      No sig today...
    4. Re: I thought Linux was supposed to be secure? by Zero__Kelvin · · Score: 1

      Any OS can be made insecure by idiots. Linux has the potential to be secure. The source code is also available and it is still administered by humans. This means any idiot can create an insecure Linux distribution or turn an out of the box secure one into an insecure one. Linux isn't a panacea, but Windows is a petri dish. HTH

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:I thought Linux was supposed to be secure? by petermgreen · · Score: 3, Interesting

      The problem is threefold.

      Firstly lack of updates, SoC vendors are notorious for porting one or two versions of Linux, throwing it over the wall to device vendors and then doing nothing to keep it up to date. Some SoCs can be used with upstream kernels but very often with reduced functionality. The device vendors in turn add their own customisations to that kernel that the SoC vendor threw over the wall. Quickly you end up with something that cannot reasonably be updated to a new upstream version. It is possible to some extent to backport security fixes, but it's a lot of work so it is likely to get skipped entirely or at least restricted to the most-severe vulnerabilities.

      Secondly the vendors doing the work often do it without really caring about security which can lead to busting big holes in the user-security model. Remember "exynos-mem"?

      Thirdly if your application layer is full of holes then attackers will be able to get whatever privileges that application has. If that is root then the attacker has full control of the device. Even if it is not root the attacker may well be able to elevate to root due to the first and second points.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    6. Re:I thought Linux was supposed to be secure? by sjames · · Score: 2

      Nothing is so secure that a complete idiot can't screw it up and render it insecure (consider, Fort Knox but someone stands the guards down and leaves the doors and vaults open).

      When we say Linux is more secure, what we mean is that a reasonably competent person has a better chance of coming up with a reasonably secure Linux machine than they do using another OS.

    7. Re:I thought Linux was supposed to be secure? by AmiMoJo · · Score: 1

      Maybe we need to forget trying to secure devices and instead try to secure the router. Each device would have a profile, something like "can only access this short list of IP addresses, rate limited to X bytes/second and capped to X bytes/day." Literal alarm bells when limits are exceeded, with the device auto quarantined.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
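
Added example (not part of the comment above and not code from any router product): a minimal Python sketch of the per-device profile idea, with a destination allowlist, a per-second rate limit, a daily cap, and an alarm plus automatic quarantine on any violation. The class names, device names, limits and the documentation-range addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    allowed_ips: frozenset   # only destinations this device may talk to
    max_bytes_per_sec: int   # limit within any one-second window
    max_bytes_per_day: int   # daily volume cap

@dataclass
class Counters:
    second: int = -1
    sec_bytes: int = 0
    day: int = -1
    day_bytes: int = 0
    quarantined: bool = False

class RouterPolicy:
    """Hypothetical per-device egress policy, evaluated per flow record."""
    def __init__(self, profiles):
        self.profiles = profiles
        self.counters = defaultdict(Counters)
        self.alarms = []                      # (timestamp, device, reason)

    def _quarantine(self, ts, dev, reason):
        self.counters[dev].quarantined = True
        self.alarms.append((ts, dev, reason))  # the "alarm bell"
        return "drop"

    def handle(self, ts, dev, dst_ip, nbytes):
        c = self.counters[dev]
        if c.quarantined:
            return "drop"                     # isolated until an operator resets it
        prof = self.profiles.get(dev)
        if prof is None:                      # assumption: default deny
            return self._quarantine(ts, dev, "no profile")
        if dst_ip not in prof.allowed_ips:
            return self._quarantine(ts, dev, f"destination {dst_ip} not allowed")
        second, day = int(ts), int(ts) // 86400
        if second != c.second:                # new one-second window
            c.second, c.sec_bytes = second, 0
        if day != c.day:                      # new day, reset the cap counter
            c.day, c.day_bytes = day, 0
        if c.sec_bytes + nbytes > prof.max_bytes_per_sec:
            return self._quarantine(ts, dev, "rate limit exceeded")
        if c.day_bytes + nbytes > prof.max_bytes_per_day:
            return self._quarantine(ts, dev, "daily cap exceeded")
        c.sec_bytes += nbytes
        c.day_bytes += nbytes
        return "allow"

# Constructed sample profiles and flow records: (timestamp, device, dst, bytes).
PROFILES = {
    "camera": Profile(frozenset({"192.0.2.10"}), 1000, 10_000_000),
    "thermostat": Profile(frozenset({"198.51.100.7"}), 500, 50_000),
    "dvr": Profile(frozenset({"192.0.2.20"}), 1000, 2500),
}
FLOWS = [
    (0, "camera", "192.0.2.10", 400), (0, "camera", "192.0.2.10", 400),
    (0, "camera", "192.0.2.10", 400),        # third burst in the same second
    (1, "thermostat", "198.51.100.7", 100),
    (2, "thermostat", "203.0.113.99", 60),   # destination outside the allowlist
    (5, "camera", "192.0.2.10", 10),         # already quarantined
    (10, "dvr", "192.0.2.20", 900), (11, "dvr", "192.0.2.20", 900),
    (12, "dvr", "192.0.2.20", 900),          # pushes past the daily cap
]

def run_sample():
    policy = RouterPolicy(PROFILES)
    verdicts = [policy.handle(*flow) for flow in FLOWS]
    return verdicts, policy.alarms

if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

Each violation raises exactly one alarm; later traffic from a quarantined device is dropped silently, so a compromised device cannot flood the alarm log.
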
    8. Re:I thought Linux was supposed to be secure? by Anonymous Coward · · Score: 0

      IoT devices are deliberately made to be insecure...after all, the purpose of such devices is to let their corporate owners spy on people so that they can collect as much data as possible. Making these devices secure would in many cases defeat that purpose. Theft and sale of personal data has become one of the biggest and most profitable businesses today!

      While I am not sure that I would condone this vigilante type action, so far it seems the only way that both people and corporations can be warned of the dangers of these insecure IoT crap devices! Or at least the only way that they will listen and pay attention to!!

    9. Re:I thought Linux was supposed to be secure? by Lost+Race · · Score: 1

      Don't forget they're trying to hit impossible price points with terrible economies of scale. Any feature that's not directly visible to the consumer (like quality software engineering) is a non-starter.

    10. Re: I thought Linux was supposed to be secure? by Miamicanes · · Score: 1

      Insecurity isn't a necessary component of corporate data-harvesting... it's quite possible to make a device with robust, impenetrable security that encrypts & transports vast quantities of harvested data to its corporate masters.

      These are the REAL problems with most IoT devices:

      1. Devices with 8-bit MCUs that treat the internet like a UDP-implemented serial port & have no meaningful security of their own.

      2. Linux's (intentional) lack of a stable kernel ABI, which makes it all-but-impossible for end users to take control of their own destiny and upgrade devices long after they've been abandoned by their manufacturers.

      3. The lack of meaningful public documentation of the underlying SoC. If MediaTek, Qualcomm, etc. don't make proper datasheets available to the public, reverse-engineering some generic nameless webcam is going to be *really* hard unless you have access to the hardware & software tools usually owned only by companies or universities.

      If somebody can name a sub-$60 IP camera with official open-source firmware, I'd *love* to be proven wrong, but the fact is, sub-$60 IP cameras are practically large-scale integrated circuits *themselves*. Seven times out of eight, not even the nominal *manufacturer* of the camera has access to the full sourcecode to its firmware... they buy some SoC, assemble it into a camera based on some generic reference design, and get all the firmware & drivers verbatim from the SoC's manufacturer (like the thousands of knock-off "Foscam-type" IP webcams).

    11. Re: I thought Linux was supposed to be secure? by Anonymous Coward · · Score: 0

      #2 is a load of hooey. The only use case for a "stable kernel ABI" is to be targeted by proprietary apps. By definition, it's illegal for users to upgrade those.

    12. Re: I thought Linux was supposed to be secure? by petermgreen · · Score: 1

      The lack of stable interfaces (both ABIs and APIs) means that not only can you not upgrade the proprietary bits but you can't easily upgrade the rest of the kernel either. Your hardware drivers stop you from easily upgrading your network stack or the code that manages privilege separation.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  6. Looking at my firewall logs by Zocalo · · Score: 4, Informative

    Looking at my firewall logs I think BrickerBot v3.0 may have actually been unleashed on the 18th, not the 20th. There was a huge decline in scanning for port 5358 that started on the 18th, which is now less than half the activity level it was at on the 17th, and less than 15% of the levels it was peaking at prior to BrickerBot v1.0. There are further, but smaller, falls in some of the other typical IoT ports like 2323 that started around the same time as well.

    If you're reading, Janit0r (or whatever your current pseudonym is), keep up the good work! Might be worth taking a look at what's going on with Port 81 as well... Just sayin' :)

    --
    UNIX? They're not even circumcised! Savages!
    1. Re:Looking at my firewall logs by FrankHaynes · · Score: 1

      So all IoT toys use the same port number??

      I find that impossible to believe.

      --
      slashdot: A failed experiment.
    2. Re:Looking at my firewall logs by amicusNYCL · · Score: 1

      You may have read too much into that post.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Looking at my firewall logs by zlives · · Score: 1

      impossible? or just really stupid...

  7. Solution by Anonymous Coward · · Score: 0

    If it could make them all stop working within the warranty period, and people constantly return them, they would have to start securing these things.

  8. Do we still have consumer protection in America? by Anonymous Coward · · Score: 0, Interesting

    If you're stupid enough to buy broken devices... at least consumer protection laws let you return the crap.

    Do we still have those in Trump's America?

    The fact that you cannot be sure if I'm joking or not should give you pause.

  9. Vigilante definition by gurps_npc · · Score: 1

    Vigilante definition, from Online Webster:

    : a member of a volunteer committee organized to suppress and punish crime summarily (as when the processes of law are viewed as inadequate); broadly : a self-appointed doer of justice

    Note the parenthetic comment - "when the processes of law are viewed as inadequate".

    In this case, the processes of law are NON-EXISTENT. It is by definition inadequate. Yes, this is vigilante justice, mainly because our governments have totally failed to properly regulate these issues.

    We need a simple government agency to report internet based vulnerabilities. Once reported, the manufacturer should have one month to fix it - and push the fix out. With monetary fines for a failure to do that - calculated so that 1 vulnerability in 100% of their products cuts 10% of their gross profit (note gross, not net).

    --
    excitingthingstodo.blogspot.com
    1. Re:Vigilante definition by moeinvt · · Score: 1

      "We need a simple government agency"

      LOL Don't you keep up with the news? When government agencies find vulnerabilities, they don't report them, they exploit them!

    2. Re:Vigilante definition by Anonymous Coward · · Score: 0

      It's almost as if they threaten legal action if they DO patch them.

    3. Re:Vigilante definition by gurps_npc · · Score: 1

      Yes because that is their mission. Your complaint is that they are too EFFECTIVE.

      There is lots of solid evidence that people dislike government because it is too good at what it does. Then they undermine the government and laugh and say "Hey, now that we have handcuffed them, they can't do anything right!"

      Which is why I want to create one to protect us rather than spy on us.

      Government agencies are actually more effective than businesses (two thirds accomplish their goal, vs 1 third for small business).

      The problem is that when a government agency fails, it has to keep trying, while a small business that fails goes bankrupt and someone else tries again in a year or two. But government does such important work that we frankly are not willing to go without for the year or two. So we keep the failed agencies around, which makes replacing it harder.

      --
      excitingthingstodo.blogspot.com
  10. i, for one, welcome brickerbot by Anonymous Coward · · Score: 0

    Hopefully, it breaks enough devices so many people are forced to buy safe ones. And those makers who don't secure their products, simply go out of business.
    Also, hopefully, the actions of brickerbot don't generate more noise than it prevents.

  11. Re:LUDDITES are ruining the Appernet of Apps! by Anonymous Coward · · Score: 0

    Keep hope alive, app guy!

  12. Ignoring the real problem, lack of a secure OS by ka9dgx · · Score: 1

    People want to be able to put code in a box, and have code to function without unwanted side effects. The consistent cognitive bias is towards placing blame on certain groups or practices as being at fault, then piling on.

    This approach consistently ignores the root cause, the lack of a widely used, secure operating system for anything smaller than an IBM mainframe.

    If your OS can't be counted on to limit the side effects of a program to those chosen at runtime, you can't trust it.

    Windows doesn't do this, nor does any other common operating system on PCs or embedded systems.

    The reason mainframe systems are secure is that you specify everything to be tossed into running a program prior to its execution, and it can't ever exceed those capabilities.

    We need to make things like GNU Hurd or Genode a viable choice for programmers and hackers, then for the average home user. If this is done, then we can finally actually fix things for once and for all.

    Until then, enjoy being the sump pump for the world of IT.

  13. What Solutions are there? by The_Other_Kelly · · Score: 1

    Hmm.

    Nobody likes vigilantes! (Not even Batman).

    But a serious question: How can people be protected?

    While the techies can home brew something, what real products or solutions are
    there for the "casuals", the civilians and the "tech-vulnerable" ??

    Are there any fairly cheap, zero configuration overhead solutions out there right now?

    Any options?

    --
    (R)ule in Hell or (S)erve in Heaven [R]?
    1. Re:What Solutions are there? by HiThere · · Score: 1

      Yeah. Don't buy IoT devices. Actually, that's the best option for geeks, too. If you want an IoT device, build it yourself.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:What Solutions are there? by The_Other_Kelly · · Score: 1

      In the ideal world, everyone would do so, but we do not live in that one.

      And the list of IoT devices will expand to include, basically, ... everything.

      Every electricity meter, every freezer, every microwave, every TV.

      So for the people who cannot create their own solutions, what options are there?

      --
      (R)ule in Hell or (S)erve in Heaven [R]?
    3. Re:What Solutions are there? by HiThere · · Score: 1

      "If this goes on..." then there aren't any solutions for anyone. That's one of the arguments for why BrickerBot & kin are social services.

      For *now* the correct solution is to refuse to buy IoT devices, or if you must, refuse to register them, or don't connect them to the internet and put them in a Faraday cage (if they use WiFi). (Well, you don't need a full-blown Faraday cage...just blocking a few wave-lengths sufficiently should suffice.) And if that won't work, return them as defective.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  14. This rewards IoT device developers by Kazoo+the+Clown · · Score: 1

    1. Customers buy your insecure IoT devices.
    2. BrickerBot renders them nonfunctional.
    3. Customers no longer have a working IoT device, so they're in the market for a replacement.
    4. Profit!

    1. Re:This rewards IoT device developers by Anonymous Coward · · Score: 0

      Alternate (4) Consumer returns broken device to store for refund.
        (5) Manufacturer is more careful about security in next version.

      Otherwise where is the incentive for the manufacturer to do any better?

  15. Warranty law by DrYak · · Score: 1

    TODO:
    Change your US warranty laws, so such bricked device must be replaced for free. (See Europe for an example)

    (It's a device. It was used as it is supposed to be by the end user. The end user didn't subject it to any abuse.
    The device suddenly stopped working unexpectedly. It has to be replaced under warranty).

    That will teach the manufacturer of shitty goods.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  16. reward: short term vs long term by n329619 · · Score: 1

    5. Consumers have to return broken devices or re-purchase cheap IoT until they feel it is no longer worth constantly replacing broken devices, lowering the demand for IoT devices.
    6. IoT developers have to constantly replace broken devices until they either drop the IoT design, update security or face bankruptcy.

    They may sell more IoT devices in the short term, but overall they will fail to profit in the long term.

  17. WTF is telnet enabled, and default passwords? by knorthern+knight · · Score: 1

    The real problem is that IDIOT (Insecurely Designed Internet Of Things) devices can be accessed from the net via telnet, with default passwords, or even no passwords. I don't care if you're running linux, Windows, BSD, OS/2, or whatever; using telnet is begging to be owned.

    Telnet is an ancient, insecure protocol, from "a kinder/gentler time". When DARPAnet was started as a US-only project, you needed security clearance to access a mainframe or mini computer that could access the net. Every April 1st, there would be spoofed messages from "KREMVAX" (Kremlin minicomputer); that was fun, and nobody seriously believed it would happen. Telnet was appropriate for the conditions at that time.

    The authors of telnet had no way of knowing that DARPAnet would become accessible by the average person worldwide, and cheaply made crap devices, and organized criminals in 2nd and 3rd world countries.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user