Slashdot Mirror


US ISP Goes Down As Two Malware Families Go To War Over Its Modems (bleepingcomputer.com)

An anonymous reader writes from a report via Bleeping Computer: Two malware families battling for turf are most likely the cause of an outage suffered by Californian ISP Sierra Tel at the beginning of the month, on April 10. The attack, which the company claimed was a "malicious hacking event," was the work of BrickerBot, an IoT malware family that bricks unsecured IoT and networking devices. "BrickerBot was active on the Sierra Tel network at the time their customers reported issues," Janit0r told Bleeping Computer in an email, "but their modems had also just been mass-infected with malware, so it's possible some of the network problems were caused by this concomitant activity." The crook, going by Janit0r, tried to pin some of the blame on Mirai, but all the clues point to BrickerBot, as Sierra Tel had to replace bricked modems altogether, or ask customers to bring in their modems at their offices to have them reset and reinstalled. Mirai brought down over 900,000 Deutsche Telekom modems last year, but that outage was fixed within hours with a firmware update. All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.

93 comments

  1. Don't mess with my territory by turkeydance · · Score: 1

    take that

  2. ALL HAIL MALWARE by Anonymous Coward · · Score: 0

    Malware must take over your lives! Give it your modem, your router, your IoT devices, your computer, and then your SOUL!

    Install a cyberbrain and allow sketchy nerds from Moldova to control your LIFE!

    Make of them our gods and masters!

    Um

    moo apps?

    1. Re:ALL HAIL MALWARE by Big+Hairy+Ian · · Score: 1

      So the ISP didn't do enough security patching and left their clients vulnerable to malware. BrickerBot just stopped their devices from being used to hack/ddos others. I'm not saying either is right but surely the ISP is guilty of not doing due diligence. Blaming BrickerBot alone is not the answer.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

  3. Crook? by Anonymous Coward · · Score: 0

    Brickerbot doesn't steal anything, at least that I've heard of, so is the creator a "crook"?

    1. Re:Crook? by Anonymous Coward · · Score: 0

      Crook is just another word for criminal, it's not specific only to those who have committed theft.

    2. Re:Crook? by Doke · · Score: 2

      I agree with your definitions. However, the BrickerBot author is closer to a vigilante hero, than a criminal.

    3. Re:Crook? by scdeimos · · Score: 1

      I wouldn't call the author a hero of any kind. Sure, he's removing insecure devices from the internet but at great inconvenience to the end-users that depend on them and a lot of these people will be small business owners or home office types. It's the fault of Zyxel for producing such insecure crap in the first place but also the ISP for issuing them to their customers and then failing to secure their management interfaces from the internet at large.

    4. Re:Crook? by Anonymous Coward · · Score: 0

      I wouldn't call the author a hero of any kind. Sure, he's removing insecure devices from the internet but at great inconvenience to the end-users that depend on them and a lot of these people will be small business owners or home office types. It's the fault of Zyxel for producing such insecure crap in the first place but also the ISP for issuing them to their customers and then failing to secure their management interfaces from the internet at large.

      In this scenario, Zyxel is like a political candidate. That's not really so strange - it just has economic power instead of political power, but still there is a sort of voting process with mass participation. Lots of people each contribute something the organization wants. Voters apply their ballots to a candidate. Zyxel customers apply their dollars to their chosen candidate in the marketplace. The users who bought Zyxel are like an electorate. They're just voting with dollars instead of ballots.

      Assuming Zyxel does not have a monopoly, no customer is forced to "vote" for them. So this is actually a kind of democratic process. The customers are getting the companies they deserve, based on what they deem to be acceptable and how quickly they shut down power grabs by refusing to accept them.

      Had the IoT situation not become an out-of-control security nightmare, the BrickerBot author would have had no leg to stand on. But he has a point. He really does. He's offering an actual solution that might work, while everyone else is merely talking about it. That's the real problem.

    5. Re:Crook? by Anonymous Coward · · Score: 0

      I wouldn't call the author a hero of any kind. Sure, he's removing insecure devices from the internet but at great inconvenience to the end-users that depend on them and a lot of these people will be small business owners or home office types. It's the fault of Zyxel for producing such insecure crap in the first place but also the ISP for issuing them to their customers and then failing to secure their management interfaces from the internet at large.

      In this scenario, Zyxel is like a political candidate. That's not really so strange - it just has economic power instead of political power, but still there is a sort of voting process with mass participation. Lots of people each contribute something the organization wants. Voters apply their ballots to a candidate. Zyxel customers apply their dollars to their chosen candidate in the marketplace. The users who bought Zyxel are like an electorate. They're just voting with dollars instead of ballots.

      Assuming Zyxel does not have a monopoly, no customer is forced to "vote" for them. So this is actually a kind of democratic process. The customers are getting the companies they deserve, based on what they deem to be acceptable and how quickly they shut down power grabs by refusing to accept them.

      Had the IoT situation not become an out-of-control security nightmare, the BrickerBot author would have had no leg to stand on. But he has a point. He really does. He's offering an actual solution that might work, while everyone else is merely talking about it. That's the real problem.

      Same AC here - to clarify, BrickerBot shifts the burden of insecurity right back onto the electorate who "voted" with their dollars for Zyxel in the first place. That's right where it belongs. Let the ones who choose to implement something bear the full costs of that thing without needlessly externalizing their burden.

    6. Re:Crook? by scdeimos · · Score: 1

      Your argument is that paying customers were given a choice in the matter and so should vote with their feet. Normally I would agree with that assertion except that most ISPs don't offer a choice of modem to customers or even alert them that they have a choice. Often they'll grumble about incompatibility issues if a new customer says, "I already have a modem."

      Modems are just another way for ISPs to milk money out of their customers. e.g.: ISPs bulk buy these modems from whomever they can source them for $10 each and then charge customers a once-off connection fee ($80-$100) or ongoing monthly rentals ($10-$20/month).

      BrickerBot and their ilk are still punishing the unwary customers for the incompetence of the manufacturers and ISPs.

    7. Re:Crook? by Anonymous Coward · · Score: 0

      it steals the owner's ability to use the device. i don't need to move your car to prevent you using it.

    8. Re:Crook? by Joce640k · · Score: 1

      it steals the owner's ability to use the device. i don't need to move your car to prevent you using it.

      Not a bad thing when you're in a neighborhood full of criminals who'll steal that car and use it for crime a couple of days after you bought it.

      --
      No sig today...

    9. Re:Crook? by Zocalo · · Score: 2

      My view too. Janit0r is absolutely a vigilante, but currently BrickerBot (and the less destructive Hajime) are the only active "solutions" to the various IoT botnets such as Mirai and, from their posts, I believe (s)he would stand down as soon as more active steps were taken by the vendors, ISPs, and owners. Far from ideal but, until those in a position to do something about it in a less disruptive manner step up to the plate, if that's the only option for the rest of us caught in the firing line, then I'll live with it. Keep calm, and carry on bricking!

      As for this specific incident, although Zyxel has to take some blame for shipping broken routers in the first place, I'd say the main culprit here is actually SierraTel, both for their failure to implement secure central management of their modems in the first place, but mostly for failing to learn from Deutsche Telekom's experience and remediating that error, despite having *six months* to do so. Clearly that has now cost them financially and in customer satisfaction, which should hopefully serve as a wake up call to anyone else in a similar situation and dragging their feet over deploying a solution. Somehow, I don't think SierraTel is going to be the only ISP to have this kind of problem though.

      --
      UNIX? They're not even circumcised! Savages!

    10. Re:Crook? by jbmartin6 · · Score: 1

      Vigilantes are criminals. Of course they are criminals. They have to be criminals.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

    11. Re:Crook? by Anonymous Coward · · Score: 1

      The device is doing exactly what it was instructed to do. Maybe manufacturers should instruct their devices to do what the customer wants instead of what other people want.

    12. Re:Crook? by Anonymous Coward · · Score: 0

      I agree with your definitions. However, the BrickerBot author is closer to a vigilante hero, than a criminal.

      Is he a vigilante because he says he's doing it for the better good? What he is doing is really no different than a murderer killing someone to prevent them from being killed by someone else and then claiming that he is doing a service to society.

    13. Re: Crook? by Anonymous Coward · · Score: 0

      Well that's a shitty analogy. Let me make one up. The guy mind controlled the people with a certain defect gene into murdering themselves because they can be easily mind controlled to rob and murder other people. The defect can be protected if they just took the right meds. But most haven't and many are already going around looting and murdering others.

      See... this is fun.

  4. No link to relevant article about sierratel by williamyf · · Score: 2

    but there is a link about previous incident in Deutsche Telekom?

    What gives?

    the level of the editors keeps getting lower or what?

    Beadhull, get away from that Keyboard, you need a few cups of coffee! Now!

    --
    *** Good luck to everyone and have a happy day!

    1. Re:No link to relevant article about sierratel by scdeimos · · Score: 1

      The link is in the article title, https://www.bleepingcomputer.c...

  5. Yet another case for VPN tunnels by Foxhoundz · · Score: 2

    Hacked modem or not, assuming you actually use a respectable router (e.g. VyOS/Edgerouter), you can at least avoid man-in-the-middle attacks due to the fact that packets will be encrypted by the time they ingress your modem on their way to the CMTS. That being said, it still won't stop the modem from becoming a zombie device itself. ISPs have a burden to resolve this as A) they and they alone lock down your device and manage it remotely via SNMP and B) their network is sending you the malicious unsolicited data from their network to yours.

    1. Re:Yet another case for VPN tunnels by Anonymous Coward · · Score: 1

      A VPN would not have saved anyone in this case. The Brickerbot went after the physical DSL/Cable modem/gateways.

      If you've ever used one of these ISP issued things, there is typically a default username, and the password is derived from the device MAC address. It's also not a new thing, as you could also have your modem hacked just by visiting a rogue website that connects to 192.160.0.1 over websockets.

    2. Re:Yet another case for VPN tunnels by Anonymous Coward · · Score: 1

      A VPN would not have saved anyone in this case. The Brickerbot went after the physical DSL/Cable modem/gateways.

      If you've ever used one of these ISP issued things, there is typically a default username, and the password is derived from the device MAC address. It's also not a new thing, as you could also have your modem hacked just by visiting a rogue website that connects to 192.160.0.1 over websockets.

      Yes, but only if you're dumb enough to run every random script from every unverifiable web site. Seriously, this is a solved problem. A good adblocker (which often include options for filtering malicious sites) and/or NoScript can easily prevent this.

    3. Re: Yet another case for VPN tunnels by Anonymous Coward · · Score: 0

      "there is typically a default username, and the password is derived from the device MAC address"

      No ISP should be supplying devices with connections enabled on the WAN side.

    4. Re: Yet another case for VPN tunnels by FrankHaynes · · Score: 2

      The ISP manages their own devices from the WAN side, how else could they do it?

      Another poster mentioned SNMP; I did not know that, I thought it was some non TCP/IP protocol unique to cable modems. But either way they bear at least some responsibility for deploying these things in a way that allows these attacks to succeed so widely.

      --
      slashdot: A failed experiment.

    5. Re: Yet another case for VPN tunnels by Anonymous Coward · · Score: 1

      Most ISPs I know of have two VLANs where one of them is only accessible by the ISP itself. (The router/modem has 2 IPs...)

    6. Re: Yet another case for VPN tunnels by Anonymous Coward · · Score: 1

      How we do management is that we have more than 1 PVC. A primary PVC is set up for subscriber internet but the second faces a locked down management network. The modem has an ACL in place to prevent access on the primary internet facing PVC and another to permit access from the management side.

    7. Re: Yet another case for VPN tunnels by Zocalo · · Score: 1

      Any remote management protocol can be exploited if the implementation is bad - regardless of whether it's console style via SSH, web via HTTPS, or a dedicated device management protocol like SNMP or TR-069. Firmware bugs in authentication and exploits aside, it shouldn't matter what protocol you use provided that it is properly authenticated with a non-default password, uses an encrypted protocol, and (most critically of all) access is limited to a specific management network. The trick is to assume things will get broken, then put multiple layers of defence in place so that even when something inevitably does break the rest will keep things secure while you implement a fix - ignoring it is not an option either.

      People have been chanting the "defence in depth" mantra for decades, some people have been *doing* it for decades and publishing HOWTO guides to help others do the same, and yet other people are also still getting burned by failing to do it. Ultimately, it's just the consequence of another three way choice where you only get to pick two options; the choices are "cheap", "easy" and "secure", and this is what happens when you don't include "secure" in your selection - cheap and easy both end up going down the toilet as well.

      --
      UNIX? They're not even circumcised! Savages!
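
An added example, not part of the thread or any poster's code: a small audit that applies the three conditions named in the comment above (non-default password, encrypted protocol, access limited to a management network) to CPE management settings and rates each device by how many layers still hold. The record fields, the management prefix 198.51.100.0/24, the rating names and the sample inventory are all constructed assumptions.

```python
"""Rate CPE remote-management exposure by the number of defence layers left."""
import ipaddress
from dataclasses import dataclass

# Assumption: the ISP's dedicated management network (documentation prefix).
MGMT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Management protocols that protect credentials and commands in transit.
ENCRYPTED = {"ssh", "https", "snmpv3"}

# Three independent layers are checked; the rating is how many remain intact.
RATING = {3: "ok", 2: "degraded", 1: "at-risk", 0: "critical"}


@dataclass
class MgmtService:
    protocol: str              # e.g. "telnet", "ssh", "snmpv2c"
    allowed_sources: list      # ACL source prefixes; empty list means no ACL
    default_credentials: bool  # factory password or community string in use


def outside_mgmt(allowed_sources):
    """Return the ACL entries that admit sources beyond the management network."""
    if not allowed_sources:
        return ["0.0.0.0/0"]  # no ACL at all is equivalent to allow-any
    escaped = []
    for text in allowed_sources:
        net = ipaddress.ip_network(text, strict=False)
        inside = any(
            net.version == mgmt.version and net.subnet_of(mgmt)
            for mgmt in MGMT_NETWORKS
        )
        if not inside:
            escaped.append(str(net))
    return escaped


def audit_service(svc):
    """Return one finding per broken layer for a single management service."""
    findings = []
    if svc.default_credentials:
        findings.append("DEFAULT_CREDENTIALS")
    if svc.protocol.lower() not in ENCRYPTED:
        findings.append("CLEARTEXT_PROTOCOL")
    escaped = outside_mgmt(svc.allowed_sources)
    if escaped:
        findings.append("ACL_TOO_WIDE:" + ",".join(escaped))
    return findings


def audit_device(services):
    """Rate a device by its weakest management service."""
    per_service = {s.protocol: audit_service(s) for s in services}
    layers = min((3 - len(f) for f in per_service.values()), default=3)
    return {"rating": RATING[layers], "findings": per_service}


def audit_fleet(inventory):
    """Map each device serial to its audit result."""
    return {serial: audit_device(svcs) for serial, svcs in inventory.items()}


# Constructed sample inventory (serial numbers and settings are invented).
INVENTORY = {
    "CPE-0001": [MgmtService("telnet", [], True)],
    "CPE-0002": [MgmtService("https", ["198.51.100.0/24"], False)],
    "CPE-0003": [MgmtService("ssh", ["198.51.100.0/25", "0.0.0.0/0"], False)],
    "CPE-0004": [MgmtService("snmpv2c", ["198.51.100.16/28"], True)],
}

if __name__ == "__main__":
    for serial, result in sorted(audit_fleet(INVENTORY).items()):
        print(serial, result["rating"], result["findings"])
```

A device rated "degraded" or "at-risk" is the case the comment describes: one layer has failed and the remaining ones buy time to fix it, while "critical" means nothing stands between the management service and the internet at large.
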
    8. Re:Yet another case for VPN tunnels by Anonymous Coward · · Score: 0

      use a respectable router (e.g. VyOS/Edgerouter)

      EdgeOS 1.9.1 still doesn't have the latest version of OpenVPN so it doesn't support TLS 1.2. Not sure I would call it respectable if you ask me. Multicast support is shit too.

  6. Linux Fails It by Anonymous Coward · · Score: 1

    This is why I only use Windows IOT Core based devices.

    1. Re:Linux Fails It by Anonymous Coward · · Score: 2

      Yeah, a Windows device would never just reboot to apply a new windows-upda"/(*)/)"(/ç"ç

      NO CARRIER

  7. Good! by Anonymous Coward · · Score: 0

    If those devices were infected successfully by BrickerBot that means those same devices were also susceptible to being infected by Mirai or other malware. The fact that this device is being handed out to customers in an unsecured state by an ISP is even more appalling, they should know better. It may be doing damage, but I sincerely hope BrickerBot shocks manufacturers (or at the very least this idiotic ISP) into securing their devices.

    1. Re:Good! by Doke · · Score: 1

      Yes. This merits a class action against the ISP, for distributing defective routers.

    2. Re: Good! by Anonymous Coward · · Score: 0

      It's par. Comcast and other cable providers do the same thing. An example being the 100,000+ still in use Arris modems with multiple unpatched backdoors that still show up on Shodan. Brickerbot is probably targeting them as well.

  8. Bricked or not? by Nkwe · · Score: 4, Insightful

    From the summary

    All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.

    If the bricked devices were fixed, then they really were not bricked.

    1. Re:Bricked or not? by Anonymous Coward · · Score: 0

      Cue post asininely claiming that the meaning of the word "bricked" has changed in 3,2,1...

    2. Re:Bricked or not? by Anonymous Coward · · Score: 0

      I suppose it's much like "hacking" has become synonymous with script kiddies and stolen passwords. Sure, an event happened. Might have temporarily broken the normal functionality but it certainly doesn't seem like bricked was the correct word. Disabled. Hmm, there's a word that may work! Maybe not, I didn't RTFA after all.

    3. Re:Bricked or not? by Anonymous Coward · · Score: 3, Informative

      Bricked means the device is unsalvageable (by the end user.) You can typically salvage such devices by returning them to the manufacturer and having them JTAG the device to replace the firmware. Most cable/DSL modems can be updated via TFTP, but only if the device hasn't been wrecked beyond recovery.

      For example, any wireless router/modem can be destroyed permanently by setting the radios to maximum power and then connecting to each other so that they generate excessive amounts of EM radiation and eventually it will melt the amplifiers on at least one of the radios. It's like going from sitting inside a jet to sitting in front of the jet engine.

      DOCSIS cable modems can also destroy an entire neighborhood, trash the firmware in the right way and the cable modem will scream over the RF line and take out everyone's modems. Not too different from how old pre-docsis modems would drown out a neighborhood every time someone loaded up winmx or kazaa

    4. Re:Bricked or not? by Anonymous Coward · · Score: 0

      Indeed sir. Es! Please keep defending the term bricked so boners won't say they "bricked their phones" when they have to reboot it to fix it. Thank you sir and again I say THANKYOU!

    5. Re:Bricked or not? by Anonymous Coward · · Score: 0

      All the Sierra Tel modems bricked in this incident were Zyxel HN-51 models, and it took Sierra Tel almost two weeks to fix all bricked devices.

      If the bricked devices were fixed, then they really were not bricked.

      In this case "fix it" means they sent the bricked device back to the manufacturer to get another one, while replacing the customer's device with another one.

      The bricked device will not be repaired such that it will not be bricked.
      The bricked device is just being put "out of sight out of mind" while getting another not-yet-bricked device in return for free.

    6. Re:Bricked or not? by Jesus_666 · · Score: 1

      Some people distinguish between "soft-bricked" (the device stops working but can still be revived with user-available measures going beyond normal configuration*), "hard-bricked" (the device stops working and can only be revived with tools unavailable to an ordinary user**) and "broken" (the device is dead and can only be replaced***). In this case the routers appear to have been hard-bricked as they stopped working and had to be physically accessed by the vendor in order to restore functionality.

      * E.g. using Fastboot to flash a new firmware to an Android phone.
      ** E.g. using JTAG to flash a new bootloader as the device can't even go into Fastboot mode anymore.
      *** E.g. my Zuk Z1.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)

    7. Re:Bricked or not? by ArchieBunker · · Score: 1

      I don't think you can ever permanently "brick" something. In this case they probably reflashed the firmware through the JTAG port or something similar. Bricked to the consumer but not the supplier.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard

    8. Re: Bricked or not? by Anonymous Coward · · Score: 0

      Bricked does not mean permanently destroyed. If you need an eprom flashing device to rewrite the firmware rom, that counts as bricked. Bricked means:

      1. It does not boot, and
      2. It cannot be fixed, or cannot be fixed without special hardware for flashing roms etc.

      I.e., a bricked device does not have a functioning bios/bootloader.

    9. Re:Bricked or not? by Anonymous Coward · · Score: 0

      That is not true. Physically connecting the antennas together may damage the receiver of the other radio, but most wifi systems are single radio MIMO. So they are either all transmitting or all receiving. Most wifi power amplifiers have a maximum input power of >+10dBm, the pre-driver is unlikely to be able to deliver this.

      Docsis modems cannot damage other modems, at most kill the service temporarily, since directional couplers are present in the cable network taps. The network also frequently has one-way amplifiers that pass the downlink band one way and the uplink band the other way. Besides that, the maximum input power for docsis is quite high, higher than what most modems can deliver at maximum transmit power so even with a direct connection it is unlikely to harm anything.

    10. Re:Bricked or not? by swillden · · Score: 2

      I don't think you can ever permanently "brick" something. In this case they probably reflashed the firmware through the JTAG port or something similar. Bricked to the consumer but not the supplier.

      You can permanently brick a device, even without hardware damage. Phones, for example, should have JTAG completely disabled for security (though many OEMs fail to do this), and depending on various bits of low-level config devices can get into a completely unflashable state. If the onboard firmware that accepts flashed images does something like sign the images with a key embedded in the SoC, and the ROM refuses to run unsigned firmware, and you can't flash normally any more, then even removing the flash memory and writing to it directly may not revive the device.

      Plus, software can sometimes do hardware damage, which can perma-brick.

      But, yeah, in the vast majority of cases where a device is "bricked", it can actually be revived by the manufacturer or their RMA centers. Even if JTAG isn't available and the system is tightly locked down, they typically have some keys they can use to sign messages to disable portions of the security infrastructure, specifically so that they can revive (and resell) bricked devices.

      I do low-level Android development and end up bricking a few devices every year. It's pretty rare that they can't be revived by the manufacturer, but it does happen.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

    11. Re:Bricked or not? by Anonymous Coward · · Score: 0

      efuses....yes, you can brick some devices that become unrecoverable even by manufacturers...

    12. Re:Bricked or not? by TheStickBoy · · Score: 1

      Correct :)
      Bricked: "You Keep Using That Word, I Do Not Think It Means What You Think It Means"

  9. Since when are modems IoT devices? by Anonymous Coward · · Score: 1

    Modems are not "Things." They are necessary infrastructure.

    1. Re:Since when are modems IoT devices? by Anonymous Coward · · Score: 1

      Walks like a duck, talks like a duck. Modems were the first "things" of the internet.

    2. Re:Since when are modems IoT devices? by Jamu · · Score: 1

      Everything is a thing.

      --
      Who ordered that?

  10. Companies deploy hardware without any upgrade plan by jfdavis668 · · Score: 3, Informative

    Companies rent you hardware, and they give no thought to upgrades. Not only ISPs, but cable boxes and other such devices. As long as it works when installed, that's good enough. To be properly secure, you need to keep up with security updates.

  11. Yeah, go ahead, blame TRUMP by Anonymous Coward · · Score: 0

    Like his shit-for-brains could possibly do anything that some ruskie-funneled plant didn't tell him to do. Hm.

  12. Liability by sit1963nz · · Score: 4, Interesting

    Perhaps it is time that manufacturers have to accept liability for faulty software.

    There are many things that are considered bad practice (or outright stupidity) that make it into the consumer market, these should be punished.
    The lack of timely firmware updates (or even any updates), should be punished.
    Hardcoded accounts/passwords should be punished
    Telnet/SSH access from the DSL side on by default should be punished
    Wireless not requiring a password (a complex one !) before the wireless can be enabled should be punished

    If manufacturers had to shell out $1000 per item for this sort of behaviour a lot would go to the wall, the others would clean up their act quickly.

    And NO, manufacturers can not opt-out/contract out of this (if they try, make it $5000 an item).

    Sure, no software is perfect, but that's not the problem, it's that so much junk is put out there with no attempt to make it secure. The average home user can not be expected to do this themselves.

    1. Re:Liability by Ryanrule · · Score: 1

      Websites should be liable for malware ads.

    2. Re: Liability by Anonymous Coward · · Score: 0

      Modems are generally not allowed to be flashed by the end user anyway. Even ones bought by the end user and not rented through the isp.

    3. Re:Liability by Doke · · Score: 1

      This makes a lot of sense. They have complete control over how the device leaves their factory, and the ability to easily (and cheaply) offer upgrades. There's no good excuse for not supporting their gear. It does cost money to support existing sales, but that's part of being a responsible manufacturer. This translates directly to sales. Irresponsible ones get trashed in reviews.

    4. Re:Liability by Doke · · Score: 1

      This is problematic. Often, a website signs on to an ad network, by placing a link to a rotating ad image. Then the ad agency screws them over by placing inappropriate content on that link. The site owner never intended to put anything nasty on their site, but the ad agency was negligent. You can say this will flow through to the ad agency through complaints, but they tend to have lock-in contracts, and similar stupidity. In the end, the website owner loses.

      This is why I prefer to contribute money via a site's store, or maybe Patreon, rather than allow ads on a site.

    5. Re:Liability by eyenot · · Score: 1

      *applause*

      I want to go a step further: fuck firmware. Make the god damn controllers work properly in the first place. Test every way imaginable even if it adds months before the manufacturing process. If you fuck up, send your customers replacement ROMs. If they don't know how to desolder the old one and install the new one properly, fuck them, too because they're worthless pieces of shit. Take consumer high tech out of the fucking dark ages.

      --
      "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee

    6. Re:Liability by Ryanrule · · Score: 1

      So kill the ad networks. Everyone wins.

    7. Re:Liability by sit1963nz · · Score: 1

      The average user does not read reviews. They use the modem/router that was supplied to them by their ISP.

      By the time the unit is in the consumer's hands it's already too late, the effort needs to be made right at the concept stage right through to manufacturing.

      Most ISPs regard the modem as throw away items, it's cheaper for them to supply something new than to support something old. The manufacturers work on the basis that they want to sell something new and not support something old.

      Neither the manufacturer or the ISP has the consumers' interests at heart, self regulation is not working, so now it needs "the waving of the big stick" to ensure a reasonable minimum standard of care.

    8. Re: Liability by sit1963nz · · Score: 1

      I have flashed my modem at least twice and the previous one probably 3 times.

      My New Zealand ISP has no problems with people upgrading the firmware, especially those that know enough to do it.

    9. Re:Liability by mentil · · Score: 1

      Won't happen in any broad sense. Imagine this scenario, which would quickly go into effect if any statutes were passed or frequent civil liability suits gave judgments against them:

      Shell company sells a new modem, licensing the name of some well-known company (e.g. Belkin). They produce the modem for 2 years, releasing periodic updates for the firmware. Upon product discontinuation, the shell company folds, and the liability now rests on a nonexistent company. Every product has its own associated shell company. All the money goes back to the mothership (licensing fees, natch) and there's no official ownership by anyone with serious cash. Lawsuits are held up in court for years, judgments happen after the company has already folded and they have no assets.

      Either that, or your formerly $50 modem now costs enough to cover an insurance policy that costs more than the device itself. People would then just buy Xiaomi modems online that are even less secure than what they were using before.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.

    10. Re:Liability by XparXnoiaX · · Score: 1

      Yes. Sometimes the bug is hard to stop, but sometimes it's a clear case of negligence. The manufacturer just doesn't care.

      --
      Irresponsible disclosure is responsible

    11. Re:Liability by lewistown · · Score: 1

      I like this idea on the surface, but most attacks against these devices are not persistent. Using a rom will only slow the upgrade process when bugs are found and prevent wasteful bricking attacks. For botnets, it's worlds easier to just reinfect when the device comes back online.

    12. Re:Liability by Anonymous Coward · · Score: 0

      If it were that easy, any producers of machinery currently regulated by liability laws would be doing it already.

    13. Re:Liability by Anonymous Coward · · Score: 0

      I'd go further - the software developer who introduced the bug should get jail time.

      That will put the fear of god into you geeks.

    14. Re:Liability by cdrudge · · Score: 1

      Except any website that relies on the ad revenue to operate.

    15. Re:Liability by jbmartin6 · · Score: 1

      If we were capable of making things at this level of complexity work properly in the first place the world would be a very different place.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    16. Re:Liability by sjames · · Score: 1

      What would actually happen is websites would demand indemnity from the ad networks. Any ad network that wanted to actually push ads to anyone would be forced to accept that term. Then, with the financial burden being on them, they might actually screen the ads they serve.

    17. Re:Liability by Anonymous Coward · · Score: 0

      Congratulations! You've just rediscovered the movie industry method of operation. Every film is a separate company. $BIGCORP charges all sorts of overhead and other 'costs' to the movie in order to transfer the revenue. The movie always loses money so those getting a % of the net never get anything. Helps to minimize taxes too. And if the brand name is licensed how can we be sure it isn't happening already?

    18. Re:Liability by Anonymous Coward · · Score: 0

      The average home user can not be expected to do this themselves.

      Maybe not all of it, (Although in an ideal world they would be.), but most average users today just plug it in and expect it to do whatever they purchased it for with no further configuration done by them. Not even something simple like changing the default password, it must "just work". Their expectations are horrible. Apathy for security will not help you, and it's the reason why crap is as bad as it is. They should be expected to do some basic things, like making sure the auto-updater actually checked for updates recently, or how to open a firewall port without running UPNP. At the very least how to restore the device to factory defaults when everything goes south. (The old recovery disk thing.)

      Yes I wouldn't expect them to set up an IPSec connection, or deal with RADIUS, but the average person needs to be responsible for some of their security. Otherwise we get "generalized security" where the configuration is too strict for some use environments and not strict enough for others, or given a UI and documentation that even the developers themselves couldn't figure out because no-one tried to use it before release. We also get used to unsafe practices. Like password reuse, and giving away info without first asking why the recipient needs it. That needs to change.

      I do agree that manufacturers need to be held more accountable than they are. They have their own misgivings that need correction, like locking away vulnerable code behind signatures that prohibit owner modification / repair, but responsibility is a two way street. A two way street that hasn't seen much use lately.

  13. Yeah by Ryanrule · · Score: 1

    Fuck this poster. Prob a malware crim

    1. Re:Yeah by eyenot · · Score: 1

      I wouldn't care if they were. I was highly entertained and informed by this story. I might break karma just to mod down your lousy comment as flamebait.

      --
      "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
    2. Re:Yeah by Ryanrule · · Score: 1

      One of the actors is shutting down malware threatened devices. But this article calls them equal. You blind?

  14. Re:Companies deploy hardware without any upgrade p by Doke · · Score: 1

    What security upgrades? Most of these manufacturers never try to upgrade their IoT crap. They drop it, and move on.

  15. "At the beginning of the month... by eyenot · · Score: 1

    ... on April 10."

    Come for the nerd-news; stay hard for the WTFs.

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  16. Good... by drew_92123 · · Score: 1

    Maybe all these folks that have been affected will start demanding more from manufacturers in regards to making sure these devices are secure and that security updates are provided on a regular and timely basis.

  17. King Graham has fallen so far! =( by An+Ominous+Cow+Erred · · Score: 3, Informative

    For those not in the know, this company is the heir to Sierra On-Line/Sierra Entertainment/Yosemite Entertainment in Oakhurst, CA. They created King's Quest, Space Quest, Police Quest, Leisure Suit Larry, et al. After the studio joined Codemasters they remained in Oakhurst until at some point it became an ISP. I'm not sure if any of the original folk are still there.

    Relevant Wikipedia Entry

    (The Sierra name lives on as a trademark of Activision, but in name only. The hallowed halls of that great studio are now an ISP.)

    1. Re:King Graham has fallen so far! =( by An+Ominous+Cow+Erred · · Score: 2

      To clarify, at one point Sierra tried to create their own online gaming network. This was *NOT* an internet-based network, but something you could connect to directly via dialup with a POTS modem. This later on became the ImagiNation network, which was purchased by AT&T.

      https://blog.codinghorror.com/...

      As I understand it, the facilities originally created for this (since upgraded to support DSL service) were repurposed by the people involved into an ISP. All of this is based in the old Sierra headquarters in Oakhurst. It's funny, because what was originally "On-Line Systems", with no networking component, later became "Sierra On-Line". This became "Sierra Entertainment", which then attempted to create an on-line network, which later became an ISP. Therefore SierraTel is now more "on-line" than "On-Line Systems" ever was.

  18. Re: Companies deploy hardware without any upgrade by Anonymous Coward · · Score: 0

    My cable company gave us all new DOCSIS 3 modems last year. They were about to upgrade us all to 300 Mbps from 200.
    Then they merged and are now Spectrum who proudly announces how they are upgrading us to 60 Mbps and it's so much better than AT&T.

  19. While true, that's insufficient and impractical by raymorris · · Score: 2

    True, it would be much more secure (in one way) if administration was only possible from the local, lan-side port. However, that's neither practical nor sufficient.

    First, some people can't effectively and reliably admin their own modem. They need the cable ISP to manage it. The ISP is on the external side. So the ISP needs access from the outside. That *should* be secured reasonably well, though.

    Second, iframe src=http://192.168.1.1/admin/changepasswd.php?newpass=yourfucked

    Putting that into any web page will cause the browser, which is on the internal network, to access the router or modem. So restricting access to be from the local network only is insufficient for security.

    1. Re:While true, that's insufficient and impractical by Anonymous Coward · · Score: 0

      Except your fake scenario fails to take into even the most elementary thought of authentication. If you're going to pretend to be clever, at least pass a cookie with your terrible "hack".

      Any backdoor for the ISP is an invitation for an attacker.
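
The exchange above turns on whether a LAN-side admin page can tell a request its owner made from one that some other site's page triggered through the owner's browser. As an added example (not code from the thread or from any vendor's firmware), here is a sketch of the checks an admin handler can apply; the function name, the header handling, the token scheme and the sample requests are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumptions: names the admin UI is served under, and which paths change state.
ALLOWED_HOSTS = {"192.168.1.1"}
STATE_CHANGING = {"/admin/changepasswd.php"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def check_admin_request(method, target, headers, session):
    """Return (allowed, reason). headers: lower-cased names; session: dict or None."""
    # A Host header the device does not own points to DNS rebinding.
    if headers.get("host", "").split(":")[0] not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    if session is None:
        return False, "not authenticated"
    if method in SAFE_METHODS:
        # A GET must never change state, whatever its query string says.
        if urlsplit(target).path in STATE_CHANGING:
            return False, "state change requires POST"
        return True, "read-only"
    # The login cookie alone proves nothing here: a browser may attach it
    # to requests that another site's page triggered.
    source = headers.get("origin") or headers.get("referer", "")
    if urlsplit(source).hostname not in ALLOWED_HOSTS:
        return False, "cross-origin"
    sent = headers.get("x-csrf-token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return False, "bad CSRF token"
    return True, "ok"


# Constructed sample data (not captured traffic).
SESSION = {"user": "admin", "csrf_token": "constructed-token-123"}
LAN = {"host": "192.168.1.1"}
SAMPLES = [
    ("GET", "/admin/changepasswd.php?newpass=x",
     {**LAN, "referer": "http://example.test/page"}),
    ("POST", "/admin/changepasswd.php", {**LAN, "origin": "http://example.test"}),
    ("POST", "/admin/changepasswd.php",
     {**LAN, "origin": "http://192.168.1.1", "x-csrf-token": "constructed-token-123"}),
    ("GET", "/admin/status.php", {"host": "rebind.example.test"}),
]

if __name__ == "__main__":
    for method, target, hdrs in SAMPLES:
        print(method, target, check_admin_request(method, target, hdrs, SESSION))
```

Only the third sample, a same-origin POST carrying the session's token, is accepted; the other three are refused even though the first two arrive with a valid login session.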

  20. Have you modified your toaster yet? by Overzeetop · · Score: 3, Insightful

    1) I was unaware that websites currently require that you manually execute each script

    2) Show me a commercial OS with a supplied browser that includes a good adblocker and a NoScript installed and properly configured by default.

    Computers are basically appliances for 80% of the users on the internet now. I can mod my toaster and replace the plug with a grounded type, and only plug it into a GFCI outlet to reduce the risk of shock, but everybody else just plugs theirs in and makes toast. Until OS makers start putting actual, safe browsers on their products, instead of the two-bare-wires versions they currently include, the problem isn't actually with the users. It's with the negligent programmers.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Have you modified your toaster yet? by Anonymous Coward · · Score: 0

      Well, the programmers at $megacorp are effectively just replaceable machines, from a philosophical perspective, and so is most of management. It is the investors and the executives who are to blame, as always, for any flaw in their own plan. They set the priorities and the goals.

      Having said that, it is much easier to punish a bunch of programmers than it is to punish an executive.

  21. free repetition of doubtful words by Thud457 · · Score: 1

    that damn vigilante hacker bricked my router!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  22. Comment on Bleeping... by ACE209 · · Score: 1

    I like the first comment on that article:

    woody188:
    Wish Janit0r would change phase two so that it instead redirects all outbound requests to a page explaining what is wrong with the device and to contact their ISP. At least for modems/routers this would be much more preferable to just bricking a device and would empower the person to get help and maybe even salvage their device should an update be available. Vigilantes don't hurt the innocent! You listening Janit0r?

    Nice idea. Ideally someone else should host that site.

    --
    "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
  23. Re:Companies deploy hardware without any upgrade p by sims+2 · · Score: 1

    At work we have a att ADSL2+ modem with the software modified to disable the disconnection redirect and disable updates.

    They really really want their modem to brag every time it loses connection which would be ok but they don't have no-cache set so once the connection resets you have to close out of whatever you're doing to get it to stop redirecting to the modem status page.

    They issued a firmware update to the modem so you couldn't modify it but didn't add the no-cache option required to fix the problem that made people need to modify it in the first place and that's why updates are blocked.

    Maybe this is an example of DIMSS?
    https://ask.slashdot.org/story...

    Internet @ATT Hey your modem software sucks! here's how to fix it:*fix instructions here*
    ATT @internet no thanks we don't want our equipment to work *tears up fix instructions*

    --
    Minimum threshold fixed. Thanks!
  24. You left your car unlocked... by hillbluffer · · Score: 1

    You left your car unlocked, so I've removed the engine to prevent anyone from stealing it!

  25. concomitant by aicrules · · Score: 1

    concomitant concomitant concomitant

  26. Brilliant by hackel · · Score: 1

    I just adore BrickerBot more and more each story I read about it. This is the best solution, and sadly the financial impact is the only way to make these companies take security seriously.

  27. Embarrassing for Sierra Tel by ilsaloving · · Score: 1

    So this ISP was handing out shoddy insecure modems by the truckload, leaving all their customers susceptible to attack.

    It's bad enough that these kinds of crappy devices exist on the market in the first place, but for an ISP to peddle the things... that's inexcusable. IMO the ISP needed this firm punch in the nose.