Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Botnet Security Communications Network Privacy The Internet

New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com) 163

An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the amount of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."
This discussion has been archived. No new comments can be posted.

New Destructive Malware Intentionally Bricks IoT Devices

Comments Filter:
  • by Anonymous Coward on Thursday April 06, 2017 @05:43PM (#54188269)

    carry on.

    • Carry on... (Score:5, Interesting)

      by monkeyzoo ( 3985097 ) on Thursday April 06, 2017 @08:31PM (#54188963)

      ... for the greater good:
      1) protect individuals and society from the harms of shoddy IOT devices.
      2) punish the companies producing them and create economic imperatives to design in security.

      • Win Win all around. Give those men a cookie!

      • For some reason, this reminds me of Team Rocket's entrance act.

    • by Zocalo ( 252965 ) on Friday April 07, 2017 @03:06AM (#54189909) Homepage
      Ordinarily, I'd condemn this kind of vigilante action, but in this instance I'm hardly struggling with it at all. Mirai kicked off in early September 2016. It's now April 2017. That's six full months, almost to the day, that device owners, ISPs, and vendors have had to secure their devices, filter inbound scanning/outbound end-user traffic, and produce update firmware, yet there's very little evidence any of that is happening at scale (shocking, I know), so it's clearly not going to. The rest of us, meanwhile, have been subjected to continual port scanning and DDoS attacks. Taking vulnerable devices out of commission, placing the cost of that on owners and vendors, plus pressure from both on ISPs to start to filter the malicious traffic, is clearly the only approach that is going to work at this point, and might even encourage vendors to put a little more thought into security in future.

      Carry on indeed. Hell, post the code like the original Mirai author did - we might as well wrap this up as fast as Mirai and its clones were able ramped up. Open Source, ftw!
      • by Zocalo ( 252965 )
        Oh, yeah. Just in case the author(s) are reading this, for v2.0, you might want to consider looking into the following popular IoT ports as well (there are others, but these are the ones with the most activity):
        22 - SSH
        2222 - alt. SSH
        2323 - alt. Telnet
        5358 - Web Services API
        6789 - Dahui admin port?
        7547 - TR-069 management port
        23231 - alt. Telnet
        37777 - CCTV port forwarding

        You're welcome.
  • by mlheur ( 212082 ) on Thursday April 06, 2017 @05:44PM (#54188275)

    Despite how malicious this is, I'm oddly OK with it.

    • by Anonymous Coward

      As a BoFH I also am. Secure your crap or higher somone to do it.

    • by mellon ( 7048 )

      Yeah, this is wrong, so wrong, and yet I'm having a lot of trouble getting worked up about it. If your device is that hackable, it probably needs to be bricked for the sake of humanity. The Internet of Things That Go Bump In The Night gets exorcised...

      • by Anonymous Coward

        Same here. I feel sorry for the person who's equipment no longer works, but these idiot companies have got to get off their ass and secure their shit.

        I hope this creates a global class action lawsuit against all manufactures of any IoT device.

      • I can break into your house because it's not secure enough. Is that OK too?

        Just because something isn't locked doesn't mean it's OK to access it. You're either civilized or you're not, and the person who released this code should be having a long stay in jail to think about the morality of what they've done.

        • by rgmoore ( 133276 ) <glandauer@charter.net> on Thursday April 06, 2017 @07:23PM (#54188689) Homepage

          I can break into your house because it's not secure enough. Is that OK too?

          If the house has already been taken over by a criminal gang, it's a different matter. That's a better analogy with a lot of these insecure IoT devices. They aren't just sitting there innocently; if they're vulnerable to being shut down by this malware, they're also vulnerable to being taken over by botnets. This is not just a theoretical worry; some of the big recent DDOS attacks have been by IoT device botnets.

          • I might punch you in the face some day. Possibly even shoot you. So, is it right to preemptively kill me just in case?

            No. Until there's an imminent credible threat, it's not right to take ANY kind of action against me.

            Same with these devices - the fact that they COULD be compromised in the future and used for destructive purposes is not sufficient justification for attacking them. Once they are and are being used to commit a crime, then yes, they should be open season.

            Now, if you want to start a class a

            • OK how about this, They have been comprimised. And they were killed for it. Does that make you happy?

            • If I see a burning house and a garden hose, I'm not going to wait to ask permission to enter the yard and utilize their water resource.

              • I'm cool with that. However, if you walk into my yard and take my hose and start spraying down my house because it could conceivably catch fire, I'm going to have words with you. Particularly if the windows are open.

                • You're grasping for apples and oranges. Attempt to apply your analogy to the actual events and see if it fits.

                  Is it even possible to brick an IoT device that isn't a public threat?

                  You're saying your house wasn't on fire. I'm saying I don't care, there was smoke and flames pouring out the window and your words don't change that.

                  • What I am trying to say is that destroying people's property on the assumption that it might be a threat later on is wrong. Nobody's claiming that the bricking was justified because the devices were actually causing harm, and argument I'd be more sympathetic to. Nobody's pointing to smoke and flames. People are just saying that, if it might present a threat, the intruders are justified in bricking it.

                    As to whether it's possible to brick a device that's not a public threat, I don't know. It seems like

                    • Nobody is misunderstanding you, it is just that when they say, "these devices are already a threat," and you say something like, "I don't see them as a threat," then you are in no way contradicting what others say. You're saying they're wrong, but the case you makes only says you wouldn't do what they did, not that they were wrong. We know for a fact that many of us believe these devices to be a threat as soon as they're connected to the network without being secured. In the same way that if a neighbor pile

            • There IS an immediate credible threat. A device that can trivially be taken over IS a threat.

              What you have here is a loaded weapon lying right out in the front yard. Any criminal can walk by, pick it up and use it to commit a crime. Do you think this gun should be removed?

        • by rtb61 ( 674572 )

          Don't think of it as breaking into some ones house. Think of it as spraying over someone's extremely reflective walls and roof blinding everyone around them with glare.

        • I can break into your house because it's not secure enough. Is that OK too?

          If you are my neighbor and you go away for the weekend and your external alarm goes off and nobody comes to shut it off and it doesn't turn off when I switch off your external panel (assuming you have one) I'm definitely going to bash it in with a hammer.

          If you have a device on your network making attacks against other people's resources, don't be surprised if they shut it down. And be happy that they didn't just rejigger it to flood your local network with shit traffic.

        • by freeze128 ( 544774 ) on Thursday April 06, 2017 @11:58PM (#54189475)
          I don't like your analogy because peoples houses aren't ALWAYS targeted by criminals. How about we replace "your house" with "your local bank".

          Suppose your local bank just left money lying around on the floor of the lobby. If anyone takes that money, they are stealing. Is that OK? Of course not, but it's really risky and stupid to keep it there in the first place. Also, in order to be FDIC insured, the bank needs to take at least some minimal precautions, like storing the money in a vault, and maybe having an armed guard. If the bank doesn't do this, they would probably be robbed the most, and the FDIC would not insure them. Result - The bank would quickly go out of business and close.

          The malware is breaking the law by bricking the device, but in this scenario, I'm the fucking FDIC, bitch! I demand better security on your IOT device, or you must shut it down.
        • You're either civilized or you're not

          My, how sophisticated!

          By the way, sitting in jail is likely to cause thoughts about ethics, not thoughts about morality. There is a difference.

        • If you install a revolving door and your home is used as a squat by the local crack junkie population who terrorize the neighborhood, and the police doesn't do diddly squat against it, what should I do as your neighbor? Grin and bear it?

          • Tell you what. You might install a revolving door and invite the crack junkies in. I can't know you won't. Is it OK if I burn your house down now to avoid that problem?

        • It's probably more like cruising around all the streets in the world looking for houses that are empty but have their doors open. Then, going into the house and barricading all the doors and windows so that no one (not even the owner) can get in without some specialist help (eg. locksmiths, trades people etc).

    • Exactly my first thought! Insecure "IoT" devices NEED to be disabled from accessing the internet and fucking it up for the rest of us. Besides, how can we watch our ads?!?
    • Re: (Score:3, Insightful)

      by Snotnose ( 212196 )
      Yeah, came here to say this. Surprised I'm in the majority on this.

      If you can't figure out how to secure your device, or you are unable to do so, then so sad too bad. Hope a bunch of IoT vendors go tits up.
      • by networkBoy ( 774728 ) on Thursday April 06, 2017 @06:22PM (#54188429) Journal

        I'm not.
        I think most here on /. are of this general opinion. It's machiavellian for sure, but really does have the whole "Ends justify the means" feel to it.

        Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed. If it only costs the end users money then not a ton will really happen.

        • It is wrong yes ... but so is the OEM's.

          SInce we have a overly conservative government at all 3 branches in the US you know nothing will ever be done about this problem for American companies that make these. The free market doesn't work as most users do not know what security is. Their phone is on the net so what is so bad about a camera etc.

          So why change? We are the externalized costs but they do not ever see accountability.

          Now comes payback. Even freaking routers are cloud IOT based these days?!! There a

          • Even freaking routers are cloud IOT based these days?!!

            What the hell does that even mean? What does IOT even mean? Since when did routers (which have always had vulnerabilities and don't get patched often) get lumped in with light bulbs and security cameras? What about unpatched servers or workstations with direct connections to the internet (think cloud hosting providers)? Routers are the "things" that are responsible for traffic going anywhere. Servers are "things" that provide access to services on the internet. I guess the enter internet is an "intern

        • Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed.

          Such warranty return are mandatory for the OEM to accept in Europe, at least 24 months (I think, it might by 36) and given how recent this IoT craze is, most devices still qualify for such returns.

          The cost might not get all the way to the cheap-ass chinese no-name manufacturer who did actually commit a device with such atrocious security.
          But the cost won't burden the end user, it would at least be a problem for the brand that decided to have their device manufactured, without exerting the necessary caution

        • by eth1 ( 94901 )

          I'm not.
          I think most here on /. are of this general opinion. It's machiavellian for sure, but really does have the whole "Ends justify the means" feel to it.

          Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed. If it only costs the end users money then not a ton will really happen.

          I was thinking it'd be neat if the malware had a database of warranty information and geo-IP-based warranty laws, and it actually tried to figure out if the device was still under warranty. Silently close the backdoor and go dormant if it thinks it's not under warranty, brick it if it thinks it is.

    • Yep. Saw the report and my first thought was "is this really a bad thing?" Better they end up as bricks than fueling a LOIC.
    • Except this is super effective. I approve this medication.
    • by gweihir ( 88907 )

      I don't know about malicious. Seems to be both well-intentioned and working well. Of course, vigilantism can be a problem, but I don't really see that here either. It is hard to fault it when law enforcement has consistently failed to do anything at all about a serious threat. And anybody that took the minimal precautions to secure their devices will not be affected either.

      • Vigilantism logically happens when law enforcement fails to uphold a law that is in the interest of the people. This is why it's not only critical that the law reflects the ideals of the population but also that it's executed. If you have laws that run contrary to what the people consider right, you can only enforce them with force against your own people and you can logically assume that your own population fights you. This is, among other things, what fell communism.

        If you're unwilling or unable to establ

  • by Anonymous Coward on Thursday April 06, 2017 @05:47PM (#54188297)

    If it's secured, then it belongs on the network. If it's not secured, this is the best possible outcome, non-function and removal.

    Good job.

  • Crowdfund? (Score:5, Funny)

    by Anonymous Coward on Thursday April 06, 2017 @05:47PM (#54188299)

    Where is the kickstarter or indiegogo page for this project? I can't find it.

    • Hehehe - sorry, I ran out of mod points this morning.

      I wonder if the people exploiting Mirai for profit will start disinfecting this thing.

  • by evolutionary ( 933064 ) on Thursday April 06, 2017 @05:49PM (#54188305)
    Okay, it was only a matter of time before somebody came around and starting exploiting all the backdoors/weak protection in this IoT(I pronounce "idiot") devices. The funny thing is, this may well be a public service in an odd way. At least no one's life is dependent on these devices..yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake up call we've desperately needed.
    • What about a garage door opener that was bricked and a woman got killed because she was being chased by a maniac and her garage wouldn't let her in?

    • At least no one's life is dependent on these devices..yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake up call we've desperately needed.

      We already have life critical devices compromised. Remember that the early adopters of the IoT was hospitals, which have been compromised already. http://spectrum.ieee.org/view-... [ieee.org]

      While this case was not the result of a hacker, but software error, todays radiation dispenser is about 100 percent likely to be attached to the internet. http://ccnr.org/fatal_dose.htm... [ccnr.org].

      And it wouldn't be too surprising if people have been killed already. We just wouldn't hear abou tit, or the operators might not even kno

    • Intelligent Devices, Internet Of Things.

      Everyone buying them is a good example for the acronym thereof.

    • by zifn4b ( 1040588 )

      IoT(I pronounce "idiot") devices

      The Internet of Things shall henceforth be known as the catchy and marketable Silicon Valley-ish term: ID10T. Marketing companies please feel free to use this idea freely. Want to crank it to 10? ID10T. See how cool that is? You're welcome.

  • Was already broken (Score:5, Insightful)

    by bhetrick ( 1812392 ) on Thursday April 06, 2017 @06:20PM (#54188421)

    These devices were already broken. Now they are non-functional as well.

    • by Anonymous Coward

      That's it. They got the ultimate upgrade.

  • So potentially a stupid question here, but given that we have a severe shortage of IP addresses due to exhaustion of the IPv4 space, how are all of these devices getting publicly addressable IP addresses to allow an incoming connection in the first place? If they're behind a NAT they should be naturally firewalled, otherwise who has the spare IPs to hand out to crappy little IoT devices?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Universal Plug and Play (UPnP) is enabled on most home routers. Most of these insecure IoT devices use UPnP to open port forwarding holes through the home router.

      • Yea that should have been gotten rid of in the 90's

        • Yea that should have been gotten rid of in the 90's

          Right so you can get calls at 10 at night from Grandma guiding her on opening ports on her firewall settings with UDP to get her Ipad's itunes to work. I am sure that would work out great. ... and open a firewall exception for each of the 45 games you have on steam sounds fun too?

          • Right so you can get calls at 10 at night from Grandma guiding her on opening ports on her firewall settings with UDP to get her Ipad's itunes to work

            If uPNP weren't available, iTunes and your games would have been written with some other connection method. They'd be making more use of STUN/TURN/ICE or just ensuring that all connections from the enduser are outbound. uPNP enabled programmers to be lazy in how they engineered connectivity. It is insecure by design, "but hey, since it's ubiquitous, let's use it!"

          • Funny you say that because I live behind a NAT with 0 forwarded ports. iTunes and every one of my steam games work perfectly fine. Try again.

            • Turn off upnp on your Nat router and let me know how well everything works?

              • lol. you dont understand. My router thats before the NAT has UPNP disabled, as has every one ive ever owned. But the NAT router thats ahead of it ALSO does not have UPNP enabled. Not many things require incoming ports(which is what UPNP configures) Everything else is in the packet its self. Should go read up on how the internet works before you once again look like a moron talking to me about the internet and the way it functions.

    • by Dagger2 ( 1177377 ) on Thursday April 06, 2017 @11:07PM (#54189403)

      Fun fact: NAT doesn't naturally firewall anything.

      Here's how you do NAT on Linux: iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE. See that "-o wan0"? The rule, and thus the NAT, only applies to outbound connections. It does nothing whatsoever to inbound connections! You can test this yourself if you want; just take a subnet where inbound connections work, add that NAT rule to the subnet's router, and you'll see that inbound connections continue to work just fine.

      In any case, the answer to your question is that people set up port forwards for their cameras because they want to view the camera when they're away from home. IPv6 would help a lot here because it makes it significantly more difficult to scan for these devices, unlike in v4 where it's pretty trivial to exhaustively scan the entire address space.

    • Most cameras and other things with a phone-based interface will try to automatically open ports on the firewall (via upnp). A lot of routers have upnp enabled by default, and so this works in a lot of cases. For those people with routers that don't play along, the product will ask them to setup port forwarding - let's be honest, most people who just bought a webcam to watch over their driveway will do anything the product tells them to do because they want to watch their driveway when they're out of the hou

  • is playing in the background.

  • by robbak ( 775424 ) on Thursday April 06, 2017 @07:28PM (#54188719) Homepage
    There is no possible argument against this - a device that is built to be connected to the internet, but has a remotely accessible security flaw, cannot be deemed to be 'fit for the purpose for which it was sold', and so the customer is entitled to a full refund, if they desire, regardless of how old the device is.

    Arguably, you could consider installing available security updates within a reasonable timeframe - say, a few weeks after the customer has been informed of them - could be considered basic maintenance, as long as the procedure for applying the update is something that an ordinary user could do. In that case, the manufacturer and retailer could get away with an exchange program for bricked devices, where the devices are sent to a shop with JTAG, serial or other in-circuit programming equipment, or even just providing full instructions on how to unbrick, if this can be done without any additional hardware.

    But if the manufacturer has not provided such updates, then full refund must be paid. And it is the retailer who is on the hook for this - they then have to get recompensed from their wholesaler, etc.
  • And so.. (Score:5, Insightful)

    by ACE209 ( 1067276 ) on Thursday April 06, 2017 @07:39PM (#54188753)
    ..the Internet developed antibodies.
  • by sinij ( 911942 ) on Thursday April 06, 2017 @08:24PM (#54188935)
    This is public service. I hope they catch the wrong guy.
  • Considering most of the people on /. are, in the main, IT sort of people, so it's not very surprising someone decided to take matters into their own hands and sort out the problem themselves. Surprised it took this long. I mean, Mirai's source code was available ages ago, I even downloaded it to take a look. What's amusing is my antivirus only picked it up a couple days ago.

    Good luck to them, I hope they are hiding their tracks properly, because this is still illegal.
    • I've never seen such a consensus on Slasdot before, more than 95% of posts supporting.
      Keep up the good work whoever you are.

  • by drew_kime ( 303965 ) on Friday April 07, 2017 @11:54AM (#54192273) Journal

    They're just bricking it for the sake of bricking it.

    No. They're bricking it for the sake of preventing it from being used in a botnet.

Life is a whim of several billion cells to be you for a while.

Working...