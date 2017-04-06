Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
Win a free pass to OSCON 2017 in Austin, TX May 10-11 courtesy of SourceForge. Click here to enter. ×
Botnet Security Communications Network Privacy The Internet

New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com) 73

Posted by BeauHD from the vigilante-justice dept.
An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the amount of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."

New Destructive Malware Intentionally Bricks IoT Devices More | Reply

New Destructive Malware Intentionally Bricks IoT Devices

Comments Filter:

  • I commend the effort... (Score:1)

    by Anonymous Coward

    carry on.

  • Sledgehammer approach. (Score:5, Informative)

    by mlheur ( 212082 ) on Thursday April 06, 2017 @06:44PM (#54188275)

    Despite how malicious this is, I'm oddly OK with it.

    • Re: (Score:1)

      by Anonymous Coward

      As a BoFH I also am. Secure your crap or higher somone to do it.

    • Re: (Score:2)

      by mellon ( 7048 )

      Yeah, this is wrong, so wrong, and yet I'm having a lot of trouble getting worked up about it. If your device is that hackable, it probably needs to be bricked for the sake of humanity. The Internet of Things That Go Bump In The Night gets exorcised...

      • I can break into your house because it's not secure enough. Is that OK too?

        Just because something isn't locked doesn't mean it's OK to access it. You're either civilized or you're not, and the person who released this code should be having a long stay in jail to think about the morality of what they've done.

        • Re:Sledgehammer approach. (Score:4, Insightful)

          by rgmoore ( 133276 ) <glandauer@charter.net> on Thursday April 06, 2017 @08:23PM (#54188689) Homepage

          I can break into your house because it's not secure enough. Is that OK too?

          If the house has already been taken over by a criminal gang, it's a different matter. That's a better analogy with a lot of these insecure IoT devices. They aren't just sitting there innocently; if they're vulnerable to being shut down by this malware, they're also vulnerable to being taken over by botnets. This is not just a theoretical worry; some of the big recent DDOS attacks have been by IoT device botnets.

          • I might punch you in the face some day. Possibly even shoot you. So, is it right to preemptively kill me just in case?

            No. Until there's an imminent credible threat, it's not right to take ANY kind of action against me.

            Same with these devices - the fact that they COULD be compromised in the future and used for destructive purposes is not sufficient justification for attacking them. Once they are and are being used to commit a crime, then yes, they should be open season.

            Now, if you want to start a class a

        • Re: (Score:2)

          by rtb61 ( 674572 )

          Don't think of it as breaking into some ones house. Think of it as spraying over someone's extremely reflective walls and roof blinding everyone around them with glare.

        • I can break into your house because it's not secure enough. Is that OK too?

          If you are my neighbor and you go away for the weekend and your external alarm goes off and nobody comes to shut it off and it doesn't turn off when I switch off your external panel (assuming you have one) I'm definitely going to bash it in with a hammer.

          If you have a device on your network making attacks against other people's resources, don't be surprised if they shut it down. And be happy that they didn't just rejigger it to flood your local network with shit traffic.

    • Exactly my first thought! Insecure "IoT" devices NEED to be disabled from accessing the internet and fucking it up for the rest of us. Besides, how can we watch our ads?!?
    • Yeah, came here to say this. Surprised I'm in the majority on this.

      If you can't figure out how to secure your device, or you are unable to do so, then so sad too bad. Hope a bunch of IoT vendors go tits up.

      • I'm not.
        I think most here on /. are of this general opinion. It's machiavellian for sure, but really does have the whole "Ends justify the means" feel to it.

        Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed. If it only costs the end users money then not a ton will really happen.

        • It is wrong yes ... but so is the OEM's.

          SInce we have a overly conservative government at all 3 branches in the US you know nothing will ever be done about this problem for American companies that make these. The free market doesn't work as most users do not know what security is. Their phone is on the net so what is so bad about a camera etc.

          So why change? We are the externalized costs but they do not ever see accountability.

          Now comes payback. Even freaking routers are cloud IOT based these days?!! There a

    • Yep. Saw the report and my first thought was "is this really a bad thing?" Better they end up as bricks than fueling a LOIC.
    • Except this is super effective. I approve this medication.

    • Re: (Score:2)

      by gweihir ( 88907 )

      I don't know about malicious. Seems to be both well-intentioned and working well. Of course, vigilantism can be a problem, but I don't really see that here either. It is hard to fault it when law enforcement has consistently failed to do anything at all about a serious threat. And anybody that took the minimal precautions to secure their devices will not be affected either.

  • If pwnable easily it must die - network darwinism (Score:2, Interesting)

    by Anonymous Coward

    If it's secured, then it belongs on the network. If it's not secured, this is the best possible outcome, non-function and removal.

    Good job.

  • Crowdfund? (Score:5, Funny)

    by Anonymous Coward on Thursday April 06, 2017 @06:47PM (#54188299)

    Where is the kickstarter or indiegogo page for this project? I can't find it.

    • Hehehe - sorry, I ran out of mod points this morning.

      I wonder if the people exploiting Mirai for profit will start disinfecting this thing.

  • We knew it was coming... (Score:5, Interesting)

    by evolutionary ( 933064 ) on Thursday April 06, 2017 @06:49PM (#54188305)
    Okay, it was only a matter of time before somebody came around and starting exploiting all the backdoors/weak protection in this IoT(I pronounce "idiot") devices. The funny thing is, this may well be a public service in an odd way. At least no one's life is dependent on these devices..yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake up call we've desperately needed.

  • Was already broken (Score:3, Insightful)

    by bhetrick ( 1812392 ) on Thursday April 06, 2017 @07:20PM (#54188421)

    These devices were already broken. Now they are non-functional as well.

    • Re: (Score:1)

      by Anonymous Coward

      That's it. They got the ultimate upgrade.

  • So potentially a stupid question here, but given that we have a severe shortage of IP addresses due to exhaustion of the IPv4 space, how are all of these devices getting publicly addressable IP addresses to allow an incoming connection in the first place? If they're behind a NAT they should be naturally firewalled, otherwise who has the spare IPs to hand out to crappy little IoT devices?

  • is playing in the background.

  • If this happens to you, get a full refund. (Score:3)

    by robbak ( 775424 ) on Thursday April 06, 2017 @08:28PM (#54188719) Homepage
    There is no possible argument against this - a device that is built to be connected to the internet, but has a remotely accessible security flaw, cannot be deemed to be 'fit for the purpose for which it was sold', and so the customer is entitled to a full refund, if they desire, regardless of how old the device is.

    Arguably, you could consider installing available security updates within a reasonable timeframe - say, a few weeks after the customer has been informed of them - could be considered basic maintenance, as long as the procedure for applying the update is something that an ordinary user could do. In that case, the manufacturer and retailer could get away with an exchange program for bricked devices, where the devices are sent to a shop with JTAG, serial or other in-circuit programming equipment, or even just providing full instructions on how to unbrick, if this can be done without any additional hardware.

    But if the manufacturer has not provided such updates, then full refund must be paid. And it is the retailer who is on the hook for this - they then have to get recompensed from their wholesaler, etc.

  • And so.. (Score:5, Insightful)

    by ACE209 ( 1067276 ) on Thursday April 06, 2017 @08:39PM (#54188753)
    ..the Internet developed antibodies.

  • Public service (Score:3)

    by sinij ( 911942 ) on Thursday April 06, 2017 @09:24PM (#54188935)
    This is public service. I hope they catch the wrong guy.

Slashdot Top Deals

The goal of Computer Science is to build something that will last at least until we've finished building it.

Close