Date: 2017-04-06
New Destructive Malware Intentionally Bricks IoT Devices (bleepingcomputer.com) 77
An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the amount of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."
for the greater good:
1) protect individuals and society from the harms of shoddy IOT devices.
2) punish the companies producing them and create economic imperatives to design in security.
Win Win all around. Give those men a cookie!
Sledgehammer approach.
Despite how malicious this is, I'm oddly OK with it.
As a BoFH I also am. Secure your crap or hire someone to do it.
Nasty?! Isn't this better for everyone? (Score:2)
The security researcher calls this nasty?! It's genius!
It's certainly vigilante. But given the societal harm being caused by shoddy IOT devices, bricking them is quite arguably noble. Also, this could be good for the affected users too. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware?
At least if your device breaks, you realize something is
Carry on soldier!
For all we know these *could be* any nation's militia acting in proactive self-defense, and protecting the bulk of the Internet in the process.
Bravo !
Increased sales!
Users will just go out and buy another one.
Not to mention that in the long run, the impact of this would likely be that companies face immediate PR blowback that kills sales when they release shoddy devices. They will quickly learn that to make any money they need to pay attention to implementing reasonable security precautions.
Carry on soldier!
Reality check: The blame will fall on the engineers and the D team that made the decision that ultimately caused the engineering fail will get a bonus for reducing cost. The lesson they quickly learned LONG ago is that their paycheck increases when they prioritize speed to market and decreases when they consider security.
Reward 'bad' behavior, you get bad behavior. Punish 'good' behavior, you get more bad behavior.
Purchasers don't do this but it is because they don't know any better. No wonder why, the o
hopefully it prompts some effort towards producing more secure devices.
Sadly, it will not. There is a tremendous amount of money to be made selling insecure crap and absolutely no penalty for the companies producing and selling insecure crap.
That depends on where you are in the world.
Here in Australia a full refund of the purchase price is codified in law. Retailers will pick better suppliers as it costs them to refund.
Actually, if someone sells insecure crap that subsequently gets hacked and stops working as a result, in a lot of places that's going to be considered unfit for purpose or the legal equivalent and therefore entitle the owner to some sort of refund or other remedy at the vendor's expense. While I don't condone the vigilante aspect here, it might prove to be quite effective at highlighting how poor the state of security is in the IoT industry and forcing manufacturers of these devices not to cheap out so much
If insecure devices are likely to be bricked, security may become a selling point.
Security isn't a selling point already? People are stupid.
Yeah, this is wrong, so wrong, and yet I'm having a lot of trouble getting worked up about it. If your device is that hackable, it probably needs to be bricked for the sake of humanity. The Internet of Things That Go Bump In The Night gets exorcised...
If DRM has taught us anything, it's that the law is on the side of the weak-ass locks.
I can break into your house because it's not secure enough. Is that OK too?
Just because something isn't locked doesn't mean it's OK to access it. You're either civilized or you're not, and the person who released this code should be having a long stay in jail to think about the morality of what they've done.
Re:Sledgehammer approach. (Score:5, Insightful)
If the house has already been taken over by a criminal gang, it's a different matter. That's a better analogy with a lot of these insecure IoT devices. They aren't just sitting there innocently; if they're vulnerable to being shut down by this malware, they're also vulnerable to being taken over by botnets. This is not just a theoretical worry; some of the big recent DDOS attacks have been by IoT device botnets.
I might punch you in the face some day. Possibly even shoot you. So, is it right to preemptively kill me just in case?
No. Until there's an imminent credible threat, it's not right to take ANY kind of action against me.
Same with these devices - the fact that they COULD be compromised in the future and used for destructive purposes is not sufficient justification for attacking them. Once they are and are being used to commit a crime, then yes, they should be open season.
Now, if you want to start a class a
OK how about this, they have been compromised. And they were killed for it. Does that make you happy?
Don't think of it as breaking into someone's house. Think of it as spraying over someone's extremely reflective walls and roof blinding everyone around them with glare.
I can break into your house because it's not secure enough. Is that OK too?
If you are my neighbor and you go away for the weekend and your external alarm goes off and nobody comes to shut it off and it doesn't turn off when I switch off your external panel (assuming you have one) I'm definitely going to bash it in with a hammer.
If you have a device on your network making attacks against other people's resources, don't be surprised if they shut it down. And be happy that they didn't just rejigger it to flood your local network with shit traffic.
Re: (Score:2)
If you can't figure out how to secure your device, or you are unable to do so, then so sad too bad. Hope a bunch of IoT vendors go tits up.
Re: (Score:3)
I'm not.
I think most here on /. are of this general opinion. It's Machiavellian for sure, but really does have the whole "Ends justify the means" feel to it.
Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed. If it only costs the end users money then not a ton will really happen.
It is wrong yes
... but so is the OEM's.
Since we have an overly conservative government at all 3 branches in the US you know nothing will ever be done about this problem for American companies that make these. The free market doesn't work as most users do not know what security is. Their phone is on the net so what is so bad about a camera etc.
So why change? We are the externalized costs but they do not ever see accountability.
Now comes payback. Even freaking routers are cloud IOT based these days?!! There a
Sledgehammer approach: aka Cancer Treatment (Score:1)
I don't know about malicious. Seems to be both well-intentioned and working well. Of course, vigilantism can be a problem, but I don't really see that here either. It is hard to fault it when law enforcement has consistently failed to do anything at all about a serious threat. And anybody that took the minimal precautions to secure their devices will not be affected either.
If pwnable easily it must die - network darwinism (Score:2, Interesting)
If it's secured, then it belongs on the network. If it's not secured, this is the best possible outcome, non-function and removal.
Good job.
Crowdfund? (Score:5, Funny)
Where is the kickstarter or indiegogo page for this project? I can't find it.
Hehehe - sorry, I ran out of mod points this morning.
I wonder if the people exploiting Mirai for profit will start disinfecting this thing.
We knew it was coming... (Score:5, Interesting)
What about a garage door opener that was bricked and a woman got killed because she was being chased by a maniac and her garage wouldn't let her in?
Re:We knew it was coming... (Score:4, Funny)
depends, did she submit a bad review on Amazon?
Re:We knew it was coming... (Score:4, Interesting)
Better than the two women that got killed because their insecure garage door opener let the maniac in.
At least no one's life is dependent on these devices..yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake up call we've desperately needed.
We already have life critical devices compromised. Remember that the early adopters of the IoT were hospitals, which have been compromised already. http://spectrum.ieee.org/view-... [ieee.org]
While this case was not the result of a hacker, but software error, today's radiation dispenser is about 100 percent likely to be attached to the internet. http://ccnr.org/fatal_dose.htm... [ccnr.org].
And it wouldn't be too surprising if people have been killed already. We just wouldn't hear about it, or the operators might not even kno
Was already broken (Score:4, Insightful)
These devices were already broken. Now they are non-functional as well.
That's it. They got the ultimate upgrade.
How Are These Devices Getting Public IPs? (Score:2)
So potentially a stupid question here, but given that we have a severe shortage of IP addresses due to exhaustion of the IPv4 space, how are all of these devices getting publicly addressable IP addresses to allow an incoming connection in the first place? If they're behind a NAT they should be naturally firewalled, otherwise who has the spare IPs to hand out to crappy little IoT devices?
Universal Plug and Play (UPnP) is enabled on most home routers. Most of these insecure IoT devices use UPnP to open port forwarding holes through the home router.
Yea that should have been gotten rid of in the 90's
Yea that should have been gotten rid of in the 90's
Right so you can get calls at 10 at night from Grandma guiding her on opening ports on her firewall settings with UDP to get her iPad's iTunes to work. I am sure that would work out great.
... and open a firewall exception for each of the 45 games you have on steam sounds fun too?
Fun fact: NAT doesn't naturally firewall anything.
Here's how you do NAT on Linux: iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE. See that "-o wan0"? The rule, and thus the NAT, only applies to outbound connections. It does nothing whatsoever to inbound connections! You can test this yourself if you want; just take a subnet where inbound connections work, add that NAT rule to the subnet's router, and you'll see that inbound connections continue to work just fine.
In any case, the answer to your questio
is playing in the background.
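A check that follows from the NAT comment above, as an added example that is not part of the thread: it reads iptables-save output and reports whether a new connection arriving on the WAN interface could be forwarded to the inside. The two sample rulesets and the lan0 interface name are constructed, and the walk is simplified: only -i, -o, --ctstate and -j are interpreted.

```shell
#!/bin/sh
# Constructed iptables-save output: masquerade only, FORWARD policy left at ACCEPT.
NAT_ONLY='*nat
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'
# Constructed: same NAT rule plus stateful filtering (lan0 is an assumed LAN interface).
NAT_FILTERED='*nat
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
COMMIT'

# audit_forward RULESET WAN_IF
# Walks the filter table's FORWARD chain for a NEW packet that arrived on
# WAN_IF and prints "open" if it would be accepted, "filtered" otherwise.
# Simplification: other matches (-p, --dport, "!") are ignored, so any rule
# that could accept a new WAN-side connection counts as open.
audit_forward() {
  printf '%s\n' "$1" | awk -v wan="$2" '
    /^\*/ { table = substr($0, 2); next }
    table != "filter" { next }
    $1 == ":FORWARD" { policy = $2; next }
    $1 == "-A" && $2 == "FORWARD" && verdict == "" {
      in_if = ""; out_if = ""; state = ""; target = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-i") in_if = $(i + 1)
        if ($i == "-o") out_if = $(i + 1)
        if ($i == "--ctstate") state = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (in_if != "" && in_if != wan) next              # rule is for another ingress
      if (out_if == wan) next                            # rule is for outbound traffic
      if (state != "" && state !~ /(^|,)NEW(,|$)/) next  # replies only
      if (target == "ACCEPT" || target == "DROP" || target == "REJECT") verdict = target
    }
    END {
      if (verdict == "") verdict = policy                # fell through to chain policy
      result = (verdict == "ACCEPT") ? "open" : "filtered"
      print result
    }'
}

audit_forward "$NAT_ONLY" wan0
audit_forward "$NAT_FILTERED" wan0
```

On a live router the same function can be fed the output of iptables-save directly; the nat table is skipped on purpose, since the masquerade rule plays no part in the verdict.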
If this happens to you, get a full refund. (Score:4, Interesting)
Arguably, you could consider installing available security updates within a reasonable timeframe - say, a few weeks after the customer has been informed of them - could be considered basic maintenance, as long as the procedure for applying the update is something that an ordinary user could do. In that case, the manufacturer and retailer could get away with an exchange program for bricked devices, where the devices are sent to a shop with JTAG, serial or other in-circuit programming equipment, or even just providing full instructions on how to unbrick, if this can be done without any additional hardware.
But if the manufacturer has not provided such updates, then full refund must be paid. And it is the retailer who is on the hook for this - they then have to get recompensed from their wholesaler, etc.
And so.. (Score:5, Insightful)
Public service (Score:3)