New Destructive Malware Intentionally Bricks IoT Devices

An anonymous reader writes: "A new malware strain called BrickerBot is intentionally bricking Internet of Things (IoT) devices around the world by corrupting their flash storage capability and reconfiguring kernel parameters. The malware spreads by launching brute-force attacks on IoT (BusyBox-based) devices with open Telnet ports. After BrickerBot attacks, device owners often have to reinstall the device's firmware, or in some cases, replace the device entirely. Attacks started on March 20, and two versions have been seen. One malware strain launches attacks from hijacked Ubiquiti devices, while the second, more advanced, is hidden behind Tor exit nodes. Several security researchers believe this is the work of an internet vigilante fed up with the amount of insecure IoT devices connected to the internet and used for DDoS attacks. "Wow. That's pretty nasty," said Cybereason security researcher Amit Serper after Bleeping Computer showed him Radware's security alert. "They're just bricking it for the sake of bricking it. [They're] deliberately destroying the device."

I commend the effort...

[Anonymous Coward]

carry on.

Carry on...

[monkeyzoo]

... for the greater good:
1) protect individuals and society from the harms of shoddy IOT devices.
2) punish the companies producing them and create economic imperatives to design in security.

Re:

[Highdude702]

Win Win all around. Give those men a cookie!

Re:

[david_thornley]

For some reason, this reminds me of Team Rocket's entrance act.

Re:

[Anonymous Coward]

Hm, isn't it more of an economic incentive for producers to make insecure devices though when owners buy new ones to replace the bricked ones?

Not if the attitude of the owners becomes "screw buying a new one, it'll just get bricked again".

Consumer protection law

[DrYak]

Depends on the jurisdiction but in Europe companies are required to cover warranty for quite a significant period of time
(at least 24 months in this case. It might even be 36 months but I'm too lazy to google. Anyway given how recent this IoT craze is, most of the devices are definitely more recent than their warranty period and thus of course still covered)

The constructor *HAS* to replace such bricked devices through warranty, with the user only bearing the cost of sending the bricked device and the manufacturer covering the cost of the new replacement and shipping that back to the user. (During the first few months the shop that did sell the device can even handle the replacement themselve and ship the defective through their own channels. The user will become the replacement immediately and 100% for free).

So there is *definitely a strong economic incentive* to make the device secure.
If the device is vulnerable, it is going to cost a lot due to warranty replacement and shipping.

(And as pointed by others: if the replacements keep getting broken again, consumer will switch brands)

Re:

[david_thornley]

This is potentially a real problem for manufacturers.

The device isn't failing because of manufacturing defects or ordinary wear and tear or anything predictable. It's failing because it's been deliberately attacked. If I bought a computer, and someone else shot it, I'd expect the manufacturer to not be responsible.

It poses a considerable risk to a manufacturer. While the manufacturer might well have put in deficient security, but even if the manufacturer worked hard on security there are no guarante

stop working without any visible abuse.

[DrYak]

The device isn't failing because of manufacturing defects or ordinary wear and tear or anything predictable. It's failing because it's been deliberately attacked. If I bought a computer, and someone else shot it, I'd expect the manufacturer to not be responsible.

If you look into the details, a laptop isn't (normally) designed for the purpose of sustaining gun shots. The laptop getting shot and subsequently stopping to work isn't part of its normal operating mode.
Whereas a IoT device is supposed to be constantly connected to the Internet - that waht the "I" in "IoT" means. Being connected to the internet is part of their intended normal use.

If a manufacturer sells a lot of X, and the bad guys find a security hole, the manufacturer could be on the hook for an unlimited number of X without receiving any payment, since a customer could find a series of Xs bricked.

If a customer bought X, and suddenly X stops working even if the customer always used X as instructed and did nothing wrong the

Re:

[david_thornley]

The problem here is that a manufacturer who makes a solid effort to do everything right could suddenly have to replace almost every instance of a certain product line. It may not be immediately obvious how to make a device that's immune to that particular attack If the manufacturer doesn't have a satisfactory replacement, what happens?

What happens if a company manufactures a lock and it's forced? Does the company have to replace that lock?

No matter what, this is a new sort of risk for the company.

definition

[DrYak]

Wow. In Canada, a warranty would apply to manufacturing defects, which this clearly isn't.

It clearly is.
The manufacturer used a defective conponent, even if said component(*) is software (the stupidly insecure firmware) rather than hardware (it's not a broken capacitor). From the point of view of the end user, it's all the same : the user both a IoT gizmo, use it as intended, did nothing wrong, but suddenly the gizmo stopped working without any forewarning.

in EU and other european countries, manufacturing defects are defined as problems which aren't cause by neither excessive wear and tear, nor

Re:

[drakaan]

The alternative is that the same ridiculously insecure IoT device gets infected with malware that allows it to become part of a botnet. This is better than that. The worst case scenario where a device is part of a botnet has a potentially huge and not inconsequential effect on a potentially huge number of people, whereas bricking said insecure device leads to customer dissatisfaction and provides a real incentive for manufacturers to quit selling shitty, insecure devices to people who don't know any bette

Re:I commend the effort...

[Zocalo]

Ordinarily, I'd condemn this kind of vigilante action, but in this instance I'm hardly struggling with it at all. Mirai kicked off in early September 2016. It's now April 2017. That's six full months, almost to the day, that device owners, ISPs, and vendors have had to secure their devices, filter inbound scanning/outbound end-user traffic, and produce update firmware, yet there's very little evidence any of that is happening at scale (shocking, I know), so it's clearly not going to. The rest of us, meanwhile, have been subjected to continual port scanning and DDoS attacks. Taking vulnerable devices out of commission, placing the cost of that on owners and vendors, plus pressure from both on ISPs to start to filter the malicious traffic, is clearly the only approach that is going to work at this point, and might even encourage vendors to put a little more thought into security in future.

Carry on indeed. Hell, post the code like the original Mirai author did - we might as well wrap this up as fast as Mirai and its clones were able ramped up. Open Source, ftw!

Re:

[Zocalo]

Oh, yeah. Just in case the author(s) are reading this, for v2.0, you might want to consider looking into the following popular IoT ports as well (there are others, but these are the ones with the most activity):
22 - SSH
2222 - alt. SSH
2323 - alt. Telnet
5358 - Web Services API
6789 - Dahui admin port?
7547 - TR-069 management port
23231 - alt. Telnet
37777 - CCTV port forwarding

You're welcome.

Sledgehammer approach.

[mlheur]

Despite how malicious this is, I'm oddly OK with it.

Re:

[Anonymous Coward]

As a BoFH I also am. Secure your crap or higher somone to do it.

Nasty?! Isn't this better for everyone?

[monkeyzoo]

The security researcher calls this nasty?! It's genius!

It's certainly vigilante. But given the societal harm being caused by shoddy IOT devices, bricking them is quite arguably noble. Also, this could be good for the affected users too. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware?

At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet.

Not to mention that in the long run, the impact of this would likley be that companies face immediate PR blowback that kills sales when they release shoddy devices. They will quickly learn that to make any money they need to pay attention to implementing reasonable security precautions.

Carry on soldier!

Re:

[Hylandr]

Carry on soldier!

For all we know these *could be* any nations militia acting in proactive self-defense, and protecting the bulk of the Internet in the process.

Bravo !

Re: Nasty?! Isn't this better for everyone?

[mspohr]

Increased sales!
Users will just go out and buy another one.

Re:

[monkeyzoo]

Increased sales!
Users will just go out and buy another one.

Not from the same manufacturer though. ;-)
At least eventually once they have a reputation for having their devices bricked.

Re:

[Anonymous Coward]

Not to mention that in the long run, the impact of this would likley be that companies face immediate PR blowback that kills sales when they release shoddy devices. They will quickly learn that to make any money they need to pay attention to implementing reasonable security precautions.

Carry on soldier!

Reality check: The blame will fall on the engineers and the D team that made the decision that ultimately cause the engineering fail will get a bonus for reducing cost. The lesson they quickly learned LONG ago is that their paycheck increases when they prioritize speed to market and decreases when they consider security.

Reward 'bad' behavior, you get bad behavior. Punish 'good' behavior, you get more bad behavior.

Purchasers don't do this but it is because they don't know any better. No wonder why, the o

Re:

[locofungus]

It's certainly vigilante. But given the societal harm being caused by shoddy IOT devices, bricking them is quite arguably noble. Also, this could be good for the affected users too.

Would you feel the same if it was a expert gang who were gaining entry into peoples homes and smashing their insecure IOT devices and then leaving (doing no other damage at all)

While I can understand the frustration that might have lead to this sort of attack, it, unfortunately, will probably not achieve the desired ends. End use

Re:

[Anonymous Coward]

Where is the proof that it was a malicious act?

"My webcam stopped working. I don't know why. Give me a new one or my money back."

Re:

[david_thornley]

When my iPod went through a wash cycle, it stopped working. I sent it to Apple, expecting to be told that it would cost $X to repair. I got a replacement back (the engraving was slightly different) for free. Surprised me.

Re:

[monkeyzoo]

How exactly do you change the SSID on a wifi dildo camera?

Wi-Fi sex toy with built-in camera fails penetration test
https://www.theregister.co.uk/... [theregister.co.uk]

Re:

[mellon]

Yeah, this is wrong, so wrong, and yet I'm having a lot of trouble getting worked up about it. If your device is that hackable, it probably needs to be bricked for the sake of humanity. The Internet of Things That Go Bump In The Night gets exorcised...

Re:

[Anonymous Coward]

Same here. I feel sorry for the person who's equipment no longer works, but these idiot companies have got to get off their ass and secure their shit.

I hope this creates a global class action lawsuit against all manufactures of any IoT device.

Re:

[DontBeAMoran]

If DRM has taught us anything, it's that the law is on the side of the weak-ass locks.

Re:

[Baron_Yam]

I can break into your house because it's not secure enough. Is that OK too?

Just because something isn't locked doesn't mean it's OK to access it. You're either civilized or you're not, and the person who released this code should be having a long stay in jail to think about the morality of what they've done.

Re:Sledgehammer approach.

[rgmoore]

I can break into your house because it's not secure enough. Is that OK too?

If the house has already been taken over by a criminal gang, it's a different matter. That's a better analogy with a lot of these insecure IoT devices. They aren't just sitting there innocently; if they're vulnerable to being shut down by this malware, they're also vulnerable to being taken over by botnets. This is not just a theoretical worry; some of the big recent DDOS attacks have been by IoT device botnets.

Re:

[Baron_Yam]

I might punch you in the face some day. Possibly even shoot you. So, is it right to preemptively kill me just in case?

No. Until there's an imminent credible threat, it's not right to take ANY kind of action against me.

Same with these devices - the fact that they COULD be compromised in the future and used for destructive purposes is not sufficient justification for attacking them. Once they are and are being used to commit a crime, then yes, they should be open season.

Now, if you want to start a class a

Re:

[Highdude702]

OK how about this, They have been comprimised. And they were killed for it. Does that make you happy?

Re:

[Aighearach]

If I see a burning house and a garden hose, I'm not going to wait to ask permission to enter the yard and utilize their water resource.

Re:

[david_thornley]

I'm cool with that. However, if you walk into my yard and take my hose and start spraying down my house because it could conceivably catch fire, I'm going to have words with you. Particularly if the windows are open.

Re:

[Aighearach]

You're grasping for apples and oranges. Attempt to apply your analogy to the actual events and see if it fits.

Is it even possible to brick an IoT device that isn't a public threat?

You're saying your house wasn't on fire. I'm saying I don't care, there was smoke and flames pouring out the window and your words don't change that.

Re:

[david_thornley]

What I am trying to say is that destroying people's property on the assumption that it might be a threat later on is wrong. Nobody's claiming that the bricking was justified because the devices were actually causing harm, and argument I'd be more sympathetic to. Nobody's pointing to smoke and flames. People are just saying that, if it might present a threat, the intruders are justified in bricking it.

As to whether it's possible to brick a device that's not a public threat, I don't know. It seems like

Re:

[Aighearach]

Nobody is misunderstanding you, it is just that when they say, "these devices are already a threat," and you say something like, "I don't see them as a threat," then you are in no way contradicting what others say. You're saying they're wrong, but the case you makes only says you wouldn't do what they did, not that they were wrong. We know for a fact that many of us believe these devices to be a threat as soon as they're connected to the network without being secured. In the same way that if a neighbor pile

Re:

[Opportunist]

There IS an immediate credible threat. A device that can trivially be taken over IS a threat.

What you have here is a loaded weapon lying right out in the front yard. Any criminal can walk by, pick it up and use it to commit a crime. Do you think this gun should be removed?

Re:

[rtb61]

Don't think of it as breaking into some ones house. Think of it as spraying over someone's extremely reflective walls and roof blinding everyone around them with glare.

Re:

[drinkypoo]

I can break into your house because it's not secure enough. Is that OK too?

If you are my neighbor and you go away for the weekend and your external alarm goes off and nobody comes to shut it off and it doesn't turn off when I switch off your external panel (assuming you have one) I'm definitely going to bash it in with a hammer.

If you have a device on your network making attacks against other people's resources, don't be surprised if they shut it down. And be happy that they didn't just rejigger it to flood your local network with shit traffic.

Re:Sledgehammer approach.

[freeze128]

I don't like your analogy because peoples houses aren't ALWAYS targeted by criminals. How about we replace "your house" with "your local bank".

Suppose your local bank just left money lying around on the floor of the lobby. If anyone takes that money, they are stealing. Is that OK? Of course not, but it's really risky and stupid to keep it there in the first place. Also, in order to be FDIC insured, the bank needs to take at least some minimal precautions, like storing the money in a vault, and maybe having an armed guard. If the bank doesn't do this, they would probably be robbed the most, and the FDIC would not insure them. Result - The bank would quickly go out of business and close.

The malware is breaking the law by bricking the device, but in this scenario, I'm the fucking FDIC, bitch! I demand better security on your IOT device, or you must shut it down.

Re:

[Aighearach]

You're either civilized or you're not

My, how sophisticated!

By the way, sitting in jail is likely to cause thoughts about ethics, not thoughts about morality. There is a difference.

Re:

[Opportunist]

If you install a revolving door and your home is used as a squat by the local crack junkie population who terrorize the neighborhood, and the police doesn't do diddly squat against it, what should I do as your neighbor? Grin and bear it?

Re:

[david_thornley]

Tell you what. You might install a revolving door and invite the crack junkies in. I can't know you won't. Is it OK if I burn your house down now to avoid that problem?

Re:

[Opportunist]

Sure, if you can get in through the door without breaking a lock.

Re:

[coofercat]

It's probably more like cruising around all the streets in the world looking for houses that are empty but have their doors open. Then, going into the house and barricading all the doors and windows so that no one (not even the owner) can get in without some specialist help (eg. locksmiths, trades people etc).

Re:

[GerryGilmore]

Exactly my first thought! Insecure "IoT" devices NEED to be disabled from accessing the internet and fucking it up for the rest of us. Besides, how can we watch our ads?!?

Re:

[Snotnose]

Yeah, came here to say this. Surprised I'm in the majority on this.

If you can't figure out how to secure your device, or you are unable to do so, then so sad too bad. Hope a bunch of IoT vendors go tits up.

Re:Sledgehammer approach.

[networkBoy]

I'm not.
I think most here on /. are of this general opinion. It's machiavellian for sure, but really does have the whole "Ends justify the means" feel to it.

Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed. If it only costs the end users money then not a ton will really happen.

Re:

[Billly Gates]

It is wrong yes ... but so is the OEM's.

SInce we have a overly conservative government at all 3 branches in the US you know nothing will ever be done about this problem for American companies that make these. The free market doesn't work as most users do not know what security is. Their phone is on the net so what is so bad about a camera etc.

So why change? We are the externalized costs but they do not ever see accountability.

Now comes payback. Even freaking routers are cloud IOT based these days?!! There a

Re:

[StayFrosty]

Even freaking routers are cloud IOT based these days?!!

What the hell does that even mean? What does IOT even mean? Since when did routers (which have always had vulnerabilities and don't get patched often) get lumped in with light bulbs and security cameras? What about unpatched servers or workstations with direct connections to the internet (think cloud hosting providers)? Routers are the "things" that are responsible for traffic going anywhere. Servers are "things" that provide access to services on the internet. I guess the enter internet is an "intern

Warranty mandatory in EU

[DrYak]

Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed.

Such warranty return are mandatory for the OEM to accept in Europe, at least 24 months (I think, it might by 36) and given how recent this IoT craze is, most devices still qualify for such returns.

The cost might not get all the way to the cheap-ass chinese no-name manufacturer who did actually commit a device with such atrocious security.
But the cost won't burden the end user, it would at least be a problem for the brand that decided to have their device manufactured, without exerting the necessary caution

Re:

[eth1]

I'm not.
I think most here on /. are of this general opinion. It's machiavellian for sure, but really does have the whole "Ends justify the means" feel to it.

Hopefully (though doubtfully) the OEMs will be eating a lot of warranty returns. It is only if this costs the OEMs money that the problems will be fixed. If it only costs the end users money then not a ton will really happen.

I was thinking it'd be neat if the malware had a database of warranty information and geo-IP-based warranty laws, and it actually tried to figure out if the device was still under warranty. Silently close the backdoor and go dormant if it thinks it's not under warranty, brick it if it thinks it is.

Re:

[Cyberpunk Reality]

Yep. Saw the report and my first thought was "is this really a bad thing?" Better they end up as bricks than fueling a LOIC.

Sledgehammer approach: aka Cancer Treatment

[n329619]

Except this is super effective. I approve this medication.

Re:

[gweihir]

I don't know about malicious. Seems to be both well-intentioned and working well. Of course, vigilantism can be a problem, but I don't really see that here either. It is hard to fault it when law enforcement has consistently failed to do anything at all about a serious threat. And anybody that took the minimal precautions to secure their devices will not be affected either.

Re:

[Opportunist]

Vigilantism logically happens when law enforcement fails to uphold a law that is in the interest of the people. This is why it's not only critical that the law reflects the ideals of the population but also that it's executed. If you have laws that run contrary to what the people consider right, you can only enforce them with force against your own people and you can logically assume that your own population fights you. This is, among other things, what fell communism.

If you're unwilling or unable to establ

Re:

[Anonymous Coward]

hopefully it prompts some effort towards producing more secure devices.

Sadly, it will not. There is a tremendous amount of money to be made selling insecure crap and absolutely no penalty for the companies producing and selling insecure crap.

Re:Sledgehammer approach.

[marka63]

That depends on where you are in the world.

Here in Australia a full refund of the purchase price is codified in law. Retailers will pick better suppliers as it costs them to refund.

Re:

[Anonymous Brave Guy]

Actually, if someone sells insecure crap that subsequently gets hacked and stops working as a result, in a lot of places that's going to be considered unfit for purpose or the legal equivalent and therefore entitle the owner to some sort of refund or other remedy at the vendor's expense. While I don't condone the vigilante aspect here, it might prove to be quite effective at highlighting how poor the state of security is in the IoT industry and forcing manufacturers of these devices not to cheap out so much

Re:

[rgmoore]

If insecure devices are likely to be bricked, security may become a selling point.

Re:

[Highdude702]

Security isnt a selling point already? people are stupid.

Re:

[quantumphaze]

In peoples defence, the box has a dozen dot points touting random security protocols (SSH, SSL, HTTPS, Radius, SSL, PPTP, L2TP, did we mention SSL).
They never disclose the root:root user/pass on an unsecured Telnet back-door left over by the developers.
# flash_erase /dev/mtd0 0 0 it's for the best.

Re:

[Highdude702]

I completely agree. it's one thing if the items are aimed towards power users. It's another if it's aimed towards the general public for purchase. The only people to blame here are the manufacturers and whoever is behind this attack is doing the entire world a favor

Re:

[Opportunist]

Yes it will. Companies may not care about your security, but they do care about you coming and demanding refund or replacement. That cuts into their bottom line and that's what they do care about.

Re:

[harvey the nerd]

I'd rather have a brick than a spy.

If pwnable easily it must die - network darwinism

[Anonymous Coward]

If it's secured, then it belongs on the network. If it's not secured, this is the best possible outcome, non-function and removal.

Good job.

Crowdfund?

[Anonymous Coward]

Where is the kickstarter or indiegogo page for this project? I can't find it.

Re:

[bill_mcgonigle]

Hehehe - sorry, I ran out of mod points this morning.

I wonder if the people exploiting Mirai for profit will start disinfecting this thing.

We knew it was coming...

[evolutionary]

Okay, it was only a matter of time before somebody came around and starting exploiting all the backdoors/weak protection in this IoT(I pronounce "idiot") devices. The funny thing is, this may well be a public service in an odd way. At least no one's life is dependent on these devices..yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake up call we've desperately needed.

Re:

[DontBeAMoran]

What about a garage door opener that was bricked and a woman got killed because she was being chased by a maniac and her garage wouldn't let her in?

Re:We knew it was coming...

[networkBoy]

depends, did she submit a bad review on Amazon?

Re:

[ZenShadow]

Posting to remove bad mod. Bah.

Re:We knew it was coming...

[Zaelath]

Better than the two women that got killed because their insecure garage door opener let the maniac in.

Re:

[Ol Olsoc]

At least no one's life is dependent on these devices..yet. If we started adopting these things carelessly in situations that could endanger lives, we'd be in serious trouble. Perhaps this is the wake up call we've desperately needed.

We already have life critical devices compromised. Remember that the early adopters of the IoT was hospitals, which have been compromised already. http://spectrum.ieee.org/view-... [ieee.org]

While this case was not the result of a hacker, but software error, todays radiation dispenser is about 100 percent likely to be attached to the internet. http://ccnr.org/fatal_dose.htm... [ccnr.org].

And it wouldn't be too surprising if people have been killed already. We just wouldn't hear abou tit, or the operators might not even kno

Re:

[Opportunist]

Intelligent Devices, Internet Of Things.

Everyone buying them is a good example for the acronym thereof.

Re:

[zifn4b]

IoT(I pronounce "idiot") devices

The Internet of Things shall henceforth be known as the catchy and marketable Silicon Valley-ish term: ID10T. Marketing companies please feel free to use this idea freely. Want to crank it to 10? ID10T. See how cool that is? You're welcome.

Was already broken

[bhetrick]

These devices were already broken. Now they are non-functional as well.

Re:

[Anonymous Coward]

That's it. They got the ultimate upgrade.

How Are These Devices Getting Public IPs?

[rsmith-mac]

So potentially a stupid question here, but given that we have a severe shortage of IP addresses due to exhaustion of the IPv4 space, how are all of these devices getting publicly addressable IP addresses to allow an incoming connection in the first place? If they're behind a NAT they should be naturally firewalled, otherwise who has the spare IPs to hand out to crappy little IoT devices?

Re:

[Anonymous Coward]

Universal Plug and Play (UPnP) is enabled on most home routers. Most of these insecure IoT devices use UPnP to open port forwarding holes through the home router.

Re:

[Highdude702]

Yea that should have been gotten rid of in the 90's

Re:

[Billly Gates]

Yea that should have been gotten rid of in the 90's

Right so you can get calls at 10 at night from Grandma guiding her on opening ports on her firewall settings with UDP to get her Ipad's itunes to work. I am sure that would work out great. ... and open a firewall exception for each of the 45 games you have on steam sounds fun too?

Re:

[PetiePooo]

Right so you can get calls at 10 at night from Grandma guiding her on opening ports on her firewall settings with UDP to get her Ipad's itunes to work

If uPNP weren't available, iTunes and your games would have been written with some other connection method. They'd be making more use of STUN/TURN/ICE or just ensuring that all connections from the enduser are outbound. uPNP enabled programmers to be lazy in how they engineered connectivity. It is insecure by design, "but hey, since it's ubiquitous, let's use it!"

Re:

[Highdude702]

Funny you say that because I live behind a NAT with 0 forwarded ports. iTunes and every one of my steam games work perfectly fine. Try again.

Re:

[Billly Gates]

Turn off upnp on your Nat router and let me know how well everything works?

Re:

[Highdude702]

lol. you dont understand. My router thats before the NAT has UPNP disabled, as has every one ive ever owned. But the NAT router thats ahead of it ALSO does not have UPNP enabled. Not many things require incoming ports(which is what UPNP configures) Everything else is in the packet its self. Should go read up on how the internet works before you once again look like a moron talking to me about the internet and the way it functions.

Re:How Are These Devices Getting Public IPs?

[Dagger2]

Fun fact: NAT doesn't naturally firewall anything.

Here's how you do NAT on Linux: iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE. See that "-o wan0"? The rule, and thus the NAT, only applies to outbound connections. It does nothing whatsoever to inbound connections! You can test this yourself if you want; just take a subnet where inbound connections work, add that NAT rule to the subnet's router, and you'll see that inbound connections continue to work just fine.

In any case, the answer to your question is that people set up port forwards for their cameras because they want to view the camera when they're away from home. IPv6 would help a lot here because it makes it significantly more difficult to scan for these devices, unlike in v4 where it's pretty trivial to exhaustively scan the entire address space.

Re:

[coofercat]

Most cameras and other things with a phone-based interface will try to automatically open ports on the firewall (via upnp). A lot of routers have upnp enabled by default, and so this works in a lot of cases. For those people with routers that don't play along, the product will ask them to setup port forwarding - let's be honest, most people who just bought a webcam to watch over their driveway will do anything the product tells them to do because they want to watch their driveway when they're out of the hou

The world's tiniest violin

[Kernel Kurtz]

is playing in the background.

If this happens to you, get a full refund.

[robbak]

There is no possible argument against this - a device that is built to be connected to the internet, but has a remotely accessible security flaw, cannot be deemed to be 'fit for the purpose for which it was sold', and so the customer is entitled to a full refund, if they desire, regardless of how old the device is.

Arguably, you could consider installing available security updates within a reasonable timeframe - say, a few weeks after the customer has been informed of them - could be considered basic maintenance, as long as the procedure for applying the update is something that an ordinary user could do. In that case, the manufacturer and retailer could get away with an exchange program for bricked devices, where the devices are sent to a shop with JTAG, serial or other in-circuit programming equipment, or even just providing full instructions on how to unbrick, if this can be done without any additional hardware.

But if the manufacturer has not provided such updates, then full refund must be paid. And it is the retailer who is on the hook for this - they then have to get recompensed from their wholesaler, etc.

This is not about the manufacturer's warranty

[robbak]

The written warranty gives the customer additional rights, such as replacement where the law only specifies repair, or give you a repair for something that could be normal wear-and-tear. But this is about 'implied warranties', such as a warranty of fitness, which the manufacturer or retailer cannot annul with pieces of paper. So they can write what they want, it doesn't matter.

If you were sold a device to do a certain thing, and it was suitable for it, then you are due a refund.

And so..

[ACE209]

..the Internet developed antibodies.

Public service

[sinij]

This is public service. I hope they catch the wrong guy.

Re:

[Opportunist]

Oh that would be win-win if they charged him...

Well I am not surprised

[LordWabbit2]

Considering most of the people on /. are, in the main, IT sort of people, so it's not very surprising someone decided to take matters into their own hands and sort out the problem themselves. Surprised it took this long. I mean, Mirai's source code was available ages ago, I even downloaded it to take a look. What's amusing is my antivirus only picked it up a couple days ago.

Good luck to them, I hope they are hiding their tracks properly, because this is still illegal.

Re:

[Falconhell]

I've never seen such a consensus on Slasdot before, more than 95% of posts supporting.
Keep up the good work whoever you are.

Willful ignorance

[drew_kime]

They're just bricking it for the sake of bricking it.

No. They're bricking it for the sake of preventing it from being used in a botnet.

Re:

[Opportunist]

...unless of course the manufacturer was so "smart" to think that the data he gets from the item is absolutely critical, so the toaster only works if it's online...

Oh please let that bullshit backfire on them, just once!

Re:

[Falconhell]

Whatever you do, dont fix the toaster, its a bastard.

Re:

[Anonymous Coward]

It's not about anarchy; it's the fact that these devices need to be off the public internet until they are secured properly.

This is a fact, as the IoT botnets have nearly knocked the root DNS servers offline and can generate traffic that threatens to overwhelm the best DDoS-protection providers (Cloudflare). Nevermind the fact that most people and businesses could even afford Cloudflare in the first place.

There is no legal means of forcing the manufacturers and owners to secure them, so most people are supp