Malware Hunts And Kills Poorly Secured Internet Of Things Devices Before They Can Be Integrated Into Botnets

from the battle-of-the-brick dept

Researchers say they’ve discovered a new wave of malware with one purpose: to disable poorly secured routers and internet of things devices before they can be compromised and integrated into botnets. We’ve often noted how internet-of-broken-things devices (“smart” doorbells, fridges, video cameras, etc.) have such flimsy security that they’re often hacked and integrated into botnets in just a matter of seconds after being connected to the internet. These devices are then quickly integrated into botnets that have been responsible for some of the worst DDoS attacks we’ve ever seen (including last October’s attack on DYN).

And most security researchers firmly believe we haven’t seen anything yet.

Enter PDoS (permanent denial of service) attack bots, which scan the internet for routers with default, unchanged passwords, or “smart” doorbells, dolls or other devices with paper-mache grade security. From there, PDoS attack bots issue a series of commands that wipe device media, corrupt all storage, and disconnect the device from the internet. Last month, researchers from security firm Radware set up an intentionally poorly-secured honeypot that they say saw roughly 2,250 PDoS attempts during just a four-day span.

The lion’s share of these attacks came from two botnets dubbed BrickerBot.1 and BrickerBot.2 — with nodes busily bricking poorly-secured devices around the world. Initially researchers say they thought that somebody crafted malware specifically to tackle the IOT threat. But given the broad targeting of the botnets (including server-attached storage devices), they also think it’s possible that the goal may just be good, old, vanilla mayhem:

“When I discovered the first BrickerBot, I thought it was a drastic attempt to stop the IoT Botnet DDoS threat,” Radware researcher Pascal Geenens told Ars. “I thought this was a competitor hacker who wanted to take out his competition and get access to the list of IP [addresses] of bots that were in the competitor’s botnet. But upon discovery of the second BrickerBot this theory changed, as the second one is targeting any Linux-based system?not only embedded, BusyBox-based Linux with flash storage. What motivates people to randomly destroy things? Anger, maybe? A troll, maybe?”

As it stands, BrickerBot.2 can only access machines that feature default administrative passwords and have the telnet protocol enabled, limiting the overall potential impact. Regardless, the end result still isn’t pleasant for those on the receiving end of a BrickerBot.2 attack:

“…In addition to corrupting the storage device, BrickerBot.2 wipes all stored files, removes the default Internet gateway, disables TCP timestamps, and limits the maximum number of kernel threads to just one. That all but ensures that most damaged devices won’t be restored without a major undertaking. Radware has more details about the attacks here.”

It’s still entirely possible the goal here is to actually help the internet by killing poorly-secured hardware before they can be conscripted into the shitshow that is the internet of things. After all, BrickerBot.2 appears to be an evolution of the Linux.Wifatch malware, which first appeared in October 2015. It seems more than likely that additional malware strains taking cues from the Mirai malware will inevitably appear in the wild, the goal potentially being not necessarily mayhem — but preventing the massive, crippling DDoS attacks most security experts feel are inevitable in the next year or two.

The problem (aside from this being illegal and destructive) is that the type of person that’s likely to go out and purchase a poorly-secured “gee whiz” IOT device or router without considering security — is the same type of person that’s not going to understand why that device just stopped working for no coherent reason. As a result, they’re likely to rush out and buy another, poorly-secured device, bringing the incompetence full circle with a zero net gain. As such, Security expert Victor Gevers is urging malware authors like this to consider a more constructive path toward the same end goal:

“These attacks are very easy to execute, and I think this just the beginning,” (Gevers) told Bleeping Computer. “I don’t want to label this work as dark, but I think there are less destructive ways to achieve the same goal.” “Instead of bricking you could also allow the devices to still work and just patch the vulnerability. This requires a bit more finesse.”

Granted an even better solution? Stop selling (and buying) hardware with paper-mache grade security in the first place.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Malware Hunts And Kills Poorly Secured Internet Of Things Devices Before They Can Be Integrated Into Botnets”

Subscribe: RSS Leave a comment
Ninja (profile) says:

Re: Don't bother with finesse.

My thoughts. Keep bricking the new stupid iot thing they buy until they stop buying crappy products. I do believe issuing patches would be much, much better but how do you do it for each and every model out there? If you can brick them all with standard commands then just do it and hurt these bad companies in their pockets by destroying customer trust.

It could be nice if they could show a message to the user warning them they bought crap and that this is the reason the thing is being wasted.

TKnarr (profile) says:

Re: Re:

Have to agree. Bricking the devices (or close enough that that kind of consumer won’t be able to unbrick it) will give those devices, and if it happens commonly enough that brand, a rep for being unreliable and consumers will start to avoid them. There’s a point where we have to say “Subtle hasn’t worked, let’s try not-subtle.” and I’m pretty sure we’re well past it. It’s not like it’s not possible to design consumer hardware/firmware that’s secure, it’s just that the entity responsible for it doesn’t bear the cost of not doing it.

Anonymous Coward says:

Re: Re: Re:

Exactly. Bricking them gives the guaranteed feedback of poor reputation and the possible advantage of RMA costs to the manufacturer.

If you think in goals (get rid of unsecured devices) you end up playing games of whackamole. You need to think in terms of incentives (how do I get rid of incentives to produce unsecured shit). You need to treat the disease, not the symptoms.

The disease is “it’s more priftable to skip security because the target group does neither care for nor understand iot security”. If you can change something to make it less priftable, you are working toward a cure.

The recently proposed legislation requiring “reasonable security” for any connected device treats the same disease, and while the vague language had it’s own problems, it would be a legally and ethically preferable method to hit irresponsible device manufactures directly with big fines instead of hitting them in a grassroots attack via their customers.

Richard M says:

Brickerbot author says...

“The author of BrickerBot, which “bricks” IoT devices by rewriting the flash storage space and wiping files, has emerged to explain that the malware first attempts to secure the units without damaging them.

Failing that, it reverts to “plan B”, i.e. actions that result in the device being rendered temporarily or permanently unusable.”

Killing IOT devices that people have bought and paid for is not really what I would call the best way to go about this. However this is going to force companies to better secure their products or they are going to have a hard time staying in business.

Consumers will not notice (and most will not really care) if their devices are part of a botnet but they sure as hell will care that the IOT device they purchased quits working.

Anonymous Coward says:

As a result, they’re likely to rush out and buy another, poorly-secured device

Not really. They’re unlikely to buy the exact same device again (seeing as the first one didn’t work), so they’ll buy a different such device which will then "break" again. The process will repeat ad nauseam until they find a secure device.

Or maybe I have too much faith in humanity.

R.H. (profile) says:

Re: Re: Given all the needlessly internet-connected devices...

I live about a mile from a small airport. Near airports, those clocks don’t work at all due to radar and all the other EM interference that comes from airports. I learned that in college when, due to my school’s aviation program, my dorm was within sight distance of a working airport and my auto setting watch no longer set itself.
Try explaining that to your average consumer.

Also, in my experience, radio setting clocks tend not to keep time very well since they’re supposed to get reset daily. So, mine loses about 2 minutes a month requiring manual setting.

Anonymous Coward says:


Enter PDoS (permanent denial of service) attack bots

I still haven’t seen any details on whether it’s really "permanent". People are saying that, but does it actually wipe the recovery code that’s common on routers? If not, you could hold the reset button and TFTP a new image over (something more secure, maybe OpenWRT). That would make the DoS temporary, like wiping a PC’s hard drive rather than its BIOS.

Anonymous Coward says:

Re: Re: "Permanent"

Yeah but anyone who could be swept up in these PDoS attacks would not know how to do that.

They’ll be talking to someone who "knows computers", or taking it in for service. I’m wondering whether those people will be able to do anything. JTAG recovery is esoteric, but TFTP recovery is something that could easily be done in any computer shop.

Anonymous Coward says:

Re: Re: Re: "Permanent"

In theory, any device reset into their prior state should be targeted and disabled again, so you could argue it DoSuf (Denial of Service until fixed). Once someone who resets a device is clever enough to patch and secure it at the same time, your device will keep working and at least the short-term goal (getting rid of unsecured IoT devices) is met.

Jim Hacker (user link) says:

Bot me no bots

This article from three days ago has an interview with the author of BrickerBot in which he claims to have bricked over 2 million devices. He says that his algorithm bricks them as a last resort after trying various ways to disinfect them and that the researchers’ honeypots are not similar enough to real IoT devices for BrickerBot to respond appropriately.

I think it’s an interesting experiment. Something needs to prod manufacturers or standards bodies or (last resort) governments into mandating good security and privacy practices. If BrickerBot is in the wild and keeps bricking new devices, retailers and manufacturers will see a stream of returned items and maybe do something.

TasMot (profile) says:

This is not a good approach

I work as a software developer and getting devices correctly configured can be hard. Just bricking them is dumb. It would be nice if they got smart, configured it correctly, and changed the password to their own. Many people are of the “plug and play” variety. If the gadget can just plug in and start working they are happy.

I know it is easy to say people are too stupid, but my mother just turned 80. She doesn’t want to learn about URL’s, browsers, IP addressing, and so on. If her router would just plug in and she can get on “The Internet” she is happy.

Since these hackers are so smart they can hack in and brick the routers and other gadgets, why not fix them? Apply the patches and then secure the router with a new ID and password. Make it a random password and secure it in a database so that they can go back and apply updates as necessary.

Most likely the IOT owners will never even know they were hacked. If they do a reset so that they can gain some control, they will at least have an updated and patched system. Make it even better, include a custom patch that will force a password entry, even if they forget the password they put in, it won’t be a default one. Especially don’t let them use one from the books (like password, 1234, and etc.).

Anonymous Coward says:

Re: This is not a good approach

And remove any interest in any IoT company ever to actually produce secured devices, because they employ the “random hacker autosecuring technique”.

This method would just shift the responsibility for a working network from those actually being paid for the devices to an unpaid, unrespected group of voluntary coding slaves.

Anonymous Coward says:

It’s distressing to see the number of people saying bricking the devices is a good thing. No, it’s not. You’re damaging the property of someone else; someone who probably doesn’t know the first thing about IoT, security or anything. Let’s be blunt, this is malware performing a DoS.

How would you feel if it was YOUR device that was bricked? You’d be screaming for the perpertrator to be brought to justice.

How would you feel if it a manufacturer and not a malware author that was bricking the devices? You’d be screaming about how products you buy aren’t really yours, the manufacturer is evil, we need new laws and so.

Some commenters seem perfectly fine with their double standards.

Anonymous Coward says:

Re: Re:

If MY device was bricked I’d scream and curse bloody murder -at myself for not securing the device.

I agree this is illegal and something that should be solved some other way. But it is an effective strategy to fix the network and the underlying incentives that produce the problem before the poor business practices of IoT companies seriously damage or even kill the net as we know it. Yes, that’s a bit of an overdramatization, but it is where this is headed longterm.

Regarding if the company was bricking them and not owning them: There are fundamentally different facts there. Someone selling me a device I can’t really operate without their consent and support even after the sale is not a real sale. Someone destroying my property because it is not adequatly secured against criminal use and I’m not competent or interested enough in this to fix it is vigilantism for the greater good. As the “vigilantism” implies, that action is troublesome in itself, and lends itelf to a lot of logical and ethical debate, but it is a completely different debate from “this sale is no real sale and this product ist not rreally my property although I paid for it”.

Roger Strong (profile) says:

Re: Re: Re:

If MY device was bricked I’d scream and curse bloody murder -at myself for not securing the device.

Likewise if my car had a safely-affecting design flaw in the airbags or ignition switch, it would be my own fault for not detecting it and fixing it myself.

All those Samsung Note 7 owners whose phones caught fire before the recall have only themselves to blame for not detecting and fixing the problem on their own.


Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...