Malware Hunts And Kills Poorly Secured Internet Of Things Devices Before They Can Be Integrated Into Botnets
from the battle-of-the-brick dept
Researchers say they've discovered a new wave of malware with one purpose: to disable poorly secured routers and internet of things devices before they can be compromised and integrated into botnets. We've often noted how internet-of-broken-things devices ("smart" doorbells, fridges, video cameras, etc.) have such flimsy security that they're often hacked and integrated into botnets in just a matter of seconds after being connected to the internet. These devices are then quickly integrated into botnets that have been responsible for some of the worst DDoS attacks we've ever seen (including last October's attack on DYN).
And most security researchers firmly believe we haven't seen anything yet.
Enter PDoS (permanent denial of service) attack bots, which scan the internet for routers with default, unchanged passwords, or "smart" doorbells, dolls or other devices with paper-mache grade security. From there, PDoS attack bots issue a series of commands that wipe device media, corrupt all storage, and disconnect the device from the internet. Last month, researchers from security firm Radware set up an intentionally poorly-secured honeypot that they say saw roughly 2,250 PDoS attempts during just a four-day span.
The lion's share of these attacks came from two botnets dubbed BrickerBot.1 and BrickerBot.2 -- with nodes busily bricking poorly-secured devices around the world. Initially researchers say they thought that somebody crafted malware specifically to tackle the IOT threat. But given the broad targeting of the botnets (including server-attached storage devices), they also think it's possible that the goal may just be good, old, vanilla mayhem:
"When I discovered the first BrickerBot, I thought it was a drastic attempt to stop the IoT Botnet DDoS threat," Radware researcher Pascal Geenens told Ars. "I thought this was a competitor hacker who wanted to take out his competition and get access to the list of IP [addresses] of bots that were in the competitor's botnet. But upon discovery of the second BrickerBot this theory changed, as the second one is targeting any Linux-based system—not only embedded, BusyBox-based Linux with flash storage. What motivates people to randomly destroy things? Anger, maybe? A troll, maybe?"
As it stands, BrickerBot.2 can only access machines that feature default administrative passwords and have the telnet protocol enabled, limiting the overall potential impact. Regardless, the end result still isn't pleasant for those on the receiving end of a BrickerBot.2 attack:
"...In addition to corrupting the storage device, BrickerBot.2 wipes all stored files, removes the default Internet gateway, disables TCP timestamps, and limits the maximum number of kernel threads to just one. That all but ensures that most damaged devices won't be restored without a major undertaking. Radware has more details about the attacks here."
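The three configuration changes the excerpt attributes to BrickerBot.2 (default gateway removed, TCP timestamps disabled, kernel thread limit cut to one) are also the things a responder can check for on a Linux host that has suddenly dropped off the network. The following is an added example, not code from Techdirt, Ars Technica or Radware: it parses a snapshot of the host's routing table and the two relevant sysctls and reports which indicators are present. The snapshot layout, the parser and the sample data are constructed for this example; the sysctl names (`net.ipv4.tcp_timestamps`, `kernel.threads-max`) are the standard Linux ones.

```python
"""Post-incident triage for the BrickerBot.2 tampering described above.

Added example (not from the article, Ars or Radware). Checks a Linux host
snapshot for three changes the article attributes to BrickerBot.2: default
gateway removed, TCP timestamps disabled, kernel threads-max cut to one.
Snapshot layout, parser and sample data are constructed for this example.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HostSnapshot:
    routes: List[str]        # output lines of `ip route` (assumed format)
    sysctls: Dict[str, str]  # sysctl name -> value (from /proc/sys or `sysctl -a`)


def parse_sysctl_output(text: str) -> Dict[str, str]:
    """Parse `sysctl -a` style lines ("key = value") into a dict."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def has_default_route(routes: List[str]) -> bool:
    """True if any route line is a default route (`default via ...` or `0.0.0.0/0`)."""
    for line in routes:
        fields = line.split()
        if fields and fields[0] in ("default", "0.0.0.0/0"):
            return True
    return False


def check_brickerbot2_indicators(snap: HostSnapshot) -> List[str]:
    """Return the BrickerBot.2-style indicators present in the snapshot.

    A missing default route or disabled TCP timestamps can each be a deliberate
    choice; all three together on a host that used to be reachable is the
    pattern worth escalating.
    """
    findings: List[str] = []
    if not has_default_route(snap.routes):
        findings.append("no default gateway configured")
    if snap.sysctls.get("net.ipv4.tcp_timestamps") == "0":
        findings.append("net.ipv4.tcp_timestamps disabled")
    tm = snap.sysctls.get("kernel.threads-max")
    if tm is not None and tm.isdigit() and int(tm) <= 1:
        findings.append("kernel.threads-max limited to 1")
    return findings


def read_live_snapshot() -> HostSnapshot:
    """Collect the same data from the running host (Linux only)."""
    proc = subprocess.run(["ip", "route"], capture_output=True, text=True, check=False)
    sysctls: Dict[str, str] = {}
    for name, path in (("net.ipv4.tcp_timestamps", "/proc/sys/net/ipv4/tcp_timestamps"),
                       ("kernel.threads-max", "/proc/sys/kernel/threads-max")):
        try:
            with open(path) as fh:
                sysctls[name] = fh.read().strip()
        except OSError:
            pass  # not Linux, or value unreadable: leave the indicator unknown
    return HostSnapshot(routes=proc.stdout.splitlines(), sysctls=sysctls)


# Constructed sample data: one healthy host, one showing the tampering.
HEALTHY = HostSnapshot(
    routes=["default via 192.0.2.1 dev eth0",
            "192.0.2.0/24 dev eth0 proto kernel scope link"],
    sysctls=parse_sysctl_output("net.ipv4.tcp_timestamps = 1\nkernel.threads-max = 15489\n"),
)
TAMPERED = HostSnapshot(
    routes=["192.0.2.0/24 dev eth0 proto kernel scope link"],
    sysctls=parse_sysctl_output("net.ipv4.tcp_timestamps = 0\nkernel.threads-max = 1\n"),
)

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("tampered", TAMPERED)):
        print(label, check_brickerbot2_indicators(snap) or ["no indicators"])
```

On a real victim the check has to run from a rescue image or over a serial console, since the article says the device is disconnected and storage is wiped; the point of `read_live_snapshot()` is fleet-wide triage of hosts that are still up but behaving oddly.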
It's still entirely possible the goal here is to actually help the internet by killing poorly-secured hardware before it can be conscripted into the shitshow that is the internet of things. After all, BrickerBot.2 appears to be an evolution of the Linux.Wifatch malware, which first appeared in October 2015. It seems more than likely that additional malware strains taking cues from the Mirai malware will inevitably appear in the wild, the goal potentially being not necessarily mayhem -- but preventing the massive, crippling DDoS attacks most security experts feel are inevitable in the next year or two.
The problem (aside from this being illegal and destructive) is that the type of person that's likely to go out and purchase a poorly-secured "gee whiz" IOT device or router without considering security -- is the same type of person that's not going to understand why that device just stopped working for no coherent reason. As a result, they're likely to rush out and buy another, poorly-secured device, bringing the incompetence full circle with a zero net gain. As such, security expert Victor Gevers is urging malware authors like this to consider a more constructive path toward the same end goal:
"These attacks are very easy to execute, and I think this is just the beginning," (Gevers) told Bleeping Computer. "I don't want to label this work as dark, but I think there are less destructive ways to achieve the same goal." "Instead of bricking you could also allow the devices to still work and just patch the vulnerability. This requires a bit more finesse."
Granted an even better solution? Stop selling (and buying) hardware with paper-mache grade security in the first place.
Reader Comments
The First Word
Given all the needlessly internet-connected devices...
Why can't we have an oven whose clock automatically fetches the proper time after a power outage?
Don't bother with finesse.
Re: Don't bother with finesse.
It could be nice if they could show a message to the user warning them they bought crap and that this is the reason the thing is being wasted.
Re: Re: Don't bother with finesse.
Then the vendors can brick the devices for unauthorized alterations.
Internet Of Shit
It also doesn't help motivate companies to stop producing devices with insecure firmware... OR motivate consumers to stop buying it...
Re: Re:
If you think in goals (get rid of unsecured devices) you end up playing games of whackamole. You need to think in terms of incentives (how do I get rid of incentives to produce unsecured shit). You need to treat the disease, not the symptoms.
The disease is "it's more profitable to skip security because the target group does neither care for nor understand iot security". If you can change something to make it less profitable, you are working toward a cure.
The recently proposed legislation requiring "reasonable security" for any connected device treats the same disease, and while the vague language had its own problems, it would be a legally and ethically preferable method to hit irresponsible device manufacturers directly with big fines instead of hitting them in a grassroots attack via their customers.
Brickerbot author says...
Failing that, it reverts to “plan B”, i.e. actions that result in the device being rendered temporarily or permanently unusable."
https://www.helpnetsecurity.com/2017/04/24/brickerbot-damage/
Killing IOT devices that people have bought and paid for is not really what I would call the best way to go about this. However this is going to force companies to better secure their products or they are going to have a hard time staying in business.
Consumers will not notice (and most will not really care) if their devices are part of a botnet but they sure as hell will care that the IOT device they purchased quits working.
As a result, they're likely to rush out and buy another, poorly-secured device
Not really. They're unlikely to buy the exact same device again (seeing as the first one didn't work), so they'll buy a different such device which will then "break" again. The process will repeat ad nauseam until they find a secure device.
Or maybe I have too much faith in humanity.
Re: Re: Given all the needlessly internet-connected devices...
I live about a mile from a small airport. Near airports, those clocks don't work at all due to radar and all the other EM interference that comes from airports. I learned that in college when, due to my school's aviation program, my dorm was within sight distance of a working airport and my auto setting watch no longer set itself. Try explaining that to your average consumer.
Also, in my experience, radio setting clocks tend not to keep time very well since they're supposed to get reset daily. So, mine loses about 2 minutes a month requiring manual setting.
Re: Given all the needlessly internet-connected devices...
My oven's time never resets.
"Permanent"
I still haven't seen any details on whether it's really "permanent". People are saying that, but does it actually wipe the recovery code that's common on routers? If not, you could hold the reset button and TFTP a new image over (something more secure, maybe OpenWRT). That would make the DoS temporary, like wiping a PC's hard drive rather than its BIOS.
Re: Re: "Permanent"
They'll be talking to someone who "knows computers", or taking it in for service. I'm wondering whether those people will be able to do anything. JTAG recovery is esoteric, but TFTP recovery is something that could easily be done in any computer shop.
Bot me no bots
I think it's an interesting experiment. Something needs to prod manufacturers or standards bodies or (last resort) governments into mandating good security and privacy practices. If BrickerBot is in the wild and keeps bricking new devices, retailers and manufacturers will see a stream of returned items and maybe do something.
https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/
Well done!
they're often hacked and integrated into botnets in just a matter of seconds after being connected to the internet.
This is not a good approach
I know it is easy to say people are too stupid, but my mother just turned 80. She doesn't want to learn about URLs, browsers, IP addressing, and so on. If her router would just plug in and she can get on "The Internet" she is happy.
Since these hackers are so smart they can hack in and brick the routers and other gadgets, why not fix them? Apply the patches and then secure the router with a new ID and password. Make it a random password and secure it in a database so that they can go back and apply updates as necessary.
Most likely the IOT owners will never even know they were hacked. If they do a reset so that they can gain some control, they will at least have an updated and patched system. Make it even better, include a custom patch that will force a password entry, even if they forget the password they put in, it won't be a default one. Especially don't let them use one from the books (like password, 1234, etc.).
Re: This is not a good approach
This method would just shift the responsibility for a working network from those actually being paid for the devices to an unpaid, unrespected group of voluntary coding slaves.
How would you feel if it was YOUR device that was bricked? You'd be screaming for the perpetrator to be brought to justice.
How would you feel if it were a manufacturer and not a malware author that was bricking the devices? You'd be screaming about how products you buy aren't really yours, the manufacturer is evil, we need new laws and so on.
Some commenters seem perfectly fine with their double standards.
Re:
I agree this is illegal and something that should be solved some other way. But it is an effective strategy to fix the network and the underlying incentives that produce the problem before the poor business practices of IoT companies seriously damage or even kill the net as we know it. Yes, that's a bit of an overdramatization, but it *is* where this is headed long term.
Regarding if the company was bricking them and not owning them: There are fundamentally different facts there. Someone selling me a device I can't really operate without their consent and support even after the sale is not a real sale. Someone destroying my property because it is not adequately secured against criminal use and I'm not competent or interested enough in this to fix it is vigilantism for the greater good. As the "vigilantism" implies, that action is troublesome in itself, and lends itself to a lot of logical and ethical debate, but it is a completely different debate from "this sale is no real sale and this product is not really my property although I paid for it".
Re: Re:
Likewise if my car had a safety-affecting design flaw in the airbags or ignition switch, it would be my own fault for not detecting it and fixing it myself.
All those Samsung Note 7 owners whose phones caught fire before the recall have only themselves to blame for not detecting and fixing the problem on their own.
/s
The Internet of Fixing Things
And to break a broken thing is doubly so.