April 10, 2017 By Douglas Bonderud 2 min read

It’s the worst outcome of any malware attack: devices rendered completely useless. Bleeping Computer reported that new strains of corrupted code known as BrickerBot are doing just that by corrupting IoT devices, changing parameters and essentially making them expensive paperweights. Here’s how it works.

Permanent Denial-of-Service

Distributed denial-of-service (DDoS) threats are now commonplace. For example, the recent Mirai attacks turned ordinary devices into malicious bots that crashed large company websites and internet service providers alike. Ars Technica noted, however, that BrickerBot occupies a different attack space — permanent denial-of-service (PDoS).

By compromising vulnerable, Linux-based routers, bridges and IoT devices, it’s possible for the malware to wipe all device files, corrupt existing storage or sever the internet connection, effectively destroying the devices. While recovery might be possible, it’s often too expensive and time-consuming on a per-device basis.

Burgeoning Bricks

Bleeping Computer explained that BrickerBot was first detected using honeypot servers maintained by security firm Radware. The attacks started on March 20 by targeting Linux BusyBox-based IoT devices with two separate strains, BrickerBot.1 and BrickerBot.2. The malware starts with a scan for open Telnet ports, then looks for devices that still use default security credentials. If an opportunity is detected, BrickerBot logs in and goes to work.

While the command structures differ between the two versions, the ultimate results are the same: BrickerBot writes random bits to the device to render flash storage useless, disables TCP timestamps to hamper internet connections, lowers the maximum kernel threads to one (down from tens of thousands) to stop kernel operations, and finally reboots the device.

The result is PDoS, also known as “phlashing,” which leaves the device unusable.

Malicious Motives for IoT Devices

So far, attack rates are reasonably high — Radware detected 1,895 PDoS attempts over just four days. Most of these came from BrickerBot.1, which uses IPs from all over the world connected to Ubiquiti network devices running older versions of the Dropbear SSH server. Version .2 is more sophisticated, using hidden Tor exit nodes to make tracking almost impossible, but it is only responsible for a fraction of observed attacks.

While researchers have tracked down origins and uncovered code specifics, they’re still not sure why the malware exists. There’s no ransom demand and no expectation of action on the part of compromised users. Instead, the malware author seems intent on ruining as many devices as possible.

Some experts say this could be the work of an internet vigilante, out to offer a practical — albeit extremely harsh — lesson to companies and users who don’t change default security settings. More worrisome? Chairman of the GDI.foundation, Victor Gevers, told Bleeping Computer these attacks “are very easy to execute,” and are “just the beginning” of similar efforts.

Protecting Vulnerable Devices

So what can companies do to protect their growing IoT device environment? It all comes back to basic security hygiene.

Always change default logins and passwords before making the device accessible to users. It’s also a good idea to monitor open Telnet ports — there’s no reason to give attackers a leg up in searching out compromised devices.

Bottom line? IoT devices remain popular attack vectors because companies don’t properly secure entry points. New brick-based attacks exploit poor security practices by permanently ruining devices, and avoiding this outcome demands an IoT house built on solid ground, not the assumed safety of default foundations.

More from

CISA’s cyber incident reporting portal: Progress and future plans

3 min read - On August 29, 2024, CISA announced the launch of a new cyber-incident Reporting Portal, part of the new CISA Services Portal.“The Incident Reporting Portal enables entities and individuals reporting cyber incidents to create unique accounts, save reports and return to submit later, and eliminate the repetitive nature of inputting routine information such as contact information,” says Lauren Boas Hayes, Senior Advisor for Technology & Innovation, at CISA.Shortly after the announcement, Security Intelligence reported on how the portal was designed and…

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today