It’s the worst outcome of any malware attack: devices rendered completely useless. Bleeping Computer reported that new strains of corrupted code known as BrickerBot are doing just that by corrupting IoT devices, changing parameters and essentially making them expensive paperweights. Here’s how it works.
Distributed denial-of-service (DDoS) threats are now commonplace. For example, the recent Mirai attacks turned ordinary devices into malicious bots that crashed large company websites and internet service providers alike. Ars Technica noted, however, that BrickerBot occupies a different attack space — permanent denial-of-service (PDoS).
By compromising vulnerable, Linux-based routers, bridges and IoT devices, it’s possible for the malware to wipe all device files, corrupt existing storage or sever the internet connection, effectively destroying the devices. While recovery might be possible, it’s often too expensive and time-consuming on a per-device basis.
Bleeping Computer explained that BrickerBot was first detected using honeypot servers maintained by security firm Radware. The attacks started on March 20 by targeting Linux BusyBox-based IoT devices with two separate strains, BrickerBot.1 and BrickerBot.2. The malware starts with a scan for open Telnet ports, then looks for devices that still use default security credentials. If an opportunity is detected, BrickerBot logs in and goes to work.
While the command structures differ between the two versions, the ultimate results are the same: BrickerBot writes random bits to the device to render flash storage useless, disables TCP timestamps to hamper internet connections, lowers the maximum kernel threads to one (down from tens of thousands) to stop kernel operations, and finally reboots the device.
The result is PDoS, also known as “phlashing,” which leaves the device unusable.
Malicious Motives for IoT Devices
So far, attack rates are reasonably high — Radware detected 1,895 PDoS attempts over just four days. Most of these came from BrickerBot.1, which uses IPs from all over the world connected to Ubiquiti network devices running older versions of the Dropbear SSH server. Version .2 is more sophisticated, using hidden Tor exit nodes to make tracking almost impossible, but it is only responsible for a fraction of observed attacks.
While researchers have tracked down origins and uncovered code specifics, they’re still not sure why the malware exists. There’s no ransom demand and no expectation of action on the part of compromised users. Instead, the malware author seems intent on ruining as many devices as possible.
Some experts say this could be the work of an internet vigilante, out to offer a practical — albeit extremely harsh — lesson to companies and users who don’t change default security settings. More worrisome? Chairman of the GDI.foundation, Victor Gevers, told Bleeping Computer these attacks “are very easy to execute,” and are “just the beginning” of similar efforts.
Protecting Vulnerable Devices
So what can companies do to protect their growing IoT device environment? It all comes back to basic security hygiene.
Always change default logins and passwords before making the device accessible to users. It’s also a good idea to monitor open Telnet ports — there’s no reason to give attackers a leg up in searching out compromised devices.
Bottom line? IoT devices remain popular attack vectors because companies don’t properly secure entry points. New brick-based attacks exploit poor security practices by permanently ruining devices, and avoiding this outcome demands an IoT house built on solid ground, not the assumed safety of default foundations.