April 27, 2017 By Larry Loeb 2 min read

Sierra Tel (ST) won’t forget April 10. On that date this year, the California-based telecommunications company may have been taken down by two warring families of botnets that attacked an Internet of Things (IoT) device in its network.

An IoT Device With a Checkered History

When its customers in Mariposa and Oakhurst, California, started to complain that they had lost all connectivity, the company determined that all these customers were using the same modem, the ZyXel HN51.

While ST diagnosed the cause of the problem rather quickly, Bleeping Computer reported that it took until April 22 for all the affected customers to obtain replacement devices. Frustrated customers quickly exhausted available supplies of the modem when the company offered them an opportunity to swap out old devices at its offices.

The ZyXel HN51 has a checkered history. This is the same modem that caused Deutsche Telekom to go offline for nearly a full day last year, according to Bleeping Computer. It took the German ISP about that long to regain control over its devices through a firmware update. A week later, some British ISPs experienced the same problem. At the time, the Mirai IoT botnet was thought to be the culprit.

The ZyXel modem uses the TR-069 control interface as a way for system administrators to assert hardware-level control on modems in a network. But that interface can be exploited, according to SANS, requiring strict filtering at the network or modem interface to prevent the exploits from occurring.

Vigilante Justice

It’s possible that a vigilante IoT construct could have caused this failure while trying to neutralize rogue IoT devices. One such construct, BrickerBot, is said to be able to wipe any onboard memory in a device and rewrite it with random garbage, Bleeping Computer reported. That would require device replacement, which is just what ST was forced to do.

A clear solution is nowhere in sight. Other unknown threat actors may be at work here as well, and this particular modem has proven to be exploitable. But a system operator such as ST must be aware of the actions that need to be implemented by a network to avoid bricked devices. No matter how or why they get bricked, they’ll almost always come with irate customers attached.

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today