Forget Mirai – Brickerbot malware will kill your crap IoT devices

A new form of attack code has come to town and it uses techniques similar to Mirai to permanently scramble Internet of Things devices. On March 20 researchers at security shop Radware spotted the malware, dubbed Brickerbot, cropping up in honeypots it sets up across the web to lure interesting samples. In the space of four …

  1. Adrian 4
    Holmes

    DOS ?

    Sounds like a denial-of-botting, rather than denial of service. A vigilante for insecure Things.

  2. Anonymous Coward
    Anonymous Coward

    Unless they're CISCO hardcoded passwords

    Added to the firmware by incompetent engineers or forced to add by the Spooks.

  3. The obvious
    Mushroom

    Is it just me who is secretly applauding this...

    just a little bit. It's an extreme, harsh and utterly illegal way to encourage vendors to deal with their security issues, but perhaps a shedload of support calls and returned 'faulty' items might get their attention.

    ...then again pigs might fly past Satan skiing to work first!

    1. Doctor Syntax Silver badge

      Re: Is it just me who is secretly applauding this...

      "a shedload of support calls and returned 'faulty' items might get their attention."

      As Charles 9 keeps telling us, a lot of this stuff is bought on the grey markets which might make support and returns more difficult. However, it will affect reputations and make buyers a lot more careful in future when they come to replace the bricked items. That, more than anything, will grab vendors' attention.

      And the oft touted argument of price competition between vendors really doesn't come into it. There's no point in being a penny or two cheaper than the competition if nobody's buying your product because it's known to get bricked.

      1. Charles 9

        Re: Is it just me who is secretly applauding this...

        "And the oft touted argument of price competition between vendors really doesn't come into it. There's no point in being a penny or two cheaper than the competition if nobody's buying your product because it's known to get bricked."

        Unless, of course, THEY'RE getting bricked, too, meaning you're damned if you do and damned if you don't.

        1. Doctor Syntax Silver badge

          Re: Is it just me who is secretly applauding this...

          "Unless, of course, THEY'RE getting bricked, too, meaning you're damned if you do and damned if you don't."

          That's the point. This is going to brick insecure devices in general. If you're making one of them you'll find both you and your equally insecure competitors are having your products bricked. In any case you're almost certainly just relabelling the same product as your competitors. If you don't tighten up your operation you're toast. And if they don't your competitors are also toast. Those of you who get wise have taken on some extra costs but you're still alive. But, because you've all had to take on extra costs (either by your upstream vendor improving the product or changing to another vendor's product) you're all moving in step. It remains the same competitive market but at a slightly higher price until the extra cost has been absorbed.

          The alternative is that the generic Chinese approach gets such a bad reputation so quickly that only well-known brands are able to sell by getting a non-bricking reputation. This could even be an operation by someone with a better product aiming to wipe out the competition.

          At the moment it seems to be working on a thing by thing basis from C & C servers. If it gets turned into a worm it will propagate a lot faster.

      2. Anonymous Coward
        Anonymous Coward

        @Doctor Syntax - make buyers more careful in future

        The problem is that many of these IoT devices are white label, and many companies will buy them wholesale and brand them. So you buy a device from CompanyOne, and it gets bricked and you say "I'm never buying from CompanyOne ever again!" and buy CompanyTwo's product, which turns out to be wholesaled from the same white label firm.

        If the white label firm sees a drop in business from relabelers like CompanyOne and CompanyTwo, no matter, they probably operate under multiple names so they can "shut down" the tainted name and move on to the next without having to actually fix the issue. Because that would cost money, especially if they wanted to truly secure them rather than just fixing issues that are currently being exploited.

        The only real solution is to buy from a reputable company you know stands behind their products, but of course then you are paying a lot more so that's a step most won't take.

        1. Doctor Syntax Silver badge

          Re: @Doctor Syntax - make buyers more careful in future

          "but of course then you are paying a lot more so that's a step most won't take."

          It depends on how many cheap devices they buy and get bricked. The penny will drop eventually.

          1. Anonymous Coward
            Anonymous Coward

            Re: @Doctor Syntax - make buyers more careful in future

            True, but most will give up on IoT after being burned a couple times. In most cases (i.e. internet connected bulbs and door locks, that sort of useless crap) that will be a good thing.

        2. heyrick Silver badge

          Re: @Doctor Syntax - make buyers more careful in future

          "and many companies will buy them wholesale and brand them."

          I am in the process of hacking my cheap IP camera and it seems that there are many "brands" that just take what I think is a Wancam and push in their own front end with branding - I've pretty much done that myself by changing the rubbish web UI to give me a 2K page instead of 160K with loads of pointless scripting such as ~90K of jQuery...

          I wonder if the rebrand companies even have access to the source code, or is it a matter of patching in a few company specific details?

          I dream that one day companies will be more open with regard to the firmware (cough, isn't it basically hacked-about bits of Linux with an even more hacked version of GoAhead baked in?, cough) but sadly I think that day will be a long time coming... so acceptable (if not outstanding) hardware will continue to be let down by half-assed software that is barely touched beyond "it works enough to make an actual product".

    2. Unicornpiss

      Re: Is it just me who is secretly applauding this...

      I hear what you're saying, and can't really disagree, but most of the people that buy these devices are just techy enough to get them to (mostly) work. While it might eliminate some completely insecure devices that could be used in other exploits, mostly it's just adding another headache in the lives of poor bastards that just want to automate their homes, and of course for everyone in customer service that will have to get an earful from every person with a bricked device.

      1. Doctor Syntax Silver badge

        Re: Is it just me who is secretly applauding this...

        "mostly it's just adding another headache in the lives of poor bastards that just want to automate their homes"

        And the poor bastards who, by trying to automate their homes (in itself a solution looking for a problem) are becoming a headache to vast swathes of the internet. Look on it as overall optimisation.

        As a lot of the targets of botnet herders and of this attack seem to be security DVRs it's likely that at least some of them will have been installed by "professionals". If someone promoting themselves as a security professional installs an IoT device without securing it then their customer care operation deserves all the grief it gets.

      2. Mark 85

        @Unicornpiss -- Re: Is it just me who is secretly applauding this...

        but most of the people that buy these devices are just techy enough to get themselves in trouble.

        FTFY. I've come across more than a few who think they "understand" tech but really haven't a clue. And usually don't care as they can pick up the phone and call someone who knows a bit more. Not much... but enough to either create another problem or end up trashing the whole thing.

    3. John Smith 19 Gold badge
      Unhappy

      " Is it just me who is secretly applauding this... "

      No.

      In fact it looks like a sort of "inoculation" for stupid developers.

      It keeps infecting stuff till they take the (fairly) elementary precautions against it or the customers acquire the knowledge to stop it infecting them.

      It appears to be applying ecological pressure to the IoT ecosystem.

      It's evolving smarter devs and smarter users.

      It's pretty ruthless behavior from whoever developed it but basically they seem to want IoT to evolve or die. Otherwise the malware does not seem to actually do anything which is just weird.

      I wonder if we'll find the developer is called Ajax.

      1. Anonymous Coward
        Anonymous Coward

        Re: " Is it just me who is secretly applauding this... "

        Any of this stuff that's sold in the EU presumably has a CE declaration (from manufacturer or importer) and therefore presumably product liability legislation applies?

        "the malware does not seem to actually do anything which is just weird."

        Kodi doesn't do particularly much either, and what it does do is generally legit, but based on the press coverage it's getting at the moment, maybe someone should tell the FACT/FIFA people that future generations of carp IoTware are just another option for depriving the Rights Owners of their rightfully earned revenues (they're clearly not worried about technicalities or law).

        That'd get them off the market in double quick time, surely?

    4. Adam 1

      Re: Is it just me who is secretly applauding this...

      We've seen this movie before somewhere...

      The difference that I can see here is that PCs were never set and forget concepts. They had service packs, antivirus definitions and the like. But who, when purchasing their next light bulb, is thinking "how do I apply security patches?" Whilst I don't condone vigilante hacking, it's hard to feel sympathy for an industry that has produced so much crap security with bad practices even at a 101 level (hard coded passwords, missing even basic user permissions, running unnecessary daemons with root access, the list goes on). Maybe some bricked returns will score some pretty rubbish eBay/Amazon reviews and will ward off bricks-and-mortar retailers from stocking such products. The IoT industry (and I include car manufacturers here) needs to understand that software isn't a set and forget enterprise, and if they can't learn the lessons of that industry then pull back and sell regular light bulbs/door locks/cameras/cars/whatever until they do learn those lessons.

      I'm not hopeful though. Best security practice starts with collect as little data as you need to function, run as few services as is needed to accomplish that task, and run those services with as few rights as possible. This is the very antithesis of IoT.

  4. Steve Davies 3 Silver badge
    Mushroom

    Who in their right mind...

    oh never mind.

    There is nowt as stupid as folk

    [see icon] That is the inevitable result. Perhaps then the Idiots might learn...

    And yes, pigs have learned to fly (following on from that famous one at Battersea Power Station)

  5. Your alien overlord - fear me

    What's the probability that it was written/commissioned by someone who has been on the receiving end of a bot DDoS attack and is just making sure they don't get hit again?

    1. Doctor Syntax Silver badge

      "What's the probability that it was written/commissioned by someone who has been on the receiving end of a bot DDoS attack"

      Or someone with a better device to sell clearing away the competition?

      1. Charles 9

        Unlikely as it would probably cost less to do a fly-by-night and reappear a few weeks later under a new name.

        1. Doctor Syntax Silver badge

          "Unlikely as it would probably cost less to do a fly-by-night and reappear a few weeks later under a new name."

          Rinse and repeat every few weeks until the market learns that no cheap device survives for long? Fine if you want to keep driving round in a Robin Reliant van.

          Build a brand that earns a good reputation and that brand is actually of value. That's where the big money is in the long term.

          1. Charles 9

            Then why don't you hear about Kirby and Electrolux vacuum cleaners anymore, despite them being among the most reliable vacuum cleaner brands in history? Reputation can have some meaning, but it can only go so far.

            The consequences would have to be more severe for most bling customers to take the step up. And that's assuming the more-expensive brands don't get hit, too, staining the entire industry.

            1. Doctor Syntax Silver badge

              "Then why don't you hear about Kirby and Electrolux vacuum cleaners anymore"

              Never heard of Kirby. But we have a Bosch branded vacuum cleaner, a Hotpoint branded washing machine, both bought fairly recently replacing Vax & Zanussi. Dishwasher is AEG. Freezer is Zanussi. I'm not sure how familiar these are in the US but they're all well known brands here.

              One of the possible fates of good brands is that they can get asset stripped. Some firm of beancounters buys the brand and, not having any idea themselves of how to build an electric kettle* or whatever, cuts corners to bring the price down and eventually ruins it. However the original owners who put in the work had a valuable brand and got paid for it.

              *You may recognise recent experience speaking here. So far Amazon Basics looks like they've got their kettles built by someone who knows how to do the job better than the well-known brand. But then Amazon now have a brand to look after.

              1. druck Silver badge
                Flame

                Brands aren't even consistent any more. Some of the better named white good manufacturers don't make their lower end models, but farm them out to cheaper companies. It might allow them to cover more market segments, but if those models don't have the same quality and reliability, it's going to bring down the entire brand. See exploding tumble dryers for example.

            2. Richard 12 Silver badge

              I have a Kirby vacuum cleaner.

              Well, carpet maintenance system as it does rather a lot more than just brush & vacuum.

              1. Anonymous Coward
                Anonymous Coward

                I used to be

                a Kirby door to door salesman back in my youth (mid 80s).

                They were a £1000 then!!!!

            3. Anonymous Coward
              Anonymous Coward

              Kirby still gets a "Recommended" rating in Consumer Reports.

              -- http://www.consumerreports.org/products/upright-vacuum/ratings-overview/

              ... of course, the Missus' >20 year old "Generation III" is still doing quite well, thank you.

          2. Anonymous Coward
            Anonymous Coward

            Use a proper OS (VxWorks) made by adults!

            An IoT device using generic Linux is the equivalent of a Reliant Robin Ambulance!

  6. the Jim bloke

    I think the best way to describe this

    Is environmentally imposed quality assurance

    make the operating conditions hostile to insecure devices and they will fail to thrive.

    In the darwinist 'survival of the fittest' meme, this malware eliminates those 'unfit to live'

    I think it's a good thing, and there should be more of it, the only drawback is its dependency on central C&C.

    1. Doctor Syntax Silver badge

      Re: I think the best way to describe this

      "I think it's a good thing, and there should be more of it, the only drawback is its dependency on central C&C."

      Looking at the attacks they interrogate various aspects of the system although it's not immediately obvious what they were doing with it. The second one in particular collects quite a lot of detail. This puzzled me until I realised it wasn't a script running on the device, it was running on the C & C server which will be collecting intelligence on the devices being attacked. It seems quite possible that this is in part an analysis phase to design a worm which will brick devices a whole lot faster.

  7. GrapeBunch

    Doomsday?

    I can't help thinking that with more development effort, this sort of malware will be able to brick every gas or electric smart meter on the planet. Darwin this, Darwin that. On the frostiest night of the year, naturally. Deployed by a kid wearing short trousers, football boots, and a Motörhead T-shirt inherited from his grandpa.

  8. stephanh
    FAIL

    telnet??!!?

    It is 2017 and there are still people enabling telnet on whatever kind of device?

    Installing telnet should be punishable by a public flogging. Or a stern warning not to do it again.

    1. Charles 9

      Re: telnet??!!?

      What is telnet more or less than a simple raw connection to an address and port accessible to a console? Heck, you can connect to a web server's port 80 and, knowing the right sequences, pretend to be a simple web browser. Telnet will never go away because it's essentially the building block for any other socket-based protocol.

      1. heyrick Silver badge

        Re: telnet??!!?

        "you can connect to a web server's port 80 and, knowing the right sequences, pretend to be a simple web browser."

        Back around the turn of the millennium, I used to use telnet to log into my pop3 server to check mail. A few simple commands, and it was often quicker than starting up the email software.

        Now? Thwarted by encrypted connections and no longer necessary since mobile phones and tablets can do mail checking as a background task.

        1. Paul

          Re: telnet??!!?

          use "openssl s_client -connect host:port" instead of "telnet host port" to do the equivalent thing over an ssl socket.

      2. stephanh

        Re: telnet??!!?

        Perhaps connecting a telnet client to port 80 is a fun and educational exercise. However this device runs a telnet *server*. Telnet sends (typically) arbitrary shell commands over a plaintext connection, so anybody who can send packets to the telnet port can 0wn the device.

        Unfortunately BusyBox contains a built-in telnet server and no ssh server, so any security-unaware IoT engineer (please excuse the tautology) will choose the path of least resistance and use telnetd instead of sshd.

        1. Richard 12 Silver badge

          Re: telnet??!!?

          Perhaps it is time to push an update to BusyBox to make SSH the default instead.

          Anybody already on that mailing list?

          1. Charles 9

            Re: telnet??!!?

            WONTFIX. They say to install dropbear instead.

            That said, firms using BusyBox in release hardware should be pressed to compile their versions NOT to have the telnet daemon included.

            1. Doctor Syntax Silver badge

              Re: telnet??!!?

              "WONTFIX. They say to install dropbear instead."

              Which in turn has had its problems, e.g. https://www.theregister.co.uk/2015/02/20/250000_routers_have_duplicate_ssh_keys/

              If someone is serious about bricking mass deployments of vulnerable kit, unpatched versions of that could be near the top of the list.

  9. jsusanka

    Telnet really?

    Anybody that deploys any Unix computer with telnet installed and answering is a moron and should consider a career change.

    1. Doctor Syntax Silver badge

      Re: Telnet really?

      "Anybody that deploys any Unix computer with telnet installed and answering is a moron and should consider a career change."

      The people deploying these don't know they're deploying a Unix computer. They think they're installing a gadget they bought in a box that says video camera, video recorder, thermostat or whatever.

      1. Charles 9

        Re: Telnet really?

        He's talking about the VENDORS. Though they're probably as clueless as the end users as well.

        1. Richard 12 Silver badge

          Re: Telnet really?

          Most of the vendors think that as well.

          Heck, apparently camera dildos have the same firmware pack as IoT security cameras.

    2. Anonymous Coward
      Anonymous Coward

      Re: Telnet really?

      In a previous job, we had a fat client app which would only use telnet to connect to the server (limitation in the app, can't recall if an upgrade would have fixed it, but there probably wasn't budget for an upgrade anyway), so had to have telnet enabled (which was a gripe with the app support team...). We eventually got some Heath Robinson solution working with stunnel and limited telnet to localhost only which removed the worst of the problems, but there are configurations out there that require telnet due to crap applications.
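      The arrangement described in this comment (a legacy application that can only speak telnet, wrapped in stunnel with the cleartext telnetd reachable from localhost only) sketched out as an added configuration example. This is not the commenter's actual setup, and the hostnames, certificate paths and the use of BusyBox telnetd are assumptions for illustration:

      ```ini
      ; ---- stunnel.conf on the SERVER that runs telnetd (constructed example) ----
      ; telnetd is started bound to loopback only, so nothing off-host can reach
      ; the cleartext service, e.g. with BusyBox:  telnetd -b 127.0.0.1:23 -F
      cert        = /etc/stunnel/server.pem        ; assumed path: server certificate
      key         = /etc/stunnel/server.key        ; assumed path: server private key
      CAfile      = /etc/stunnel/clients-ca.pem    ; assumed: CA that issued client certs
      verifyChain = yes                            ; only clients with a valid cert may connect
      setuid      = stunnel
      setgid      = stunnel
      pid         = /var/run/stunnel.pid

      [telnet-tls]
      accept  = 0.0.0.0:992                        ; TLS listener (992 is the telnets port)
      connect = 127.0.0.1:23                       ; decrypted traffic goes to the local telnetd

      ; ---- stunnel.conf on the CLIENT workstation running the fat-client app ----
      ; The app is pointed at localhost:23; stunnel carries it to the server over TLS.
      client      = yes
      cert        = /etc/stunnel/client.pem        ; assumed path: client certificate
      key         = /etc/stunnel/client.key
      CAfile      = /etc/stunnel/server-ca.pem     ; assumed: CA that issued the server cert
      verifyChain = yes
      checkHost   = telnet-server.example.internal ; assumed server name; must match the cert

      [telnet-tls]
      accept  = 127.0.0.1:23
      connect = telnet-server.example.internal:992
      ```

      The point of binding telnetd to 127.0.0.1 rather than relying on a firewall rule is that the cleartext listener never exists on a routable address in the first place; after starting it, a look at the listening sockets (for example `ss -ltn` on Linux) should show port 23 on 127.0.0.1 only, with 992 the only telnet-related port open to the network.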

      1. Doctor Syntax Silver badge

        Re: Telnet really?

        "but there are configurations out there that require telnet due to crap applications."

        The problem here isn't telnet being used because it's needed. It's telnet being used despite not being needed or not having secure passwords if it is.

  10. Anonymous Coward
    Anonymous Coward

    Don't forget BusyBox...

    ... it's one of the issues. To keep the footprint compact, not all the libraries used are reliable ones. I had more than one issue with devices using BusyBox.

  11. jason.bourne
    Pint

    +1 for Robin Hood

    I finally registered after years of sharing links to El Reg.

    I just wanted to thank the author of this bot and share a pint with this half of the internet.
