BrickerBot Takes Down your IoT Devices Permanently

There is a new class of malware in town, specifically targeting Internet of Things (IoT) devices. BrickerBot and its variants do exactly what the name says: they turn your smart devices into bricks. Someone out there has gotten tired of all the IoT security flaws and has undertaken extreme (and illegal) measures to fix the problem. Some of the early reports have come in from a security company called Radware, which isolated two variants of the malware in its honeypots.

In a nutshell, BrickerBot gains access to insecure Linux-based systems by brute force: it tries to telnet in using common default root username/password pairs. Once inside, it uses shell commands (often provided by BusyBox, the stripped-down userland most embedded Linux devices ship with) to write random data straight to the block devices that hold the firmware and filesystems, bypassing the filesystem layer entirely. It’s as easy as

dd if=/dev/urandom of=/dev/sda1

With the secondary storage wiped, the device is effectively useless. (On flash-based devices the target is an MTD or eMMC node such as /dev/mtdblock0 or /dev/mmcblk0 rather than /dev/sda1, but the effect is the same.) There is already a name for this: a Permanent Denial-of-Service (PDoS) attack.
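As an added example (not code from the article or from Radware's report), the following Python flags the sequence described above in a telnet-session log: a run of failed logins, a successful login with a default credential pair, then a command that writes random data to a block or flash device or deletes the root filesystem. The one-line-per-event log format, the credential list and the sample log lines are all constructed for this example; a real telnet honeypot emits different records, but the matching logic carries over.

```python
"""Flag BrickerBot-style telnet sessions in a constructed session log.

Added example, not code from the article or from Radware.  The log format
is an assumption made for the example, one event per line:
    <timestamp> <src_ip> LOGIN <user>:<password> <OK|FAIL>
    <timestamp> <src_ip> CMD <shell command line>
"""
import re
from collections import defaultdict

# Constructed subset of the default root/admin pairs such bots try.
DEFAULT_CREDS = {
    ("root", "root"), ("root", "admin"), ("admin", "admin"),
    ("root", "12345"), ("root", "password"), ("admin", "1234"),
    ("root", ""), ("admin", ""),
}

# Block-device and raw-flash nodes a wipe would target on embedded Linux.
BLOCK_DEV = r"/dev/(?:sd[a-z]\d*|mmcblk\d+(?:p\d+)?|mtd(?:block)?\d+|ram\d+)"

# Storage-destroying commands: dd or cat from /dev/(u)random into a block
# device, or rm -rf of the root filesystem.  An optional "busybox " prefix
# is allowed because BusyBox applets are often invoked that way.
WIPE_PATTERNS = [
    re.compile(r"^(?:busybox\s+)?dd\s+if=/dev/u?random\s+of=" + BLOCK_DEV),
    re.compile(r"^(?:busybox\s+)?cat\s+/dev/u?random\s*>\s*" + BLOCK_DEV),
    re.compile(r"^(?:busybox\s+)?rm\s+-rf\s+/\*?(?:\s|$)"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<kind>LOGIN|CMD)\s+(?P<rest>.*)$"
)


def is_wipe_command(cmd: str) -> bool:
    """True if any part of a (possibly compound) shell line is a wipe."""
    # Split on ; && || so "cd /; dd ..." still triggers.
    for part in re.split(r"\s*(?:;|&&|\|\|)\s*", cmd.strip()):
        if any(p.search(part) for p in WIPE_PATTERNS):
            return True
    return False


def analyze(lines):
    """Per source IP: failed-login count, the default pair that succeeded
    (if any), and every wipe command issued from that source."""
    state = defaultdict(lambda: {"failed": 0, "default_login": None, "wipes": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        s = state[m["ip"]]
        if m["kind"] == "LOGIN":
            cred, _, result = m["rest"].rpartition(" ")
            user, _, pw = cred.partition(":")
            if result == "FAIL":
                s["failed"] += 1
            elif (user, pw) in DEFAULT_CREDS:
                s["default_login"] = (user, pw)
        elif is_wipe_command(m["rest"]):
            s["wipes"].append(m["rest"])
    return dict(state)


def pdos_sources(lines):
    """IPs that logged in with a default credential and then wiped storage."""
    return sorted(ip for ip, s in analyze(lines).items()
                  if s["default_login"] and s["wipes"])


# Constructed sample log for the example (not captured traffic).
SAMPLE_LOG = [
    "2017-04-05T03:12:01Z 203.0.113.7 LOGIN root:123456 FAIL",
    "2017-04-05T03:12:02Z 203.0.113.7 LOGIN root:1234 FAIL",
    "2017-04-05T03:12:03Z 203.0.113.7 LOGIN root:admin OK",
    "2017-04-05T03:12:04Z 203.0.113.7 CMD busybox cat /proc/mounts",
    "2017-04-05T03:12:05Z 203.0.113.7 CMD busybox dd if=/dev/urandom of=/dev/sda1",
    "2017-04-05T03:12:06Z 203.0.113.7 CMD busybox cat /dev/urandom >/dev/mtdblock0",
    "2017-04-05T03:12:07Z 203.0.113.7 CMD rm -rf /*",
    "2017-04-05T03:20:44Z 198.51.100.23 LOGIN root:S3cure!Pw OK",
    "2017-04-05T03:20:45Z 198.51.100.23 CMD dd if=/dev/urandom of=/dev/mmcblk0p2",
    "2017-04-05T03:25:10Z 192.0.2.55 LOGIN admin:admin OK",
    "2017-04-05T03:25:11Z 192.0.2.55 CMD cat /dev/urandom > /tmp/junk",
]

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s)
    print("PDoS sources:", pdos_sources(SAMPLE_LOG))
```

Only the first source is reported by `pdos_sources`: the second wiped storage but authenticated with a non-default password (worth a separate alert, but not the pattern this article describes), and the third used a default pair but only wrote to a file under /tmp, which is not a block device. Keeping the two signals separate in `analyze` is deliberate, so a wipe after a strong-password login is still visible to whoever reads the output.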

Now any card-carrying Hackaday reader will know that a system taken down like this can usually be recovered by re-flashing through USB, JTAG, an SD card, or other methods, provided the bootloader or a recovery mode survived the wipe. However, we’re not BrickerBot’s intended audience. We’ve all changed our devices’ default passwords, right? RIGHT?

For more IoT security, check out Elliot’s excellent article about botnets earlier this year, and its follow-up.

82 thoughts on “BrickerBot Takes Down your IoT Devices Permanently”

    1. Yeah there is that little problem, and for older gear (more than 2 years old) you are just going to get something that is unsupported and full of known security flaws.

      If you can’t put open firmware on a device you are screwed, it is just a matter of time, but if you do have the FOSS option the chances are you will be a lot less likely to see your device bricked/compromised in the first place.

      I can’t condone such tactics. It isn’t like a white worm that patches holes and moves on; it is still causing a lot of economic damage, just sooner rather than later, and all at once. Do you want the slow rot option or the bulldozer through the front door? Perhaps it is an act of self-defence by people sick of being attacked through these IoT devices when they are compromised, or perhaps it is somebody doing it “just because they can”; we will probably never know.

      Now can somebody tell me why my laser printer is spewing out pages covered in swastikas? ;-)

        1. Be a semantics nazi all you like, but don’t be surprised if people shun or don’t like you.
          Secondly, you may know that there is not a definitive dictionary for any spoken language; its usage and the meanings of words change over time. So while ‘swastika’ may have meant ‘Indian symbol for…’, its (mirrored) usage by the Nazis has tainted its image with all the horrors of Nazism and WW2. So no, ‘swastika’ does not mean ‘prosperity, luck, etc.’ anymore, it _is_ a Nazi symbol.
          Furthermore, seemingly innocent nitpickings like these are often harboured by individuals that wish to change (the perception of) the past, to make their favorite ideology look less bad… So how about you, are you a closet-nazi, do you air your übermensch fantasies openly?

          1. Jelle, you just made yourself guilty of reverse discrimination. Do you know why? Because of your questions. First one is OK, because it was meant to clarify if I am a closet-nazi or not. On the contrary, your second question already implies that I have “ubermensch fantasies”, so you only want to know if I am airing them openly or not. That second question was wrong.

            FYI, I am not trying to spread any political ideology, but you are acting like an activist with a strong agenda.
            Please chill down and have a nice weekend.

          2. You don’t have to be a Nazi to dislike seeing formerly good symbols dragged through the mud because of how one group decided to use them. I can understand and agree with shunning the Nazi version of the swastika (black on red and rotated 45°), but not all swastikas are evil despite what modern society tells you.

          3. Kind of like the name “Hitler” being tainted. William Patrick Stuart-Houston changed his name from Hitler (he was Adolf’s nephew) and served in the US Navy during WW2. So not all Hitlers were evil (actually, just one), which makes the point that something relatively innocent can get tainted.

          4. “My swastika isn’t the evil nazi version, it’s the friendly Hindu version. That’s why I painted it on the synagogue door, officer”.
            Please remember context, people. In Asia, yes, the swastika is likely to be well received. In the west, no.

      1. FOSS isn’t a panacea for security. Most web servers are running FOSS, but they’re regularly hacked. Isn’t BusyBox FOSS anyway? Doesn’t prevent stupid default passwords.

        1. Your logic is flawed; the point is that FOSS ensures that you have the information needed to maximise your security. It is your responsibility to use that freedom wisely. There is no panacea for stupid, but for the DIY HAD crowd that generally isn’t an issue, with the exception of several well recognised fools.

    2. Obligatory
      If the system breaks down the consequences will still be very painful. But the bigger the system grows the more disastrous the results of its breakdown will be, so if it is to break down it had best break down sooner rather than later.
      “Introduction”, item 3
      Theodore John Kaczynski, Ph.D., also known as the Unabomber

  1. I’ve purchased a few dozen of those little ONVIF IP cameras from eBay that come in black metal cans. They’re super inexpensive and work extremely well… however they all have telnet open. It wasn’t until recently that I found the root password. Unfortunately the default root password is a necessary evil with these cameras as the configuration software depends on it. Additionally, you cannot setup the cameras through the web interface. You NEED the factory (Windows only) software. Hooray for programming gore!

    Also I don’t trust factory Chinese firmware as far as I can throw it. I’ve already caught one device that fed a constant stream of data back to China. It was a Doorbell from Best Buy, also with a wide open (i.e. no username/password) telnet session. I kinda like being able to get into the brain of these devices to see what evil spy daemons are running.

    1. To clarify a bit. They all live on their own happy little island on a VLAN on my network. No internet access. And the others that I have purchased are mounted to an industrial robot with no internet access. But still.

      That raises a good question though. How much impact will this bot even have? Anybody who buys these things is just going to plug them into a residential router. NAT is going to filter any incoming connections.

      1. Most all home users do not have any such infrastructure setup like we typically do.

        You already noticed the outgoing connections part of the problem, which a default home router will happily translate and forward on its way.
        As for incoming being blocked by NAT, look up the UPnP protocol, something else usually enabled by default on home routers. These devices can easily punch a hole in those NAT forward tables for incoming connections if their software so desired to do it.

        1. Not the infrastructure and not the knowledge! Seriously, if you go into, let’s say, a shopping mall and ask random people what a “VLAN” is, how many correct answers will you get? Even with “IPv4” or even “Browser” the results won’t be good. :-/

    2. A lot of them setup reverse proxies so they can get accessed from the internet without any user setup.. Not sure if they actually send other real info… I’ve watched packet dumps from them and there’s not enough data for video/audio going while idle… I have my internet of holes blocked from directly accessing the internet…

    3. > I kinda like being able to get into the brain of these devices to see what evil spy daemons are running.
      You might be interested in side channel analysis/attacks, glitch attacks and stuff like this – but beware, you can spend A LOT of time once you get into this… Micah Elizabeth Scott (scanlime) is doing some really interesting stuff but her streams are reeeaaalllllyyy long. https://www.youtube.com/user/micahjd/videos You might be able to find some abstracts on her website.

    4. Did you manage to clean them up? I got some pan/tilt cameras at an awesome price on singles day, but found they dial a Chinese server (to connect to the mobile app which I don’t want – I want a local stream). So they’re sitting in a box unused.

  2. I don’t see the problem. If it takes something like this to motivate developers to put in even the most rudimentary security for their products to protect their customers… so be it. With IoT increasingly linked to physical processes, it is even a safety concern from various hazards… not to mention the obvious privacy issues. Security has always advanced from the failures… and IoT has certainly been a failure as far as security is concerned. It’s time to learn and improve.

    1. The problem is that the method punishes the perpetrator, the company, and their victim, the consumer. The smartest option would patch the holes and add “advertising” into the data stream associated with the device that made it clear to the user what the situation was and how to make better purchasing choices in the future, that would just punish the companies producing this insecure IoT crap.

        1. The consumer is just as culpable in making informed choices as the errant manufacturer. With compromised devices come increased pressure on the manufacturers for quality code and more informed consumers.. Win-Win.

          1. Which is why no one bought VW diesels, etc? Most people aren’t able to make informed decisions. Even people like us can’t usually tell if a device is secure before buying it and poking at it. No one advertises devices with “100% more open telnet ports, now with a new improved default password” etc!

        1. Nope. The fake FTDI did not spread ransomware and DDoS, but an unsafe connected device does. It is more like a car that is not fit to be used in road traffic because it is prone to explode every 100 miles. I am OK with any measure that gets such a car off the road.

  3. Can somebody shed some light on the possibility and probability that this bot is modified into a self-spreading virus (i.e. when it compromises a device, before bricking it, it first uses it to find a few more devices to spread itself to) that would cause the overnight bricking of many thousands or even millions of devices?

    1. Bricking it is trivial, just a loop overwriting storage.

      More worrisome is if they simply leave the device seeming to function normally and use it to monitor your home. Gone on vacation? Home alone? Doors are locked? No problem, infect the back door lock… unlock it. Your address can be found from your IP. Burglars-R-Us will be right over. Stalker’s delight.

      The more code and memory space available the more certain it will become. California leads the pack with concerns about this.

        1. Not sure how tech-savvy burglars are, but you could get a rough estimate of the location from the IP and then use the broadcast MAC address from the router to further pinpoint the location.

          1. Oh, you found an ISP farm. Maybe if you are a good hacker or a 3 letter agency you could find my real physical location. But wait, I just refreshed my IP, now it’s 172.164.27.224, but when exactly did it change? Did I change it more than once? Do you also have access to the logs of the ISP?
            If you have the knowledge and access to all this info you probably have bigger fish than me to tackle.

          2. Annie – if I’ve got control of your router, I’d imagine it’d be fairly easy to find your ISP allocated IP, and/or monitor your network for addresses sent plaintext, or find other wifi addresses locally, or find a device on your network with GPS, etc. Whether it’s simpler than just attacking your neighbour is another question.
            However, if you’re the type of person who’s anonymised their IP via a proxy, then you’ve probably not got default passwords on your devices anyway.

        2. True that today it’s more accurate to say your ISP regularly changing your dynamic IP gives only location down to the general area so then simply drive the area attempting to connect using the wireless SSID and passphrase which YOU DID voluntarily provide to your compromised IoT device that is phoning home this info. This remains true even if you have your router SSID broadcast turned off, and even without regard to knowing the passphrase or not, as connections will be allowed/refused to connect instead of simply failed due to no such network available.

          You may remember for a while Google Maps Satellite View even displayed your SSID at your address if you hovered the mouse over your house. Caused a good bit of stir till they removed this “feature”. Today many devices, (android etc), ask to “better refine your exact location” by scanning the SSIDs in your locality, which they maintain a database of and use to “help better tell you where you are”. Your neighbor’s phone likely already recorded your SSID even if YOU disallowed this “feature” on your phone.

          I’ve been doing a mix of biomedical and network security engineering since about ’82 mostly working alone places where fully paranoid is a good deal short of what they mandated as policy, but it was the kinda places that needed it, and yes am certified. Learned COBOL on punch cards around ’72.

        3. Missing the point – if they have control of device(s) inside your home (including one or more cameras) there’s other ways than just using your IP address.

          And regardless of movie-plot scenarios for internet arguments, it’s a bad situation to be in.

          1. My point was just to give scale to the risk involved. It isn’t just “my door lock quit working”. 70% of the folks here coulda said it but weren’t.

      1. Various meanings for IoT:
        Internet of Trash (seems appropriate)
        Internet of Trashcans (they get bricked and won’t open anymore, leaving your junk out)
        Internet of Taps (they get bricked and won’t close anymore, turning your home into Spongebob’s home)
        Internet of Tables (they get bricked and will flip every time you try to put something on them)
        Internet of Toasters (they get bricked and will burn your toast, turning bread into non-edible charcoal)
        Internet of Toys (they get bricked and your children will cry because Hello Barbie does not answer anymore)
        Internet of TVs (they get bricked and you’ll wonder why the remote does not work even if you change its batteries)
        Some of these are unfortunately real, and can be bricked easily. If your TV does not turn on, don’t waste time changing remote batteries.

    1. I dunno if a fork bomb is gonna overheat a CPU. A CPU should be able to run any series of instructions without overheating. Otherwise they’ve designed the system wrong. A fork bomb is more likely to use up all the RAM, and maybe suck up too many clock cycles.

      1. We know already about phone CPUs which get so hot during an update, that the internal solder joints break. Not at the first time but after very few times. So there are devices which can overheat (and get destroyed) by software action.

  4. Let this virus run its course; the favour it’s doing the internet is overwhelmingly positive, taking down insecure potential spam bots, showing the cheap companies for what they are and educating the uninformed through experience.

    1. I agree. I hope this virus spreads very quickly on new poorly secured devices. Regular Joe will then just take his 2 weeks old TV to the big box store and ask for a refund. Store sends TVs to the crappy manufacturer, who finally secures devices properly.

      1. What would be nice is if the virus would be morphed into a worm that could jump to the app and then brick the iCrap or whatever crApple device was used to access the infected IoT junk.

        1. lol…. AOL. You been around a long time. And ALL AOL show up as Dulles, VA. Thought they were giving up and quitting.

          But your compromised IoT device can scan the neighbors wifi too…. Often the SSID is all one needs to see thanks to cable company SSID choices.

          1. “You been around a long time.” Probably.
            “ALL AOL show up as Dulles, VA.” That’s a good thing.
            “Thought they were giving up and quitting.” I don’t think so, they have a good share of the NET.
            “But your compromised IoT device” You won’t find that here.
            “can scan the neighbors wifi too” That’s also a good thing.

    2. IOT may be considered a disease by some and the average internet user may be clueless which is why sites like Facebook even exist.
      If they had a clue they wouldn’t touch that site with a 39 and a half foot pole.
      But the authorities are not going to think the perpetrators are some kind of robin hood.

  5. Aside from surfing some skeevy hacking sites and forums, is there a website or two that lists out all the currently known IoT hacks and vulnerabilities, together with a description of the problem or a proof-of-concept test? That sort of list needs to be out there and promoted, so that consumers are warned and manufacturers are embarrassed into making fixes.

    Otherwise, the only way people are going to get educated and the situation will be improved is by users getting burned by attacks like this, or worse.

    1. The software will break if it can’t write to NAND, most of these devices are very shoddily coded at best so although it’s possible to build a Linux device that runs entirely from ROM, none of them do it because it’s too hard and being able to save settings / logs / snapshot pictures etc. is too useful.

      Heck, some NAND filesystems will not work if they can’t write to the device. Guess how I found that out…

      1. You could put that on a separate flash chip, which is write-protected in hardware via the write-protect pin, sort of like the dual BIOS solution some motherboards do except read only.

  6. First of all, in the first line it should be “virus”. Secondly, in all the other instances, there’s no such word as “virii”. It’s cod-Latin and incorrect. The correct plural is “viruses” if you’re writing in English.
