BrickerBot Takes Down your IoT Devices Permanently

There is a new class of viruses in town, specifically targeting Internet of Things (IoT) devices. BrickerBot and its variants do exactly as their name says, turning your smart devices into bricks. Someone out there has gotten tired of all the IoT security flaws and has undertaken extreme (and illegal) measures to fix the problem. Some of the early reports have come in from a security company called Radware, who isolated two variants of the viruses in their honeypots.

In a nutshell, BrickerBot gains access to insecure Linux-based systems by using brute force. It tries to telnet in using common default root username/password pairs. Once inside it uses shell commands (often provided by BusyBox) to write random data to any mounted drives. It’s as easy as

dd if=/dev/urandom of=/dev/sda1

With the secondary storage wiped, the device is effectively useless. There is already a name for this: a Permanent Denial-of-Service (PDoS) attack.
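The pattern described above (a run of failed telnet logins, a success, then `dd` aimed at a device node) is easy to spot in session logs. This is an added detection example, not code from the article or from Radware; the log format, the failure threshold and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed telnet honeypot log in a hypothetical format:
# "<timestamp> <source-ip> <EVENT> <detail>" (documentation addresses).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 203.0.113.7 LOGIN_FAIL user=root
2024-01-01T10:00:02Z 203.0.113.7 LOGIN_FAIL user=admin
2024-01-01T10:00:03Z 203.0.113.7 LOGIN_FAIL user=root
2024-01-01T10:00:04Z 203.0.113.7 LOGIN_OK user=root
2024-01-01T10:00:05Z 203.0.113.7 CMD busybox dd if=/dev/urandom of=/dev/sda1
2024-01-01T11:30:00Z 198.51.100.20 LOGIN_OK user=tech
2024-01-01T11:30:09Z 198.51.100.20 CMD dd if=/tmp/fw.bin of=/dev/null
"""

# Pseudo-devices that are harmless places for dd to write.
SAFE_TARGETS = {"/dev/null", "/dev/stdout", "/dev/stderr"}
FAIL_THRESHOLD = 3  # assumed tuning value: failures before a success

def dd_device_target(command):
    """Return the /dev path a dd invocation writes to, or None."""
    words = command.split()
    if "dd" not in words:
        return None
    for word in words[words.index("dd") + 1:]:
        if word.startswith("of=/dev/") and word[3:] not in SAFE_TARGETS:
            return word[3:]
    return None

def analyse(log_text):
    """List dd writes to devices, noting if the login followed brute force."""
    failures = defaultdict(int)
    brute_forced = set()
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, src, event, detail = parts
        if event == "LOGIN_FAIL":
            failures[src] += 1
        elif event == "LOGIN_OK":
            if failures[src] >= FAIL_THRESHOLD:
                brute_forced.add(src)
            failures[src] = 0
        elif event == "CMD":
            target = dd_device_target(detail)
            if target:
                findings.append({"time": ts, "source": src, "target": target,
                                 "after_brute_force": src in brute_forced})
    return findings
```
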

Now any card-carrying Hackaday reader will know that a system taken down like this can be recovered by re-flashing through USB, JTAG, SD, or other methods. However, we’re not BrickerBot’s intended audience. We’ve all changed our devices’ default passwords, right? RIGHT?

For more IoT security, check out Elliot’s excellent article about botnets earlier this year, and its follow-up.

Is Your Child A Hacker?

Parents in Liverpool, UK, are being prepared to spot the signs that their children might be hackers. The Liverpool Echo reports on the launch of a “Hackers To Heroes” scheme targeting youngsters at risk of donning a black hat, and has an expert on hand, one [Vince Warrington], to come up with a handy cut-out-and-keep list. Because you never know when you’re going to need one, and he’s helped the Government so should know what he’s talking about.

Of course, they’re talking about “Hacker” (cybercriminal) while for us the word has much more positive connotations. And it’s yet another piece of ill-informed media scaremongering about technology that probably fits like so many others in the “People are having fun. Something Must Be Done About It!” category. But it’s still something that will probably result in hassle for a few youngsters with an interest in technology, and that’s not encouraging.

The full list is reproduced below. If you’re a parent, it seems you will need to watch your children if:

  1. They spend most of their free time alone with their computer
  2. They have few real friends, but talk extensively to online friends about computers
  3. Teachers say the child has a keen interest in computers, almost to the exclusion of all other subjects
  4. They’re online so much it affects their sleeping habits
  5. They use the language of hacking, with terms such as ‘DdoS’ (pronounced D-dos), Dossing, pwnd, Doxing, Bots, Botnets, Cracking, Hash (refers to a type of encryption rather than cannabis), Keylogger, Lulz, Phishing, Spoof or Spoofing. Members of the Anonymous Hackivist group refer to their attacks as ‘Ops’
  6. They refer to themselves and their friends as hackers or script kiddies
  7. They have multiple social media profiles on one platform
  8. They have multiple email addresses
  9. They have an odd sounding nickname (famous ones include MafiaBoy and CyberZeist)
  10. Their computer has a web browser called ToR (The Onion Router) which is used to access hacking forums on the dark web
  11. Monitoring tools you’ve put on the computer might suddenly stop working
  12. They can connect to the wifi of nearby houses (especially concerning if they have no legitimate reason to have the password)
  13. They claim to be making money from online computer games (many hackers get started by trying to break computer games in order to exploit flaws in the game. They will then sell these ‘cheats’ online).
  14. They might know more than they should about parents and siblings, not being able to resist hacking your email or social media
  15. Your internet connection slows or goes off, as their hacker rivals try to take them down
  16. Some circumstantial evidence suggests children with Autism and Asperger’s could be more vulnerable to becoming hackers.

Reading the list, we can’t help wondering how many of these Hackaday readers would recognise as perfectly normal behaviours from their own formative years. And some of them look ripe for misinterpretation; for example, your internet connection slowing down does not automatically mean that little [Jimmy] is selling a billion compromised social media accounts on the Dark Web.

Particularly concerning though is the final association of computer crime with children who are autistic or have Asperger’s Syndrome. Picking on a minority as a scapegoat for a public moral panic is reprehensible, and is not responsible journalism.

Still, you have to laugh. They remembered to include a stock photo of a hacker using a keyboard, but they’ve completely missed the telltale sign of a real hacker, which is of course wr1t1n9 11k3 r341 1337 h4xxx0rzzz.

Via The Register.

Liverpool skyline, G-Man (Public domain) via Wikimedia Commons.

My Payphone Runs Linux

For the 20th anniversary of the movie “Hackers”, [Jamie Zawinski], owner of DNA Lounge in San Francisco, threw an epic party – screening the movie, setting up skating ramps and all that jazz. One of the props he put up was an old payphone, but he didn’t have time to bring it alive. The one thing he didn’t want this phone to do was to be able to make calls. A couple of weeks later, he threw another party, this time screening “Tank Girl” instead. For this gathering he had enough time to put a Linux computer inside the old payphone. When the handset is picked up, it “dials” a number which brings up a voice mail system that announces the schedule of events and other interactive stuff. As usual, this project looked simple enough to start with, but turned out way more complicated than he anticipated. Thankfully for us, he broke down his build into bite-sized chunks to make it easy for us to follow what he did.

This build is a thing of beauty, so let’s drill down into what the project involved:

Security Problems with Gas Station Automated Tank Gauges

[HD Moore] recently posted an article on Rapid 7’s blog about an interesting security problem. They’ve been doing some research into the security of automated tank gauges (ATGs). These devices are used at gas stations and perform various functions including monitoring fuel levels, tracking deliveries, or raising alarms. [Moore] says that ATGs are used at nearly every fueling station in the United States, but they are also used internationally. It turns out these things are often not secured properly.

Many ATGs have a built-in serial port for programming and monitoring. Some systems also have a TCP/IP card, or even a serial to TCP/IP adapter. These cards allow technicians to monitor the system remotely. The most common TCP port used in these systems is port 10001. Some of these systems have the ability to be password protected, but Rapid 7’s findings indicate that many of them are left wide open.

The vulnerability was initially reported to Rapid 7 by [Jack Chadowitz]. He discovered the problem due to his work within the industry and developed his own web portal to help people test their own systems. [Jack] approached Rapid 7 for assistance in investigating the issue on a much larger scale.

Rapid 7 then scanned every IPv4 address looking for systems with an open port 10001. Each live system discovered was then sent a “Get In-Tank Inventory Report” request. Any system vulnerable to attack would respond with the station name, address, number of tanks, and fuel types. The scan found approximately 5,800 systems online with no password set. Over 5,300 of these stations are in the United States.

Rapid 7 believes that attackers may be able to perform functions such as reconfiguring alarm thresholds, resetting the system, or otherwise disrupting operation of the fuel tank. An attacker might be able to simulate false conditions that would shut down the fuel tank, making it unavailable for use. Rapid 7 does not believe this vulnerability is actively being exploited in the wild, but they caution that it would be difficult to tell the difference between an attack and a system failure. They recommend companies hide their systems behind a VPN for an additional layer of security.
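Since an attack and a system failure are hard to tell apart, it helps to know whether anything outside the VPN ever reached a gauge. This is an added example, not code from Rapid 7 or the article: it reads a firewall connection log and lists, per ATG, the non-VPN sources that were allowed through to port 10001. The CSV layout, the VPN address pool and the sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

ATG_PORT = 10001  # TCP port the article names as most common for ATGs
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24")]  # assumed VPN address pool

# Constructed firewall log (hypothetical CSV export; documentation addresses).
SAMPLE_LOG = """\
time,src,dst,dport,action
2024-01-01T08:00:00Z,10.8.0.14,192.0.2.50,10001,ACCEPT
2024-01-01T08:05:10Z,203.0.113.99,192.0.2.50,10001,ACCEPT
2024-01-01T08:05:11Z,203.0.113.99,192.0.2.51,10001,DROP
2024-01-01T08:06:00Z,198.51.100.4,192.0.2.50,443,ACCEPT
2024-01-01T08:07:30Z,198.51.100.77,192.0.2.50,10001,ACCEPT
"""

def via_vpn(addr):
    """True if the source address belongs to one of the VPN networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPN_NETS)

def exposed_gauges(log_text):
    """Map each ATG address to the non-VPN sources the firewall let through."""
    exposed = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        # Only accepted connections to the ATG port matter here.
        if int(row["dport"]) != ATG_PORT or row["action"] != "ACCEPT":
            continue
        if not via_vpn(row["src"]):
            exposed[row["dst"]].add(row["src"])
    return {dst: sorted(srcs) for dst, srcs in exposed.items()}
```
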

[Thanks Ellery]

Dumpster hackers and junkyard makers get their own TV show

The Science Channel has a new show premiering tomorrow night that we think you won’t want to miss.

JUNKies takes a look at a group of junkyard engineers led by [Jimmy “The Junk Genius” Ruocco], who also happens to be the junkyard’s owner. From the trailer you can see below, the show looks like it will be pretty entertaining, combining the best parts of Junkyard Wars, Mythbusters, and even Jackass – with hilarious and interesting results.

The show includes crazy stuff that [Jimmy] and his crew piece together, as well as the creations of individuals that come by the shop looking for parts. When the crew is not busy concocting crazy machines, they seem more than happy to help random inventors and makers dig out just the right parts for their projects.

The show airs tomorrow night, 8/18, at 10 PM Eastern, so be sure to check it out and let us know what you think!

[via Make]

A look at Sony’s ongoing war against hackers

[Phillip Torrone] recently wrote an article over at Make regarding Sony and their “War on Makers, Hackers, and Innovators“. In the article, he traces Sony’s history as a well-liked hardware company that once produced innovative products, to its current state as an enemy to all who would dare wield a screwdriver and soldering iron. He took quite a bit of time scouring the Internet to dig up very specific examples of Sony’s perceived assault on the hacking community. That’s not to say he simply lambasts the company and leaves it at that. Rather, he reflects on their past as a staple in nearly every American home, how they have changed since venturing into the content business, as well as what we might be able to do as hackers to change the way Sony treats its customers.

One specific example he mentions is the lawsuits that plagued the Sony Aibo modding scene, a case very near and dear to his heart. This scenario is one where the voice of the people was eventually heard, though too late to make a difference. He laments the loss of interest in the platform by the modding community as a clear-cut example of the disastrous consequences of Sony’s litigious nature.

You should definitely take a moment to read the article if you have the time. [Phillip] brings up some very good points, giving you plenty to consider the next time you make an electronics purchase, large or small.

We’d love to hear your take on the matter as well.

Interview with Steven Levy about Hackers

[Dale Dougherty] interviews [Steven Levy] about the history of hacking. [Levy]’s book Hackers has been released in a 25th anniversary edition. The interview alone is fascinating and the book is a must-read for any hacker. If they offered a course in hacker culture somewhere, we’re positive that this book would be the textbook. The 25th anniversary edition has been updated to include major figures from the last 25 years including [Bill Gates], [Steve Wozniak] and others that have impacted our lives drastically.

[via MakeZine]