Internet of Things (IoT) devices have long been a security Achilles Heel. That’s because the way they’re designed and managed is fundamentally broken.
Manufacturers create these products – which are essentially internet-connected computers – and unleash them into the world, without any sort of security monitoring or maintenance.
Think about all the times your computer has prompted you to install a security update. And now think about all the times your router has done the same. You get the idea.
The end result is that we’re all less secure. There are now giant botnets consisting entirely of compromised IoT devices, and they’re able to cause staggering amounts of damage.
Remember last year when DNS-provider DYN was DDoS attacked, and most of the Internet was unaccessible for a period of time? That was done with the Mirai botnet, which consists of millions of compromised Internet of Things devices.
In short, insecure IoT devices aren’t just something that affects the owner. It impacts us all in a measurable and tangible way.
Now, there’s a new twist on IoT malware, called BrickerBot.
As you’ve probably guessed from the name, BrickerBot targets vulnerable IoT systems, and bricks them.
There are two known variants, called BrickerBot.1 and BrickerBot.2 respectively. The malware searches for BusyBox-based Linux devices with exposed Telnet ports. It then brute-forces its way into the device and corrupts its storage, in what is called a Permanent Denial of Service (PDoS) Attack.
According to Ars Technica security writer Dan Goodin, the BrickerBot.2 variant uses TOR in order to obfuscate the hosts controlling it.
The response by the security community to BrickerBot has been one of bafflement. Nobody has been able to discern the motives of the person (or persons) behind it.
Could someone literally be doing it for the lulz, getting off on breaking routers, thermostats, and Wi-Fi connected toasters?
Or is there a more profound motive?
Some have speculated that BrickerBot is the work of an activist hacker, who sees the destruction of thousands of IoT devices a small price to pay, in order to limit the potential impact of a future IoT botnet.
Writing in Bleeping Computer, Catalin Cimpanu said: “BrickerBot could also be the work of an Internet vigilante that wants to destroy insecure IoT devices.”
This line of reasoning has support within the security community.
Brickerbots are probably the best thing anyone ever invented. Kill the IoT before it kills us. https://t.co/UHxeN8iGgN
— Matthew Green (@matthew_d_green) April 6, 2017
The brickerbot is a good thing. Damaging the company's image. But the poor buyers. They don't deserve that.
— Sir Datux (@Datux_) April 10, 2017
BrickerBot is doing truly great work. My heart is legit warmed by the people working on & distributing PDoS attacks, pls more like this.
— John Henry (@ckhonson) April 9, 2017
It’s not clear if this is the case. But if it is, I’m not necessarily sure it’s a bad thing.
For starters, it passes the buck for dealing with them from the owners, to the manufacturers.
Yes, it’s the owner’s device that’s getting bricked. But it’s the manufacturer who has to deal with thousands of under-warranty devices flooding back. It’s the manufacturer who has to deal with the reputation damage. It’s the manufacturer who’ll see their Amazon reviews slowly turn into a toxic wasteland of anger.
For the manufacturer, there’s a real dollar-cost to something like BrickerBot.
You can call me an optimist, but perhaps this is what we need. Perhaps this will be the catalyst that forces manufacturers to think realistically about security.
Perhaps it’ll inspire the IoT manufacturers to create a set of industry best practices that pertain to security, kind of like what OWASP (the Open Web App Security Project) did for web developers.
Perhaps it’ll give them a long-term vision for security that thinks about how their devices will be managed and protected 5, 10, even 20 years from now.
And perhaps it’ll help manufacturers reconcile the long-term financial implications of protecting and supporting the devices they sell, with their business and pricing models.
Perhaps. Like I said, you can call me an optimist.