The DHS’s ICS-CERT has issued an alert update about BrickerBot, a nefarious family of malware that is designed to exploit hard-coded passwords in IoT devices and cause permanent denial of service (PDoS).
According to Radware (via the DHS), BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords, exposed SSH and brute force Telnet. The original BrickerBot, which was active from March 20, 2017 to March 25, 2017, targeted devices running BusyBox with an exposed Telnet command window. These devices also had SSH exposed via an older version of Dropbear SSH server. Most these were identified as Ubquiti network devices running outdated firmware, although some were also access points or bridges with beam directivity.
The current BrickerBot.2 targets Linux-based devices which may or may not run BusyBox and which expose a Telnet service protected by default or hard-coded passwords. The source of the attacks is concealed by TOR exit nodes.
“We coined it ‘BrickerBot’ because instead of enslaving IoT devices, like Mirai does, it attempts to destroy or ‘brick’ them,” explained Pascal Geenens, Security Evangelist for EMEA Region for Radware and the researcher that discovered the malware. “Most consumers of such devices might never know they were the victim of malware. Their device would just stop working and the natural inclination is to think its they purchased faulty hardware.”
As Geenens notes, the Radware research team has run real-world tests on IP cameras that met the target specifications of the attack.
“After running the BrickerBot malware onto the device, it stopped working completely,” Geenens confirmed. “Unfortunately, even after performing the factory reset, the camera was not recovered and hence it was effectively bricked.”
To mitigate potential BrickerBot attacks, Radware recommends taking the following precautions:
- Change the device’s factory default credentials.
- Disable Telnet access to the device.
- Use network behavioral analysis to detect anomalies in traffic and combine with automatic signature generation for protection.
- Set intrusion protection systems to block Telnet default credentials or reset telnet connections. Use a signature to detect the provided command sequences.
The rise of the BrickerBot family of malware illustrates the real-world risks associated with deploying unsecured IoT devices. Indeed, nearly every device is a potential target for cyber criminals with malicious intent. Therefore, it is important to understand that reducing the IoT attack surface starts with adequately protecting both services and endpoints. To be sure, an attacker cannot compromise an endpoint without first establishing an unauthorized communication channel.
An IoT security solution should therefore only allow legitimate, verified cloud services to ‘talk’ with each device by detecting and thwarting unauthorized communication attempts. In addition, IoT devices should be uniquely and cryptographically verified to determine if they are authorized to connect, thereby reducing the attack surface of the service by preventing remote attacker access directly or via malicious or compromised endpoints.
Perhaps most importantly, IoT security solutions should be ready out of the box: simple, affordable and easy to use. One effective method of simplifying security and reducing costs is to deploy IoT devices with tamper-proof pre-provisioning keys and identifiers. This model will allow service providers to bolster security for a wide range of connected ’things.’