Lucian Constantin of IDG News Service confirms that attackers have begun adding data-wiping routines to malware targeting Internet of Things (IoT) devices. One such example is Amnesia, which infects digital video recorders by exploiting a well-known vulnerability.
“Amnesia is a variation of an older IoT botnet client called Tsunami, but what makes it interesting is that it attempts to detect whether it’s running inside a virtualized environment,” Constantin explained.
“The malware performs some checks to determine whether the Linux environment it’s running in is actually a virtual machine based on VirtualBox, VMware, or QEMU. Such environments are used by security researchers to build analysis sandboxes or honeypots. If Amnesia detects the presence of a virtual machine, it will attempt to wipe critical directories from the file system using the Linux “rm -rf” shell command.”
Another example of malware targeting IoT devices for data wipes is BrickerBot, which launches from compromised routers and wireless access points against other Linux-based embedded devices.
“The malware attempts to authenticate with common username and password combinations on devices that have the Telnet service running and are exposed to the internet,” he stated. “If successful, it launches a series of destructive commands intended to overwrite data from the device’s mounted partitions. It also attempts to kill the internet connection and render the device unusable.”
According to Constantin, most users are unlikely to ever know if their routers, IP cameras, or network-attached storage systems are infected with malware and are being used in DDoS attacks, because the impact on their performance might be unnoticeable.
“However, they will immediately know that something is wrong if they’re hit by BrickerBot because their devices will stop working and many of them will likely require manual intervention to fix,” he added.
As we’ve previously discussed on Rambus Press, nearly every device is a potential target for cyber criminals. Reducing the IoT attack surface starts with adequately protecting both services and endpoints, because an attacker cannot compromise an endpoint without first establishing an unauthorized communication channel.
An IoT security solution should therefore only allow legitimate, verified cloud services to ‘talk’ with each device by detecting and thwarting unauthorized communication attempts. In addition, IoT devices should be uniquely and cryptographically verified to determine if they are authorized to connect, thereby reducing the attack surface of the service by preventing remote attacker access directly or via malicious or compromised endpoints.
Perhaps most importantly, IoT security solutions should be ready out of the box: simple, affordable and easy to use. One effective method of simplifying security and reducing costs is to deploy IoT devices with tamper-proof pre-provisioning keys and identifiers. This model will allow service providers to bolster security for a wide range of connected ’things.’