DOS ?
Sounds like a denial-of-botting, rather than denial of service. A vigilante for insecure Things.
A new form of attack code has come to town and it uses techniques similar to Mirai to permanently scramble Internet of Things devices. On March 20 researchers at security shop Radware spotted the malware, dubbed Brickerbot, cropping up in honeypots it sets up across the web to lure interesting samples. In the space of four …
just a little bit. It's an extreme, harsh and utterly illegal way to encourage vendors to deal with their security issues, but perhaps a shedload of support calls and returned 'faulty' items might get their attention.
...then again pigs might fly past satan skiing to work first!
"a shedload of support calls and returned 'faulty' items might get their attention."
As Charles 9 keeps telling us, a lot of this stuff is bought on the grey markets which might make support and returns more difficult. However, it will affect reputations and make buyers a lot more careful in future when they come to replace the bricked items. That, more than anything, will grab vendors' attention.
And the oft touted argument of price competition between vendors really doesn't come into it. There's no point in being a penny or two cheaper than the competition if nobody's buying your product because it's known to get bricked.
"And the oft touted argument of price competition between vendors really doesn't come into it. There's no point in being a penny or two cheaper than the competition if nobody's buying your product because it's known to get bricked."
Unless, of course, THEY'RE getting bricked, too, meaning you're damned if you do and damned if you don't.
"Unless, of course, THEY'RE getting bricked, too, meaning you're damned if you do and damned if you don't."
That's the point. This is going to brick insecure devices in general. If you're making one of them you'll find both you and your equally insecure competitors are having your products bricked. In any case you're almost certainly just relabelling the same product as your competitors. If you don't tighten up your operation you're toast. And if they don't your competitors are also toast. Those of you who get wise have taken on some extra costs but you're still alive but, because you've all had to take on extra costs (either by your upstream vendor improving the product or changing to another vendor's product) you're all moving in step. It remains the same competitive market but at a slightly higher price until the extra cost has been absorbed.
The alternative is that the generic Chinese approach gets such a bad reputation so quickly that only well-known brands are able to sell by getting a non-bricking reputation. This could even be an operation by someone with a better product aiming to wipe out the competition.
At the moment it seems to be working on a thing by thing basis from C & C servers. If it gets turned into a worm it will propagate a lot faster.
The problem is that many of these IoT devices are white label, and many companies will buy them wholesale and brand them. So you buy a device from CompanyOne, and it gets bricked and say "I'm never buying from CompanyOne ever again!" and buy CompanyTwo's product, which turn out to be wholesaled from the same white label firm.
If the white label firm sees a drop in business from relabelers like CompanyOne and CompanyTwo, no matter, they probably operate under multiple names so they can "shut down" the tainted name and move on to the next without having to actually fix the issue. Because that would cost money, especially if they wanted to truly secure them rather than just fixing issues that are currently being exploited.
The only real solution is to buy from a reputable company you know stands behind their products, but of course then you are paying a lot more so that's a step most won't take.
"and many companies will buy them wholesale and brand them.
I am in the process of hacking my cheap IP camera and it seems that there are many "brands" that just take what I think is a Wancam and push in their own front end with branding - I've pretty much done that myself by changing the rubbish web UI to give me a 2K page instead of 160K with loads of pointless scripting such as ~90K of JQuery...
I wonder if the rebrand companies even have access to the source code, or is it a matter of patching in a few company specific details?
I dream that one day companies will be more open with regards the firmware (cough, isn't it basically hacked about bits of Linux with an even more hacked version of GoAhead baked in?, cough) but sadly I think that day will be a long time coming... so acceptable (if not outstanding) hardware will continue to be let down by half assed software that is barely touched beyond "it works enough to make an actual product".
I hear what you're saying, and can't really disagree, but most of the people that buy these devices are just techy enough to get them to (mostly) work. While it might eliminate some completely insecure devices that could be used in other exploits, mostly it's just adding another headache in the lives of poor bastards that just want to automate their homes, and of course for everyone in customer service that will have to get an earful from every person with a bricked device.
"mostly it's just adding another headache in the lives of poor bastards that just want to automate their homes"
And the poor bastards who, by trying to automate their homes (in itself a solution looking for a problem) are becoming a headache to vast swathes of the internet. Look on it as overall optimisation.
As a lot of the targets of botnet herders and of this attack seem to be security DVRs it's likely that at least some of them will have been installed by "professionals". If someone prompting themselves as a security professional installs an IoT device without securing then their customer care operation deserves all the grief it gets.
but most of the people that buy these devices are just techy enough to get themselves in trouble.
FTFY. I've come across more than few who think they "understand" tech but really haven't a clue. And usually don't care as they can pick up the phone and call someone who knows a bit more. Not much... but enough to either create another problem or end up trashing the whole thing.
No.
In fact it looks like a sort of "inoculation" for stupid developers.
It keeps infecting stuff till they take the (fairly) elementary precautions against it or the customers acquire the knowledge to stop it infecting them.
It appears to be applying ecological pressure to the IoT eco system.
It's evolving smarter devs and smarter users.
It's pretty ruthless behavior from whoever developed it but basically they seem to want IoT to evolve or die. Otherwise the malware does not seem to actually do anything which is just weird.
I wonder if we'll find the developer is called Ajax.
Any of this stuff that's sold in the EU presumably has a CE declaration (from manufacturer or importer) and therefore presumably product liability legislation applies?
"the malware does not seem to actually do anything which is just weird."
Kodi doesn't do particularly much either, and what it does do is generally legit, but based on the press coverage it's getting at the moment, maybe someone should tell the FACT/FIFA people that future generations of carp IoTware are just another option for depriving the Rights Owners of their rightfully earned revenues (they're clearly not worried about technicalities or law)
That'd get them off the market in double quick time, surely?
We've seen this movie before somewhere...
The difference that i can see here is that PCs were never set and forget concepts. They had service packs, antivirus definitions and the like. But who, when purchasing their next light bulb, is thinking "how do I apply security patches? Whilst i don't condone vigilante hacking, it's hard to feel sympathy for an industry that has produced so much crap security with bad practices even at a 101 level (hard coded passwords, missing even basic user permissions, running unnecessary daemons with root access, the list goes on). Maybe some bricked returns will score some pretty rubbish eBay/Amazon reviews and will ward off bricks and mortar retailers from stocking such products. The iot industry (and I include car manufacturers here) need to understand that software isn't an engineer and forget enterprise, and if they can't learn the lessons of that industry then pull back and sell regular light bulbs/door locks/cameras/cars/whatever until they do learn those lessons.
I'm not hopeful though. Best security practice starts with collect as little data as you need to function, run as few services as is needed to accomplish that task, and run those services with as few rights as possible. This is the very antithesis of iot.
"Unlikely as it would probably cost less to do a fly-by-night and reappear a few weeks later under a new name."
Rinse and repeat every few weeks until the market learns that no cheap devices survives for long? Fine if you want to keep driving round in a Robin Reliant van.
Build a brand that earns a good reputation and that brand is actually of value. That's where the big money is in the long term.
Then why don't you hear about Kirby and Electrolux vacuum cleaners anymore, despite them being among the most reliable vacuum cleaner brands in history? Reputation can have some meaning, but it can only go so far.
The consequences would have to be more severe for most bling customers to take the step up. And that's assuming the more-expensive brands don't get hit, too, staining the entire industry.
"Then why don't you hear about Kirby and Electrolux vacuum cleaners anymore"
Never heard of Kirby. But we have a Bosch branded vacuum cleaner, a Hotpoint branded washing machine, both bought fairly recently replacing Vax & Zanussi. Dishwasher is AEG. Freezer is Zanussi. I'm not sure how familiar these are in the US but they're all well known brands here.
One of the possible fates of good brands is that they can get asset stripped. Some firm of beancounters the brand and, not having any idea themselves of how to build an electric kettle* or whatever cuts corners to bring the price down and eventually ruins it. However the original owners who put in the work had a valuable brand and got paid for it.
*You may recognise recent experience speaking here. So far Amazon Basics looks like they've got their kettles built by someone who knows how to do the job better than the well-known brand. But then Amazon now have a brand to look after.
Brands aren't even consistent any more. Some of the better named white good manufacturers don't make their lower end models, but farm them out to cheaper companies. It might allow them to cover more market segments, but if those models don't have the same quality and reliability, it's going to bring down the entire brand. See exploding tumble dryers for example.
Is environmentally imposed quality assurance
make the operating conditions hostile to insecure devices and they will fail to thrive.
In the darwinist 'survival of the fittest' meme, this malware eliminates those 'unfit to live'
I think its a good thing, and there should be more of it, the only drawback is its dependency on central C&C.
"I think its a good thing, and there should be more of it, the only drawback is its dependency on central C&C."
Looking at the attacks they interrogate various aspects of the system although it's not immediately obvious what they were doing with it. The second one in particular collects quite a lot of detail. This puzzled me until I realised it wasn't a script running on the device, it was running on the C & C server which will be collecting intelligence on the devices being attacked. It seems quite possible that this is in part an analysis phase to design a worm which will brick devices a whole lot faster.
I can't help thinking that with more development effort, this sort of malware will be able to brick every gas or electric smart meter on the planet. Darwin this, Darwin that. On the frostiest night of the year, naturally. Deployed by a kid wearing short trousers, football boots, and a Motörhead T-shirt inherited from his grandpa.
What is telnet more or less than a simple raw connection to an address and port accessible to a console? Heck, you can connect to a web server's port 80 and, knowing the right sequences, pretend to be a simple web browser. Telnet will never go away because it's essentially the building block for any other socket-based protocol.
"you can connect to a web server's port 80 and, knowing the right sequences, pretend to be a simple web browser."
Back around turn of the millennium, I used to use telnet to log into my pop3 server to check mail. A few simple commands, and it was often quicker than starting up the email software.
Now? Thwarted by encrypted connections and no longer necessary since mobile phones and tablets can do mail checking as a background task.
Perhaps connecting a telnet client to port 80 is a fun and educational exercise. However this device runs a telnet *server*. Telnet sends (typically) arbitrary shell commands over a plaintext connection, so anybody who can send packages to the telnet port can 0wn the device.
Unfortunately BusyBox contains a built-in telnet server and no ssh server, so any security-unaware IOT engineer (please excuse the tautology) will choose the path of least resistance and use telnetd instead of sshd.
"WONTFIX. They say to install dropbear instead."
Which in turn has had its problems, e.g. https://www.theregister.co.uk/2015/02/20/250000_routers_have_duplicate_ssh_keys/
If someone is serious about bricking mass deployments of vulnerable kit upatched versions of that could be near the top of the list.
"Anybody that deploys any Unix computer with telnet installed and answering is a moron and should consider a career change."
The people deploying these don't know they're deploying a Unix computer. They think they're installing a gadget they bought in a box that says video camera, video recorder, thermostat or whatever.
In a previous job, we had a fat client app which would only use telnet to connect to the server (limitation in the app, can't recall if an upgrade would have fixed it, but there probably wasn't budget for an upgrade anyway), so had to have telnet enabled (which was a gripe with the app support team...). We eventually got some Heath Robinson solution working with stunnel and limited telnet to localhost only which removed the worst of the problems, but there are configurations out there that require telnet due to crap applications.