A new kind of attack is targeting unsecured Internet of Things devices by scrambling their code and rendering them useless.
Security firm Radware first spotted the "BrickerBot" malware last month after it started hitting the firm's honeypots, logging hundreds of infection attempts over a few days. When the malware connects to a device using its default username and password -- often easily found on the internet -- it corrupts the device's storage, leaving the device in a state of permanent denial-of-service (PDoS), also known as "bricking."
In other words, this attack "damages a system so badly that it requires replacement or reinstallation of hardware," said Radware.
It's a novel take on an ongoing security problem with Internet of Things devices: Botnets controlled by hackers, like the Mirai malware, typically infect unsecured devices that are enlisted as part of wider bandwidth-stealing attacks to bring down websites and services by overwhelming them with internet traffic.
Like the Mirai botnet, most famous for bringing down wide swathes of the US internet last year in a massive distributed denial-of-service (DDoS) attack, BrickerBot uses "the same exploit vector" by brute-forcing telnet accounts with lists of available usernames and passwords.
Radware doesn't have a list of internet-connected devices, like webcams, toys, and even smart bulbs, at risk of being attacked, but it pointed to several kinds of Linux-based devices that run the BusyBox toolkit that have their telnet port open and are exposed publicly on the internet.
Internet of [insecure] Things devices, which exist because the manufacturer doesn't give a rat's arse about security, just so long as they can manufacture the thing as cheaply as possible. Which is obvious because they don't even attempt the simplest of security tactics of disabling the Telnet port. They then make no effort to ensure the owner can change the default root (administrator) password, let alone the standard user password, nor do they even make it known that this is a minimal necessary security strategy.
From a user point of view these devices simply aren't worth the money, they are poorly designed, and badly implemented, and really unnecessary in the general scheme of things.