A new threat is targeting insecure IoT devices, but rather than hijack them for use in distributed denial of service (DDoS) attacks, Brickerbot instead threatens to disable – or ‘brick’ – these devices, so that they are left completely inoperable.
So-called ‘permanent denial of service’ (or PDoS) attack bots scour the Internet for vulnerable targets – typically Linux-based routers, bridges or similar Internet-connected devices that require only factory default passwords to grant remote admin access.
Once a suitable target is identified, the bots unleash wave after wave of destructive commands that wipe files stored on the device, corrupt its storage and cut off its Internet connection. In most cases, repairing the device would not be worth the cost and effort involved.
“Also known loosely as ‘phlashing’ in some circles, PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. By exploiting security flaws or misconfigurations, PDoS can destroy the firmware and/or basic functions of a system,” write security researchers from IT security company Radware, in a threat advisory report published last week.
Setting a honeypot to catch a bug
In order to observe Brickerbot ‘in the wild’, Radware’s security research team set up a number of ‘honeypots’ designed to lure interesting PDoS specimens.
These were successful: over a four-day period in March, the Radware team observed around 2,230 PDoS attempts on devices made available via these honeypots. One honeypot logged 1,895 infection attempts by Brickerbot, with the majority coming from Argentina, and a second logged 333 attempts of untraceable origin, as they came from a Tor node that anonymises web traffic.
The Brickerbot attack used a technique (Telnet brute force) very similar to that used by Mirai to breach devices, according to Radware’s researchers.
“Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently ‘root’/‘vizxv’,” they write.
Looking at the evidence
From the available evidence – the use of a ‘busybox’ command and the types of componentry targeted – it’s clear that the attack is targeted specifically at Linux/Busybox-based IoT devices which have their Telnet port open and exposed publicly on the Internet.
“These are matching the devices targeted by Mirai or related IoT botnets,” the Radware team points out.
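As an added example (not Radware’s code and not taken from the advisory), the following Python script shows the defender’s side of the Telnet brute-force pattern described above: it parses constructed honeypot log lines, counts failed logins per source address, flags any source that either reaches a failure threshold or tries the ‘root’/‘vizxv’ pair the article names, and reports a flagged source that subsequently logs in successfully. The log format, the sample addresses and every password other than ‘vizxv’ are assumptions made for the illustration.

```python
"""Added example: flag Telnet brute-force and default-credential attempts in
honeypot logs. Not Radware's code; the log format and the sample lines below
are constructed for illustration."""
import re
from collections import Counter

# Constructed log format (assumed, not Radware's honeypot format):
#   <timestamp> <source-ip> telnet auth user=<name> pass=<secret> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) telnet auth "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>ok|fail)$"
)

# Credential pairs treated as factory defaults. Only root/vizxv is named in the
# article; a real deployment would load the vendor-default list it cares about.
KNOWN_DEFAULT_CREDS = {("root", "vizxv")}

# Constructed sample: one source hammers the honeypot (starting, as the article
# reports, with root/vizxv) and eventually gets in; a second source makes two
# ordinary-looking attempts; one line is corrupt and must be skipped.
SAMPLE_LOG = """\
2017-03-20T10:00:01Z 203.0.113.5 telnet auth user=root pass=vizxv result=fail
2017-03-20T10:00:02Z 203.0.113.5 telnet auth user=root pass=guess1 result=fail
2017-03-20T10:00:03Z 203.0.113.5 telnet auth user=root pass=guess2 result=fail
2017-03-20T10:00:04Z 203.0.113.5 telnet auth user=admin pass=guess3 result=fail
2017-03-20T10:00:05Z 203.0.113.5 telnet auth user=admin pass=guess4 result=fail
2017-03-20T10:00:06Z 203.0.113.5 telnet auth user=root pass=vizxv result=ok
2017-03-20T10:05:00Z 198.51.100.7 telnet auth user=operator pass=typo result=fail
2017-03-20T10:05:30Z 198.51.100.7 telnet auth user=operator pass=correct result=ok
2017-03-20T10:06:00Z corrupt line that does not match the format
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(log_text, fail_threshold=5):
    """Summarise Telnet login activity per source address.

    A source is flagged when it either accumulates `fail_threshold` failed logins
    or tries a known factory-default pair at all (one such attempt is already a
    strong signal on a device that should never expose Telnet). A flagged source
    that then logs in successfully is reported as a likely compromise.
    """
    attempts, failures = Counter(), Counter()
    first_pair, default_hits, successes = {}, [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:                    # skip corrupt or unrelated lines
            continue
        src, pair = rec["src"], (rec["user"], rec["pw"])
        attempts[src] += 1
        first_pair.setdefault(src, pair)   # remember the very first pair tried
        if pair in KNOWN_DEFAULT_CREDS:
            default_hits.append((src, rec["user"], rec["pw"]))
        if rec["result"] == "fail":
            failures[src] += 1
        else:
            successes.append((src, rec["user"], rec["pw"]))
    default_sources = {hit[0] for hit in default_hits}
    flagged = sorted(
        src for src in attempts
        if failures[src] >= fail_threshold or src in default_sources
    )
    compromised = sorted({s for s, _, _ in successes if s in flagged})
    return {
        "attempts": dict(attempts),
        "failures": dict(failures),
        "first_pair": first_pair,
        "default_hits": default_hits,
        "flagged": flagged,
        "compromised": compromised,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src in report["flagged"]:
        print(f"{src}: {report['attempts'][src]} attempts, "
              f"{report['failures'][src]} failures, "
              f"first pair {report['first_pair'][src]}")
    print("likely compromised:", report["compromised"])
```

Run against the constructed sample, the script flags 203.0.113.5 (five failures, first pair root/vizxv, then a successful login) and leaves 198.51.100.7 alone; the same logic applied to a device’s own Telnet log, or to a honeypot like the ones Radware deployed, gives an early indication that a unit with factory credentials is being probed. The more durable fix remains closing the Telnet port to the Internet and changing the default password.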
That said, there’s no clear answer to the question of why these devices are being attacked in this way. Since Bricker effectively kills a device before it can be used as part of a botnet army to extort money from a targeted company, it’s clear that the motivation is different from that driving DDoS attacks.
As Radware researcher Pascal Geenens puts it, in conversation with Ars Technica: “What motivates people to randomly destroy things? Anger, maybe? A troll, maybe?”
But while this may be malicious, it’s also a possibility, as Ars Technica suggests, that the rash of PDoS attacks is being carried out “by one or more vigilantes who want to take out these devices before they can be conscripted into a powerful DoS army that poses a serious threat to the Internet as we know it.”