SoylentNews is people
SoylentNews
Researchers have uncovered a rash of ongoing attacks designed to damage routers and other Internet-connected appliances so badly that they become effectively inoperable.
PDoS attack bots (short for "permanent denial-of-service") scan the Internet for Linux-based routers, bridges, or similar Internet-connected devices that require only factory-default passwords to grant remote administrator access. Once the bots find a vulnerable target, they run a series of highly debilitating commands that wipe all the files stored on the device, corrupt the device's storage, and sever its Internet connection. Given the cost and time required to repair the damage, the device is effectively destroyed, or bricked, from the perspective of the typical consumer.
Over a four-day span last month, researchers from security firm Radware detected roughly 2,250 PDoS attempts on devices they made available in a specially constructed honeypot. The attacks came from two separate botnets—dubbed BrickerBot.1 and BrickerBot.2—with nodes for the first located all around the world. BrickerBot.1 eventually went silent, but even now the more destructive BrickerBot.2 attempts a log-on to one of the Radware-operated honeypot devices roughly once every two hours. The bots brick real-world devices that have the telnet protocol enabled and are protected by default passwords, with no clear sign to the owner of what happened or why.
See also this related blog post inspired by this article.
(Score: 2) by Snotnose on Tuesday April 11 2017, @12:15AM (12 children)
When I buy a new device first thing I do it change it's default password. That said, the first post guy had it right when he said he'd like the chance to change the password before it gets disabled. But I put that on the vendor. FFS, give the device a serial number, a default password based on that password, print a label with the password, and slap that sucker onto the device.
People who don't care will eventually get their IoT device bricked. Those of us who care are fat, dumb, and happy.
When the dust settled America realized it was saved by a porn star.
(Score: 1, Insightful) by Anonymous Coward on Tuesday April 11 2017, @12:28AM (1 child)
The problem is a lot of these devices have their login credentials set at the base layer and are immutable to user changes, even if they have a "user level" login that can be changed. This means the devices are fundamentally vulnerable and the only repair is either a firmware upgrade from the vendor... or trashing the device and hope the next guy you buy from was less stupid/lazy. But I wouldn't be optimistic, the IoT is fucked top-to-bottom currently.
(Score: 2) by Snotnose on Tuesday April 11 2017, @01:04AM
The problem is that this is a problem. 2 solutions:
a) as I said before, each device gets a serial number and the default password is unique
b) let me fire up the device before connecting to a network and let me change the default password.
c) Do neither, let my IoT doohicky join a DDoS, and I can join a class action lawsuit to put the vendor out of business
whoops, that's 3. So make a class action.
When the dust settled America realized it was saved by a porn star.
(Score: 2) by coolgopher on Tuesday April 11 2017, @02:02AM (9 children)
Having to do either device-individualisation at factory end-of-line testing/provisioning or custom software to do dynamic password creation based on a hardware ID both would add several cents to the cost of the device. Not to mention complicating the user setup and needing more manuals printed. Bean counters Do Not Approve of any such things. And large businesses seem completely run by their bean counters these days. Gone are the days of 10-20 year plans and brand protection, now it's all about shuffling the worst piece of junk out the door as quickly and with as high margin as possible.
(Score: 2) by Snotnose on Tuesday April 11 2017, @02:33AM
Got it. But the days of not reading the manual to your TV and making it work are behind us. If you buy a device that can connect to the internet it's on the vendor to give you a fighting chance, and on you to take that chance.
Actually, it's on the vendor. Period. Give every device a unique password and slap a label on the device. Otherwise class action that stupid vendor into obscurity.
When the dust settled America realized it was saved by a porn star.
(Score: 3, Funny) by kaszz on Tuesday April 11 2017, @02:33AM (5 children)
Then the problem is bean counters and that's where the fix energy should be applied. Denial-of-business tend to be effective. Ie all devices stop working when they are plugged in. Hmm.. sounds familiar..
(Score: 2) by Snotnose on Tuesday April 11 2017, @02:49AM (4 children)
Then the problem is bean counters not understanding internet attacks, and not understanding spending an extra $0.03 cents per device keeps your company from being sued into oblivion.
When the dust settled America realized it was saved by a porn star.
(Score: 2) by MostCynical on Tuesday April 11 2017, @03:42AM (1 child)
The hard part will then be *finding* the rigt company to sue.
Shelf company one manages shelf company two, parts manufactured under comtract at company three, all registered in different countries (if registered at all)
And the devices are packed, shipped, and sold by three or more additional companies.
Sue who?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by kaszz on Tuesday April 11 2017, @04:23AM
It's enough to target the company that puts the product on the market. It will make it disappear. Of course another one can sell it but then they also gets taken out. Eventually the cost piles up.
(Score: 3, Insightful) by kaszz on Tuesday April 11 2017, @04:30AM
It's like the Darwin awards for corporations. They don't need to understand, they get wiped out anyway :p
(Score: 1) by nnet on Tuesday April 11 2017, @02:46PM
Are bean counters responsible for risk analysis too?
(Score: 2) by pendorbound on Tuesday April 11 2017, @02:31PM (1 child)
Flashing an individualized default password and printing it on the existing label on the bottom of the device adds nothing to the manufacturing cost or complexity.
Nobody's burning EPROM's in batches & sticking them in sockets these days. There's already an individualization process to burn in serial numbers, MAC addresses, etc. The flash containing the device's default image is burned in-circuit via ICP / JTAG pins on the board. They have to power up, burn, and (hopefully) test each board before it's sent out the door.
The default password doesn't have to be randomized. Basing it on the serial number with a well-known algorithm is fine, as long as nothing accessible without creds will reveal the device's serial number over the network. They already have to match board image with stickers to affix the serial number / MAC address labels.
(Score: 2) by coolgopher on Wednesday April 12 2017, @10:50AM
My point was that it's extra work, deemed unnecessary work. I didn't say it was hard, just that there hasn't been any real incentive so far to do said work, and every ($$$) incentive to *not* do it.