SoylentNews is people
SoylentNews
Researchers have uncovered a rash of ongoing attacks designed to damage routers and other Internet-connected appliances so badly that they become effectively inoperable.
PDoS attack bots (short for "permanent denial-of-service") scan the Internet for Linux-based routers, bridges, or similar Internet-connected devices that require only factory-default passwords to grant remote administrator access. Once the bots find a vulnerable target, they run a series of highly debilitating commands that wipe all the files stored on the device, corrupt the device's storage, and sever its Internet connection. Given the cost and time required to repair the damage, the device is effectively destroyed, or bricked, from the perspective of the typical consumer.
Over a four-day span last month, researchers from security firm Radware detected roughly 2,250 PDoS attempts on devices they made available in a specially constructed honeypot. The attacks came from two separate botnets—dubbed BrickerBot.1 and BrickerBot.2—with nodes for the first located all around the world. BrickerBot.1 eventually went silent, but even now the more destructive BrickerBot.2 attempts a log-on to one of the Radware-operated honeypot devices roughly once every two hours. The bots brick real-world devices that have the telnet protocol enabled and are protected by default passwords, with no clear sign to the owner of what happened or why.
See also this related blog post inspired by this article.
(Score: 2) by pendorbound on Tuesday April 11 2017, @02:31PM (1 child)
Flashing an individualized default password and printing it on the existing label on the bottom of the device adds nothing to the manufacturing cost or complexity.
Nobody's burning EPROM's in batches & sticking them in sockets these days. There's already an individualization process to burn in serial numbers, MAC addresses, etc. The flash containing the device's default image is burned in-circuit via ICP / JTAG pins on the board. They have to power up, burn, and (hopefully) test each board before it's sent out the door.
The default password doesn't have to be randomized. Basing it on the serial number with a well-known algorithm is fine, as long as nothing accessible without creds will reveal the device's serial number over the network. They already have to match board image with stickers to affix the serial number / MAC address labels.
(Score: 2) by coolgopher on Wednesday April 12 2017, @10:50AM
My point was that it's extra work, deemed unnecessary work. I didn't say it was hard, just that there hasn't been any real incentive so far to do said work, and every ($$$) incentive to *not* do it.