Earlier this month, security researcher Pascal Geenens documented a new type of threat ravaging the Internet of things (IoT). Dubbed BrickerBot, this malware “bricks” or destroys the devices it infects and utilizes the same vulnerabilities used by Mirai in last year’s massive Internet DDoS attack. Although BrickerBot hasn’t reached the status of Mirai, it has gone through several transformations and is becoming more aggressive, attracting the attention of both security researchers and Homeland Security. Continue reading as we discuss BrickerBot and the broader issue of security within the Internet of things ecosystem.

What exactly is BrickerBot?

BrickerBot, like Mirai, is a botnet malware designed to infect a collection of devices. A botnet (a blend of the words “robot” and “network”) is a network of infected devices whose processing power hackers use to take over as many devices as possible to create more botnets, which can then be used to send out spam and carry out DDoS and phishing attacks, among other things. In rare instances, botnet-like malware might actually be used by good or self-identified white hat hackers to fortify systems by adding protections and forcing security updates. Cases like the latter aren’t necessarily acts of charity; these individuals are essentially activists taking matters into their own hands, since most people familiar with cybersecurity know that the Internet can only be secure if the devices accessing it are secure.

BrickerBot is strange in that its behavior doesn’t match that of most botnets, given that it destroys or “bricks” devices. Generally speaking, the purpose of most botnets is to keep infected devices around for as long as possible to harness their power. Also, like most malware, botnet malware is mostly designed to be as inconspicuous as possible so that the device’s owner suspects nothing. Bricking, which is tech lingo for rendering a device inoperable (in other words, making it about as useful as a brick), is as far away as possible from both objectives. This is partly why security experts suspect that whoever is responsible for BrickerBot is likely a grey hat or vigilante hacker. While grey hats often violate laws and ethical standards, they don’t do so for personal gain like so-called black hats or malicious hackers, but instead out of their own sense of justice.

BleepingComputer, which was one of the first outlets to report on BrickerBot, later made contact with a hacker named Janit0r who claims responsibility for the botnet malware. Janit0r told BleepingComputer that BrickerBot was made to remove insecure devices from the Internet as well as to force developers to release more secure devices going forward (or security patches to make the devices more secure). According to Janit0r, BrickerBot’s first course of action is not to brick devices, but to secure them. If it can’t do so, the device is then bricked so that malware like Mirai can’t infect it.

Why are IoT devices so insecure?

BrickerBot and Mirai are far from the only IoT malware that exists. Others like Hajime (Japanese for “beginning”) seem to counter-infect vulnerable devices against threats like Mirai by blocking off the entry-points to the device. While this might come from good intentions, it could potentially introduce new weaknesses into devices because the foreign code could one day be transformed into something malicious. You should know that there are other instances of overtly malicious malware like Mirai that operate on a smaller scale.

All of these IoT malware outbreaks highlight significant weaknesses in IoT systems. Many explanations have been offered for the inherent weakness of these devices, but perhaps two of the biggest are that IoT devices use weak passwords and that they are networked in such a way that their system settings can be accessed remotely through a Wi-Fi network or Bluetooth connection.

An IoT search engine called Shodan (Sentient Hyper-Optimised Data Access Network) illustrates both issues well. Shodan, which is known as the Google of IoT systems, is designed to search for devices that are openly accessible from the Internet due to their poor security settings. Shodan has found many devices, from traffic lights, CCTVs, power plants, IoT cameras and home automation systems to, in one case, a particle accelerator, connected to the Internet in a way that leaked metadata. Worse yet, some of these systems lacked passwords, meaning once they were identified, they could simply be activated from anywhere by anyone.

In other instances, Shodan has also identified systems and devices that are secured, but only with default passwords. These are the passwords that are automatically written into devices when you first turn them on, meaning that anyone who buys the device will know the password. Some security experts have partly put the onus of addressing default passwords on consumers, but for a number of IoT devices, default passwords are hard-coded – they can’t be changed because the manufacturer didn’t intend for them to be changed. However, even when the passwords are modifiable, sometimes it isn’t readily apparent to consumers that devices, like toasters and air fresheners, even need password protection.

What should you do to protect yourself from BrickerBot?

It’s not clear how many devices have been infected with BrickerBot, but Janit0r claims that BrickerBot has targeted over 1 million devices. If you have an IoT device, here’s what you should consider doing:

1. If possible, change your password(s). If you have a smart device, you should consider changing the login information for the device. BrickerBot is equipped with a dictionary that contains only default user names and passwords, meaning that changing your passwords will make it much harder for your device to be infected. Furthermore, if the grey hat motivations that security researchers are ascribing to BrickerBot’s author are true, it’s likely BrickerBot hasn’t infected devices with changed passwords.

2. Limit your device’s Internet connectivity. While many smart devices might need to be “always on” in order for you to get the most out of them, not all do. You should consider limiting your device’s Internet connectivity, especially if you’re not using your device. Simply leaving IoT devices on gives black hats and even grey hats all the more time to take over your device which, regardless of their intentions, isn’t ideal.

3. Install updates often. This is advice we give all the time because it is a tried and true security precaution. Good developers are constantly monitoring their products for threats and sending out consistent updates to fight against known or emerging issues, which means you benefit when you update your software.
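
As an added illustration of step 1 (not part of the original article): because the dictionary holds only default user names and passwords, its login attempts appear as one source cycling through several factory account names in quick succession. The sketch below flags that pattern in a device or router login log; the log format, the account-name list and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a small constructed set of account names often shipped as factory defaults.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest"}
# Assumption: hypothetical log format "<ISO time> login <failed|ok> user=<name> src=<ip>".
LINE_RE = re.compile(r"^(\S+) login (failed|ok) user=(\S+) src=(\S+)$")

# Constructed sample log (documentation and private address ranges only).
SAMPLE_LOG = """\
2017-04-20T03:10:01 login failed user=root src=203.0.113.7
2017-04-20T03:10:02 login failed user=admin src=203.0.113.7
2017-04-20T03:10:04 login failed user=support src=203.0.113.7
2017-04-20T03:10:05 login ok user=guest src=203.0.113.7
2017-04-20T08:15:00 login failed user=admin src=192.168.1.20
2017-04-20T08:15:30 login ok user=admin src=192.168.1.20
2017-04-20T09:00:00 login failed user=alice src=198.51.100.9
"""

def find_default_account_sweeps(log, min_users=3, window=timedelta(minutes=2)):
    """Flag sources that try >= min_users distinct default accounts within `window`."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) in DEFAULT_USERS:
            when = datetime.fromisoformat(m.group(1))
            by_src[m.group(4)].append((when, m.group(2), m.group(3)))
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({u for _, _, u in evs[start:end + 1]}) >= min_users:
                findings[src] = {
                    "users_tried": sorted({u for _, _, u in evs}),
                    # A successful login here means a default account is still usable.
                    "succeeded": sorted({u for _, r, u in evs if r == "ok"}),
                }
                break
    return findings

if __name__ == "__main__":
    for src, report in find_default_account_sweeps(SAMPLE_LOG).items():
        print(src, report)
```

A non-empty `succeeded` list is the case that matters most: the account it names should have its password changed or be disabled, as step 1 advises.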

What lessons can we take away from BrickerBot?

As with many IoT issues, a lot of the takeaways would probably benefit manufacturers more so than consumers, as practices like hard-coded passwords are not something consumers could or should be responsible for addressing. At the same time, these situations do highlight some things consumers should keep in mind going down the line:

  • Anything smart or online needs a password. Every device with Internet connectivity should, at the very least, have a password to prevent unauthorized access. Before buying a device, you should verify that it does not have a hard-coded password (one you can’t change). If you are researching or have already purchased a product that does not mention or specify modifying its password, you should consider tossing it. Keep in mind that this goes not only for IoT devices: your home router, for example, is, in most cases, set to its default password unless you or your Internet provider changed it. Since so much of our lives are online, you’ll want to make sure you take the time to identify Internet-connected devices in your home, even if you don’t have any smart or IoT devices, so that you can verify that you’re not using default passwords on any of them.
  • Don’t rely on manufacturers (or the occasional vigilante hacker) for default security. As BrickerBot and Mirai reveal, security doesn’t necessarily come from manufacturers; it’s something that you have to take into your own hands. If you’re going to opt into IoT technologies, make sure you have some knowledge of the security protocols of manufacturers you’re interested in purchasing from. For example, do they let you set passwords and do they send out updates often? Simply looking at products based on price point or features alone is not sufficient if you’re purchasing an Internet-connected device because usually these devices aren’t secure by default.
