In November, a new package of malicious code started sweeping around the internet, mercilessly destroying, or “bricking,” unsecured Internet of Things devices. Researchers named it “BrickerBot,” as the virus’s only effect seemed to be to completely wipe and rewrite the flash storage of IoT-capable devices, rendering them useless and dead to the world — but also useless and dead to potential hackers. And the program’s alleged creator says that was the whole point, because you should really, really change your damn passwords.
The latest versions, BrickerBot 3 and 4, surfaced last week. Ars Technica reports that the malicious program attacked over 1,400 unsecured devices in less than 24 hours. A hacker, using the fitting pseudonym “Janit0r,” claimed responsibility for the attack to Bleeping Computer last week, and said that they have killed over two million IoT-equipped devices so far.
Like many exploits, BrickerBot hijacks devices on certain networks that still have the default security settings installed — like an admin:admin username/password combination. This kind of lax security is common on IoT devices, which can be attributed to the manufacturers not giving a shit about security, government regulators who don’t force manufacturers to up their security, and the legions of users that buy an IoT device and then don’t bother to secure it.
Hackers use this mass of juicy, unsecured internet-boxes to create massive botnets of linked devices that can be used to launch massive Denial of Service attacks like the one that brought down Spotify, Netflix, and dozens of major websites in October. It’s a huge problem, and the Janit0r’s solution is ruthless, chaotic, and yeah, pretty effective. Here’s what they told Bleeping Computer:
> Like so many others I was dismayed by the indiscriminate DDoS attacks by IoT botnets in 2016. I thought for sure that the large attacks would force the industry to finally get its act together, but after a few months of record-breaking attacks it became obvious that in spite of all the sincere efforts the problem couldn’t be solved quickly enough by conventional means.
> The IoT security mess is a result of companies with insufficient security knowledge developing powerful Internet-connected devices for users with no security knowledge. Most of the consumer-oriented IoT devices that I’ve found on the net appear to have been deployed almost exactly as they left the factory.
If you’re part of that group of negligent consumers, here’s how you lock your shit up: First, make sure you know every device in your house or business that has a connection to the internet. Second, make sure all of those devices are using a customized, strong password that you created and have access to. Depending on the device, setup should be similar to setting up a new wireless network and changing from the default passwords, but googling your specific device or looking in the owner’s manual should help with the specifics. Third, don’t ignore the updates. Hacks often target out-of-date devices, and companies often address bugs and exploits in firmware updates. As Lifehacker notes, you should also consider setting up more advanced options, like fine-tuning your in-home firewall or even making sure all of your connections are going through a virtual private network.
The Janit0r said that nine out of ten devices of a certain type of internet-equipped camera were still using factory settings, which they likened to a car model whose safety features failed ninety percent of the time. While their exploit is certainly going to cause a headache for thousands, if not millions, of consumers that will have to replace or hard-reset their devices, Janit0r thinks desperate times call for desperate measures.