
A Teenager's IoT worm is bricking thousands of devices - bifrost
https://www.zdnet.com/article/new-silex-malware-is-bricking-iot-devices-has-scary-plans/
======
Nokinside
If you have seen electric wiring inside houses from the 1920s, that's the state
of IoT and internet connected devices today. Bad things must happen first for
standardization and regulation to happen.

Consumer devices and gadgets are not my main concern. Internet connected
building automation is in a similar sorry state. Someone will do a large scale
apartment automation systems attack, maybe just a single manufacturer is
targeted and as a result 5-15% of apartments go nuts at once. Just messing
with the air conditioning can kill old and sick people until things get fixed.

~~~
tgsovlerkhgsel
Messing with the air conditioning can affect a lot more than just the people
who have the vulnerable IoT air conditioner, if it manages to bring the grid
down.

The grid is able to cope with fluctuations in demand, but that's a totally
different ballgame than switching massive loads on and off, synchronized to
within something like 20 milliseconds (a single 50 Hz cycle), in a controlled,
intentional and malicious way - and potentially worse, the attacker could
observe the grid and react to the countermeasures (e.g. to detect how quickly
the grid reacts, and trigger oscillations in some system never designed to
deal with something like that).

~~~
gowld
Can a thermostat do that? It takes a time scale of ~seconds for my air
conditioner to click on and off.

~~~
spiorf
If your air conditioner clicks on after 3 seconds, you push the button 3
seconds earlier.

------
jeroenhd
I personally see Brickerbot as the IoT version of Shodan. Port scanning and
probing is considered illegal and immoral in many countries around the world
yet Shodan has made the Internet more secure, by opening access to port
scanning and making it impossible for companies to just "hide" new tools.

I'd prefer to see ISPs/governments taking action against dangerous IoT devices
in their network (sending probes to vulnerable devices and blocking Internet
access until the owners of the devices have secured their shit or provide
proof of running a honeypot). We can't really expect such measures from
companies right now, but a tool like Brickerbot might kickstart a movement.

I'd prefer the bot to just change the password and disable vulnerable services
though (which still might brick devices if their web servers are vulnerable).
Still, I do believe that any device that has fallen to Brickerbot would have
fallen to any other botnet within days anyway, so the botnet is not inherently
bad in my opinion.

This problem should start disappearing as soon as legislation is introduced by
governments to make the parties producing software or hardware responsible for
the stuff they dump on the open market. Until then, steps have to be taken to
stop DDoS attacks as they are getting worse and worse.

~~~
autoexec
> Port scanning and probing is considered illegal and immoral in many
> countries

Do you know of a country where this is true? I know there are some broadly
worded laws in England against the use of "hacking tools" but there are so
many legitimate uses of port scanning that it'd be hard to explain why a port
scanner is any more of a hacker tool than traceroute is.

~~~
fyfy18
In the UK it's not illegal per se, but if you go by the letter of the law you
could be convicted under the Computer Misuse Act for it. But at the same time
you could be convicted for sending an HTTP GET request to a server you don't
have permission to access - this law is rather broad.

I'm not sure if there's even been a case to test it though, and as the general
population becomes more tech savvy it seems unlikely such a conviction would
be made for port scanning on its own.

------
devoply
If they can be bricked, perhaps they should be bricked. Maybe this is
something we should encourage going forward to encourage security for IoT?
Maybe we should hold a Brickcon where security researchers try to develop ways
to brick any insecure devices before they become a threat.

~~~
avian
No vigilante justice required. Just make the companies liable for the damage
they cause when their products turn into a botnet.

Why can't products have a "declaration of security", like they have for EMI
compatibility, safety standards and other such things? Declare that the
manufacturer has taken reasonable steps to make the device secure and is
liable for damage if that turns out to be untrue.

~~~
jon-wood
We're moving in that direction in the UK. There's no legislation around it
yet, but the government recently published the snappily named Code of Practice
for Consumer IoT Security[1], which, if rumours I've heard are correct, they've
basically published saying manufacturers can either voluntarily comply, or
they can deal with it becoming legislation in the future.

When I first heard about it I was pretty dubious given the government's track
record on regulating technology, but it's actually a really solid document,
covering 13 guidelines which are specific enough to be useful, while not going
deep into technical detail which will go out of date:

1. No default passwords

2. Implement a vulnerability disclosure policy

3. Keep software updated

4. Securely store credentials and security-sensitive data

5. Communicate securely

6. Minimise exposed attack surfaces

7. Ensure software integrity (this is probably my least favourite guideline,
as it basically says you should check signatures on all firmware, by extension
shutting down people's ability to control their own hardware with custom
firmware)

8. Ensure that personal data is protected

9. Make systems resilient to outages

10. Monitor system telemetry data

11. Make it easy for consumers to delete personal data

12. Make installation and maintenance of devices easy

13. Validate input data

[1] (PDF)
[https://assets.publishing.service.gov.uk/government/uploads/...](https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/773867/Code_of_Practice_for_Consumer_IoT_Security_October_2018.pdf)

~~~
TeMPOraL
Oh yes. I'd push back hard on 7. Otherwise, it's a really solid list of
guidelines and I love it.

WRT 7, forcing secure boot is overkill and pretty anti-consumer, IMO. There
_really_ needs to be a provision allowing for user-initiated software changes.
If you're from the UK, please let them know via e-mail to:
securebydesign@culture.gov.uk.

I was worried about 10 (I don't really like the vendor collecting _any_
telemetry on my IoT devices), but the actual document is more reasonable than
the headline makes it sound - it's "_if_ you're collecting telemetry - and
keep in mind point 8 - then monitor it for security anomalies".

~~~
pessimizer
I'm going to be very cynical and say that 7 is the only reason this
legislation is being pushed, and that's the reason it's in the middle,
surrounded by boringly reasonable stuff.

More cynicism says that it will require IoT devices to be closed source in
order to get a signature, and require government access and audit on running
devices (to confirm integrity.) That may secretly be the backdoor clause. I'm
probably wrong, but the UK government is fully committed to total
surveillance, and the opposition either has no position or tacitly supports
it.

~~~
rightbyte
How many firmwares on consumer non-PC products have you ever custom flashed?
Zero for me at least, unless we count an Xbox.

If manufacturers would like to add some signature checking chip they can
already do that.

I wouldn't be too cynical, unless they make it illegal to modify the firmware.

------
jcims
The original title would be good enough for this story imho.

Worked in a bug bounty program for a spell, there are some young folks out
there with borderline scary levels of talent and tenacity. Making this about
the age of the person doesn't really add anything. (This is coming from a
relative dinosaur, so maybe I'm just age-sensitive haha)

~~~
notyourwork
In high school and middle school you also have a lot more flexibility to
devote a substantial amount of time to this type of stuff. You are right, it
can result in really technically literate individuals.

------
rimliu
One of my favorite tidbits found on the HN was this:

    The 'S' in 'IoT' stands for 'Security'

Alas, I do not remember whose comment was that.

~~~
0xfffafaCrash
I think this may have originated with Oleg Šelajev's tweet[0]

[0]
[https://twitter.com/shelajev/status/796685986365325312](https://twitter.com/shelajev/status/796685986365325312)

~~~
rimliu
I think you are right!

------
prewett
I'm going to suggest that maybe this is a good thing. If the worm is really
good at its job, it can take out all those zombie IoT devices that are being
used for botnets. And it maybe it will act as a wake up call to consumers,
regulators, and, perhaps, companies.

Not that I condone destroying people's property to accomplish that, but at
least there is a potential upside.

------
wjnc
.. But is it a parthenogenetic worm?

I recently read the Shockwave Rider [1] in which the word 'worm' was first
coined, thanks to the discussion on HN [2] on Stand on Zanzibar. Can recommend
both books for those into SciFi and would like to thank the community.

[1]
[https://en.wikipedia.org/wiki/The_Shockwave_Rider](https://en.wikipedia.org/wiki/The_Shockwave_Rider)
[2]
[https://news.ycombinator.com/item?id=19879830](https://news.ycombinator.com/item?id=19879830)

------
BorRagnarok
Great article, but for the Iran smearing. Come on zdnet, you know better. Out
of the thousands of IP addresses related to this attack, including a command
and control center etc, whilst knowing that an attack from a VPN in Iran does
in no way prove that the attacker is indeed from Iran or even Iranian, still
you managed to insert a whole paragraph titled "Attacks carried out from
Iranian server" in there, even though the researcher says the IP only
"appears" to be from Iran, and he describes one (1!) attack from that IP. This
wasn't even the command-and-control server.

And that 14-year old is living in Europe, not Iran.

Please leave the propaganda out of your tech news, zdnet.

~~~
campuscodi
Hey,

I'm the ZDNet reporter who wrote the story.

What in God's green earth are you talking about?

The article says the hacker's server is rented from an Iranian company. And
yes, despite your ignorant claims, the IP address is the C2 server.

What imagined propaganda are you talking about?

~~~
woah
Regardless of the importance of the Iranian IP to the operation, it is of very
little significance to the story. Mentioning it only really serves to act as
clickbait for people who don’t understand that it’s possible to stand up a
server anywhere in a few minutes, and who are predisposed to think that an
Iranian IP makes everything extra ominous.

~~~
bifrost
The Iranian IP is important because it means it's unlikely that we'll ever get
any data from the server. If it was in the US or EU, it's much more likely we
could subpoena it and figure out more about what's going on.

I read the article a few times and I don't think there is any anti-Iran
sentiment in it at all.

------
kuon
I did a few stupid things when I was around this age, but the Internet was
nearly non-existent so it was mostly within LANs.

I agree that IoT is a real problem, and I fear people will realize too late,
with an accident or something, but this kid should have known better;
depending on how it unfolds he could be in trouble.

------
dvfjsdhgfv
That's excellent. People still don't realize what the consequences of the so
called "IoT" are - and the sooner they do, the better.

~~~
SubiculumCode
That's harsh, but probably spot on. Better to have the fear instilled while it
is more of a PITA than a national catastrophe.

------
chrismatheson
I’d love to read this article, but it’s so covered with ads and shit I can’t.
Reader mode is usually my saviour in this situation, but it’s not working in
this site.

------
reshie
"It's using known default credentials for IoT devices to log in and kill the
system"

Basically it's like knowing a computer's root password with remote access,
apparently from anywhere. It looks pretty simple but effective, and many IoT
devices are known for their lack of, or lacking in, security measures.

------
b_tterc_p
I do wonder... manufacturers aren’t liable if you allow your device to be
bricked by third parties. But if such attacks were so extremely normative and
carried out in such a way that they informed the user why they are possible...
could the manufacturers become liable to address it?

------
noonespecial
Would be way better if the worm reported back which devices were vulnerable
(for naming and shaming) as it found them instead of ruining peoples' stuff
just to make a point (or worse, plain lulz)

~~~
iforgotpassword
So what would that look like? You found some vulnerable webcam, great now you
can add its IP address to your public shaming list. That'll teach that random
farmer somewhere in Iowa. Listing the device name and count wouldn't do
anything; the vulnerability is already known otherwise the worm wouldn't
exist... And either the manufacturer doesn't care, or there's an update and
nobody cares.

If otoh you brick the device in a way that requires flashing via JTAG and
suddenly have hundreds of people all over the country return their broken
webcam to WalMart you make a little more impact. The thing is, it would have
to keep happening for stores to start noticing a pattern and start caring. If
it was a one time thing it might be cheaper for them to just throw them in the
trash and hand out new ones or refund.

------
blue_devil
>It's expected that some owners will most likely throw devices away, thinking
they've had a hardware failure without knowing that they've been hit by
malware.

And... more trash. Ugh

~~~
SmellyGeekBoy
Hopefully a lot of these devices are still under warranty and will be
returned, but yeah...

~~~
OJFord
That's surely just adding miles to the journey, I doubt a returned bricked
device is getting repaired or salvaged for parts by the OEM.

~~~
icebraining
According to the article, it just needs a firmware reflash, so I don't see why
a manufacturer couldn't repair it and return it to the customer.

~~~
cameronbrown
Money - not to mention these devices will just get re-bricked. They have to
fix the fundamental problem first.

------
PhilDunphy23
I always asked myself this question: does this kind of attack try to
authenticate to every single IP address (for loop, excluding ranges from
Google, Microsoft, Apple...) or does it penetrate the victim network first by
executing some random file from the internet that the victim downloaded?

------
oytis
> Who's behind the Silex malware?

Maybe people who set the same password on the whole fleet and don't make the
user override it?

Come on, you can't take the responsibility from well-paid incompetent
professionals and put it on a teenager from a third-world country.

------
bcheung
Which IoT devices does this affect? Is it just devices that run Linux and have
an exposed SSH? Wondering if things like the Particle.io / Obniz / ESP8266 are
affected.

~~~
ViViDboarder
The article says the kid wants to add SSH later and suggests that it uses
telnet today.

------
wjp3
VLAN your devices, and deny any outside route, if you can.

------
deanclatworthy
Interesting that this “worm” just bricks the devices instead of repurposing
them to attack targets autonomously.

------
cs02rm0
What are the devices? Are all my lights going to turn off?

~~~
wattengard
If your light is exposed to the internet and uses default security, maybe...

~~~
cs02rm0
I was joking, but it's sort of my point - who's exposing IoT devices to the
internet?

~~~
martin__
All IoT devices are exposed to the internet by design. That's what the "I"
stands for, Internet.

~~~
henryfjordan
But are they addressable?

My IoT devices are on my network but you would need to get yourself inside my
network to talk to them. I'm not exposing ports for my lights...

------
Groxx
A quote from not the current worm's author, but the author of the worm that
may be the inspiration for the current one:

> _The BrickerBot author argued that it would be better if the devices were
> destroyed, rather than sit around as cannon fodder for DDoS botnets, and
> haunting the internet for years._

... yea, broadly I'd agree. IoT vendors are causing a tragedy of the commons,
inflicting quite a lot of damage without feeling any of the pain because it
hits others.

It's the sort of thing that should be addressed by legislation of some kind,
but absent that (which includes nearly all international cases)... what else
can you do to stop the worst offenders?

~~~
mcv
What would be really nice is if a worm like this patched the crappy security
of those IoT devices, but I guess that's too hard. With the question being
either bricking them or allowing them to become part of a botnet, I guess the
world might indeed be better off with vulnerable IoT devices getting bricked.
But boy, it's really a marginally lesser evil.

Let's hope this forces manufacturers to improve their security. That's the
main good that needs to come out of this.

~~~
icebraining
Patching is just a subsidy for the manufacturer. This malware just soft-bricks
(the device can be restored by reinstalling the firmware), so it inflicts a
cost without generating extra garbage. Sounds great to me.

~~~
mcv
With the risk that the owner just throws it out and buys a new one. Possibly
even from the same manufacturer.

~~~
zwily
From that perspective, would the vendors even be motivated to fix it? Hmmm...

~~~
deadbunny
When the 2nd device bricks within a week then yeah, the online shitstorm would
engulf them.

------
dang
Url changed from [https://boingboing.net/2019/06/25/teenaged-kicks.html](https://boingboing.net/2019/06/25/teenaged-kicks.html), which
points to this.

~~~
bifrost
TBH I trust Boingboing's integrity more than zdnet but I truly appreciate the
transparency!

~~~
tomhoward
I think it's more that the original source is preferred, out of respect to the
producer of that content, rather than a "reblog" that doesn't add much
substantive new info. BoingBoing is great, and plays an important role, but
that role seems mostly to surface stories from elsewhere, highlight the key
points and add its own editorial take, rather than generating original
content.

------
kahlonel
Funny how they believe that he is actually a teenager. Like the creator will
reveal his real age.

------
eleitl
He's doing $deity's work. The Internet of shit needs to be culled, before it
can wreck more damage.

~~~
Glyptodon
wreak?

