
New Silex Malware is Bricking IoT Devices, Has Scary Plans

A new strain of malware is wiping the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017. From a report: Named Silex, this malware began operating earlier today, about three-four hours before this article's publication. The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later. Attacks are still ongoing, and according to an interview with the malware's creator, they are about to intensify in the coming days. According to Akamai researcher Larry Cashdollar, who first spotted the malware earlier today, Silex works by trashing an IoT device's storage, dropping firewall rules, removing the network configuration, and then halting the device. It's as destructive as it can get without actually frying the IoT device's circuits. To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners.
  • by mark_reh ( 2015546 ) on Tuesday June 25, 2019 @03:47PM (#58823572) Journal

    "To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners."

    Now if someone could gather all the devices that are going to get trashed and reload their firmware, he might make a few $.

    • Comment removed based on user account deletion
      • by gweihir ( 88907 )

        If the author was smart, he'd hijack all the IOT devices and have them mine Bitcoin.

        You mean if the author was a self-absorbed egotistical asshole. Not everybody is like you...

    • by gweihir ( 88907 )

      As this probably involves opening the device, the cost of doing this as a service will likely be higher than buying a new piece of IoT trash. I would do it for my own device (if I had any IoT crap), but I count the time spent learning things as an additional benefit.

      • Yes. The last sentence of the summary should read "victims must manually reinstall the device's firmware, a task the manufacturers make too complicated for the majority of device owners."
  • YAY!!!!!!!! Die IoT die.
  • by Gravis Zero ( 934156 ) on Tuesday June 25, 2019 @03:50PM (#58823600)

    BrickerBot took down millions of devices and I don't think anyone here was even affected. Get back to us when it breaks 500K.

  • by ZorinLynx ( 31751 ) on Tuesday June 25, 2019 @03:52PM (#58823610) Homepage

    Bricking devices that might otherwise get compromised and be used as members of a botnet is probably doing us all a favor in the end.

    Who the heck puts IoT devices directly on the Internet with a public IP address anyway? Seems that'd be asking for trouble.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Came here to post something similar, but you beat me to it.

      It sounds like this malware is doing the world a service. It isn't acting as spyware or ransomware. It's just knocking devices offline that shouldn't have been online to begin with.

    • Re: (Score:2, Insightful)

      by DRJlaw ( 946416 )

      Bricking devices that might otherwise get compromised and be used as members of a botnet is probably doing us all a favor in the end.

      So does beating the people who spout this idiocy into pulp, but it'd still get one arrested because the ends do not justify the means, moron.

      • So does beating the people who spout this idiocy into pulp, but it'd still get one arrested because the ends do not justify the means

        Normally I'd be the first to agree, but in this case I'll allow it.

    • Bricking devices that might otherwise get compromised and be used as members of a botnet is probably doing us all a favor in the end.

      Who the heck puts IoT devices directly on the Internet with a public IP address anyway? Seems that'd be asking for trouble.

      My thoughts exactly. How are these devices getting a public IP? I'd imagine that the vast majority of them are on home networks, using NAT behind a single IPv4 address. Although, maybe if they're using UPnP to open up public facing ports to the internet, that may be the attack vector?

      • by jrumney ( 197329 )
        Or perhaps they are attacking through a manufacturer's portal. Are all 2000 of the affected devices from the same manufacturer (even if the brands are different, they may all trace back to the same IoT module supplier in China).
    • by Zocalo ( 252965 ) on Tuesday June 25, 2019 @05:05PM (#58824004) Homepage
      Realistically, given the amount of IoT scanning/exploiting going on and that Silex is currently only targeting Telnet (not sure if that's just port 23, or other IoT obfuscation favourites like 2323), any devices that are vulnerable to Silex at present are probably *already* part of a Mirai/Satori/whatever family botnet. In that light, the odds are pretty high that Silex isn't just removing vulnerable devices from the Internet, it's actually removing *compromised* devices from the Internet.
    • by gweihir ( 88907 )

      Well, it is a nice synergy between absolutely incompetent manufacturers and absolutely incompetent customers. Usually takes two major faults for things this bad to happen. Oh, and it may well be an utterly dumb and demented idea like UPnP in the mix as well. After all, most people have a router and most routers do not forward connections from the outside to anything on the inside by default. That makes three major screw-ups.

    • The author of this benevolent software has done the world a favor. Perhaps Congress will award him a medal.

  • by bjwest ( 14070 )
    How's that internet connected light bulb now? Kinda leaving you in the dark, huh?
  • by Gravis Zero ( 934156 ) on Tuesday June 25, 2019 @03:54PM (#58823626)

    If you really want to permanently brick devices then all you have to do is endlessly write to the FLASH memory to actually wear out the chip. After a month or so of running, the FLASH memory will be unable to hold data permanently and reflashing the device will not help.

    • You don't need to capitalise it.

      • Version 2 incoming

        • Version 2 will come along when IPv6 becomes common.

          Right now, most of these cheap and terrible Internet of Things (IoT) devices are in people's homes, and these are in the main going to be on domestic broadband. This typically has one IPv4 address set by DHCP, with a NAT router supplied by the broadband supplier; this router is typically set to hide all NAT addresses from the public Internet. This means that the vast majority of these insecure rubbish IoT devices are hidden from the malware.

          IPv6 has vastly

    • Sure, but these folks aren't trying to destroy hardware, they're just trying to solve a problem of misconfigured software. The owner doesn't configure it, and it's a problem for everyone. I wouldn't do it, but I'm pleased to see someone else do it.

    • No they are permanently bricked. We're talking about toys in a throwaway society. They will all be landfilled. When they can't boot.

  • by duke_cheetah2003 ( 862933 ) on Tuesday June 25, 2019 @03:57PM (#58823654) Homepage

    Malware wrecks insecure devices. The internet is made a better place.

    Thank you!

  • What devices? (Score:5, Insightful)

    by SuperKendall ( 25149 ) on Tuesday June 25, 2019 @04:15PM (#58823752)

    I skimmed the actual article, and still don't understand what devices are actually at risk - I mean, it seems like by now there are quite a lot of IOT devices. Is it lightbulbs? Toasters? Garage door controllers? What the heck is at risk here?

    Thankfully I have a cloud of TWI (ThingsWithoutInternet) so I'm not really sweating over this, but I'm still curious...

    • Re:What devices? (Score:5, Informative)

      by dissy ( 172727 ) on Tuesday June 25, 2019 @04:40PM (#58823874)

      I skimmed the actual article, and still don't understand what devices are actually at risk

      Anything running telnet that gives a bash shell using root passwords in the DPL for various IOT devices on the market.

      From the article:

      "It's using known default credentials for IoT devices to log in and kill the system
      It's doing this by writing random data from /dev/random to any mounted storage it finds.
      I see in the binary it's calling fdisk -l which will list all disk partitions, It then writes random data from /dev/random to any partitions it discovers.

      It's then deleting network configurations, [...] also, it's [running] rm -rf / which will delete anything it has missed.

      It also flushes all iptables entries adding one that DROPS all connections. Then halting or rebooting the device

      It's targeting any Unix-like system with default login credentials
      The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix like OS.

      This also means Silex will trash Linux servers if they have Telnet ports open and if they're secured with poor or widely-used credentials."

      • Comment removed based on user account deletion
      • by Anonymous Coward

        If it's using /dev/random then that is going to be one incredibly slow overwrite. /dev/random is slow even on a "big" machine. On an IoT device there is practically no entropy at all. Be lucky to write 32 bytes an hour.

        • by dissy ( 172727 )

          Yea, no idea why they don't just use /dev/zero
          These things use nand flash for storage. It isn't like someone is going to pay tens to hundreds of thousands of dollars for data recovery services on a sub-$100 device
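The quoted Akamai description above (fdisk -l, /dev/random written to every partition, network config deleted, iptables flushed down to a DROP rule, rm -rf /, then halt) is a concrete enough command sequence that a defender can match it in a captured telnet session. The following is an added example for this thread, not code from the report, from Akamai, or from Silex itself; the indicators encode only the behaviour the quote describes, plus the /dev/zero and dd variants dissy mentions as the obvious alternatives. The transcript it runs over is constructed for the example and 192.0.2.10 is a documentation address, not a real device.

```python
"""Flag a Silex-style destructive command sequence in a captured shell
(telnet) session transcript.

Added example; not code from the quoted report, Akamai, or Silex. The
indicators cover only what the quote describes (fdisk -l, /dev/random to
partitions, network config removed, iptables flush + DROP, rm -rf /,
halt/reboot) plus /dev/zero and dd as equivalent wipe methods.
SAMPLE_TRANSCRIPT is constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Indicator name -> regex applied to each individual command, after the
# command line has been split on ';', '&&' and '||'.
INDICATORS = {
    "enumerate_partitions": re.compile(r"\bfdisk\s+-l\b"),
    "overwrite_block_device": re.compile(
        r"\bcat\s+/dev/(?:u?random|zero)\s*>\s*/dev/(?:sd|hd|mmcblk|mtdblock)\w*"
        r"|\bdd\b(?=.*\bif=/dev/(?:u?random|zero)\b)"
        r"(?=.*\bof=/dev/(?:sd|hd|mmcblk|mtdblock)\w*)"
    ),
    "network_config_removed": re.compile(
        r"\brm\b.*/etc/(?:network\b|sysconfig/network|resolv\.conf)"
        r"|\b(?:ifconfig\s+\S+\s+down|ip\s+link\s+set\s+\S+\s+down)\b"
    ),
    "firewall_flush": re.compile(r"\biptables\s+(?:-t\s+\S+\s+)?-F\b"),
    "firewall_drop_all": re.compile(
        r"\biptables\b.*(?:-[AI]\s+INPUT\b.*-j\s+DROP\b|-P\s+INPUT\s+DROP\b)"
    ),
    # 'rm' with an -r style option whose sole target is '/' itself.
    "rm_root": re.compile(r"\brm\s+(?:-\S*\s+)*-\S*r\S*\s+(?:-\S+\s+)*/\s*$"),
    "halt_or_reboot": re.compile(r"^\s*(?:halt|reboot|poweroff)\b|\bshutdown\s+-[hr]\b"),
}

# A line is a typed command if it starts with an optional user@host:dir
# prompt followed by '#' or '$' and a space; everything else is output.
PROMPT_RE = re.compile(r"^(?:\S+[@:][^#$]*)?[#$]\s+(.*\S)\s*$")


def extract_commands(transcript: str) -> list[str]:
    """Return the individual commands typed in the session, in order."""
    commands = []
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line)
        if not m:
            continue
        for part in re.split(r"\s*(?:;|&&|\|\|)\s*", m.group(1)):
            if part.strip():
                commands.append(part.strip())
    return commands


@dataclass
class Report:
    hits: dict = field(default_factory=dict)  # indicator -> matching commands
    verdict: str = "benign"

    def count(self, name: str) -> int:
        return len(self.hits.get(name, []))


def analyze_transcript(transcript: str) -> Report:
    """Match every command against the indicators and grade the session."""
    report = Report()
    for cmd in extract_commands(transcript):
        for name, rx in INDICATORS.items():
            if rx.search(cmd):
                report.hits.setdefault(name, []).append(cmd)
    # A raw write to a block device or rm -rf / is the wipe itself; tearing
    # down the network or firewall without a wipe is still worth a look.
    if report.count("overwrite_block_device") or report.count("rm_root"):
        report.verdict = "destructive_wipe"
    elif report.count("firewall_drop_all") or report.count("network_config_removed"):
        report.verdict = "suspicious_network_teardown"
    return report


# Constructed sample: a BusyBox telnet session following the quoted report.
SAMPLE_TRANSCRIPT = """\
Trying 192.0.2.10...
Connected to 192.0.2.10.
login: admin
Password: 
BusyBox v1.22.1 built-in shell (ash)
# fdisk -l
Disk /dev/mmcblk0: 3.7 GiB, 3909091328 bytes
Device         Boot Start     End Sectors  Size Id Type
/dev/mmcblk0p1 *     2048  133119  131072   64M 83 Linux
/dev/mmcblk0p2     133120 7634943 7501824  3.6G 83 Linux
# cat /dev/random > /dev/mmcblk0p1
# cat /dev/random > /dev/mmcblk0p2
# rm -rf /etc/network/interfaces /etc/resolv.conf
# iptables -F; iptables -A INPUT -j DROP
# rm -rf /
# halt -f
Connection closed by foreign host.
"""

if __name__ == "__main__":
    r = analyze_transcript(SAMPLE_TRANSCRIPT)
    print(r.verdict)
    for name, cmds in r.hits.items():
        print(f"  {name}: {cmds}")
```

Run it against a transcript from your own telnet honeypot or from a device's session log; on the constructed sample it returns the verdict `destructive_wipe` with two block-device overwrites, one `rm -rf /`, and the firewall flush and DROP rule, while a session that only runs `fdisk -l` and cleans a directory under /tmp stays `benign`.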

    • by Zocalo ( 252965 )
      The criteria are pretty broad. Anything exposed on a public IP that has a *NIX like CLI shell on a port that Silex is scanning for and configured with a set of (probably mostly default) login credentials that Silex is configured to try when it finds a responding IP/port combination. If a resulting shell accepts enough of the commands Silex feeds it, then we're looking at reboots or hard resets/firmware updates to recover, or potentially the device being permanently bricked.

      Like BrickerBot, we can probab
    • "IoT devices" 99% means "NVRs, DVRs, and IP cameras." Yep. Security devices are the source of insecurity.
  • by Anonymous Coward

    This is not BRICKING a device.
    Bricking is when it is ruined and as useful as a brick. It is unrecoverable to a working state.

    This is simply wiping the storage and rebooting.

    • by jrumney ( 197329 )

      This is simply wiping the storage and rebooting.

      For all intents and purposes, this is exactly what bricking is. Sure, if you have a soldering iron and 3.3V TTL serial adapter handy you can reflash the firmware, but that is the case for most bricks (unless they use SecureBoot, then the barrier to unbrick becomes much higher).

    • from TFA, it's effectively the same: "It's as destructive as it can get without actually frying the IoT device's circuits. To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners. It's expected that some owners will most likely throw devices away, thinking they've had a hardware failure without knowing that they've been hit by malware."
  • Telnet with default credentials? It doesn't even log in via SSH. Who cares? Who has boxes like that?
    • by ahodgson ( 74077 )

      Pretty much everyone with "smart" lightbulbs, power outlets, security cameras, and thousands of other crapware things that should never be connected to a public network ever.

      • by jrumney ( 197329 )
        Smart lightbulbs and power outlets mostly do not have default telnet ports open, and they are definitely not running a Unix like operating system with iptables and bash scripting available for this attack. Security cameras maybe, along with TVs and smart speakers and IoT hub devices are more likely targets.
    • by Zocalo ( 252965 )
      A surprisingly large number of people who have IoT devices. You're presumably familiar with the meme about what the "S" in IoT stands for, right?
      • by Anonymous Coward

        "what the "S" in IoT stands for, right?"

        Yeah it stands for "secure" and as you can see, it isn't there.

        But be aware, if you explain things to an average person like this they will immediately know you are fucking with them. Then they will go out and buy every IoT device they can get their hands on just to spite you.

  • Makes me remember when I was doing a project on the then new IBM PC back in late 1981 or early 1982. Things were new and undocumented and there were three OS's for it that were available but none had anything beyond simple terminal support and we needed to interact with the hardware to do what we wanted. We spent a lot of time disassembling the BIOS and probing with a logic analyser to find what was where and how to use it. At the time only the green text display was available and mass storage was limited t
    • At the launch of the IBM PC the Technical Reference Manual was available for sale. It not only had schematics of the whole machine, including the Tandon Floppy Drive, it also had a printout of the commented source code for the BIOS and all BIOS extensions on addin cards. What, pray tell, were you reverse engineering? The BASIC roms? Those were closed source from Microsoft, but certainly not the BIOS. Or are you just being nostalgic? I know for a fact that the AT&T 6300 also had a similar techref manual

  • Iffy reporting. (Score:5, Interesting)

    by SuricouRaven ( 1897204 ) on Tuesday June 25, 2019 @04:29PM (#58823828)

    1. Reporter discovers new attack when it's barely even begun, with under a thousand devices compromised.
    2. Article does not list any details of affected devices, other than saying that it's a default credential attack.
    3. Reporter, in no time at all, is able to track the author, establish contact, confirm identity and carry out an interview.

    The malware doesn't appear to even be self-replicating. It's nothing but a script that searches for vulnerable devices, logs in, and runs some bash commands intended to trash everything.

    • Yeah.

      Sounds like grandstanding to me.

      Where are all the blokes who would get in line to verify this?

    • by ebvwfbw ( 864834 )

      And yet it still managed to make it onto /.

      Didn't say it overwrote the firmware. Just disabled the FW and removed the networking.
      Just turn it off and on, should come right back with default config... though they don't seem to know that. Maybe this is being mistaken for the firmware? I have ICT (Internet Connected Technology) and I don't have FW to those devices. They're Cameras, They're sensors in the yard for rain, etc.

      Sounds like BS

      • It overwrites all block device partitions, according to the article. That may or may not overwrite the firmware, depending on how the device is designed. IoT stuff is made to be cheap and mass-produced, which often means eMMC, which would be overwritten by such a crude method. A flash chip is actually cheaper than an EEPROM, and sticking a full-blown Linux on a camera means you can hire cheap developers and use existing software, saving the cost of hiring expensive embedded software engineers.

  • Devices that aren't at high risk of theft or "I got temporary physical access so I'm going to reset it so I can hack it" should have a factory-reset button.

    For everything else - thing phones and laptops - you might consider erase-and-bricking a feature - if a bad guy can remote-perma-brick it, so can you, which is a strong theft deterrent for a lot of things.

    Even these devices should have a part that can be removed and replaced by the factory if the device is expensive. For example, I might not want a rese

    • by 93 Escort Wagon ( 326346 ) on Tuesday June 25, 2019 @05:18PM (#58824090)

      Devices that aren't at high risk of theft or "I got temporary physical access so I'm going to reset it so I can hack it" should have a factory-reset button.

      Definitely - such as the factory reset for "C by GE" light bulbs [youtube.com].

      Important note: No matter how ludicrous you think it is, that video is not intended as a joke.

      • by davidwr ( 791652 )

        Okay, which would you rather have if you are buying a fancy network-connected light bulb that probably cost you more than $15 just for the bulb?

        * One that if it were remotely bricked or otherwise hacked, you would probably throw away as useless or possibly worse
        * One that you could reset, even if it was using a cumbersome procedure like the one in the YouTube video

        • How about a third option?

          * One you can intentionally reset in a straightforward and simple manner, without having to worry about accidental resets

          For example, a recessed reset switch you can access with the end of a paper clip. It’s a design that’s been around for many years and used on many devices - and it works well.

      • by gweihir ( 88907 )

        Incredible. Obviously somewhat intelligent engineers with no wisdom at all. Alternatively, this was forced on them by "management". Probably the second.

  • This one is actually Linux malware, bois. How, you may ask, can some bot crack Linux? Answer: default login credentials. Ah, a hole in Linux indeed! Tunnels straight through the idiot manufacturer's brain damaged skull. Come on guys, let's have a proper login setup on install or initial boot, including the usual password strength metrics, like any halfway responsible distribution should do.

    Anybody using IOT: we didn't say told ya so, not in so many words, not precisely exactly that. Now be good and go check

    • by gweihir ( 88907 )

      I especially like the version where you can change the password in the GUI, but the telnet port still allows you to log in with the default credentials.
      These people are not engineers. They are not even technicians. They are some random incompetent fuckups.

  • >"The malware had bricked around 350 devices ..."
    > "It's as destructive as it can get without actually frying the IoT device's circuits. To recover, victims must manually reinstall the device's firmware"

    By definition, that is not "bricking" a device. A "bricked" device is one for which the owner/user cannot resurrect the device, not that it is just difficult or obscure to recover. Otherwise, it is just "disabling" or "wiping" the device.

    Anyway, not sure how I feel about it. On the one hand, it is a

    • Comment removed based on user account deletion
      • by gweihir ( 88907 )

        Well, the law is not about right or wrong, it is about keeping the population under control, the rich and powerful in power and keeping society somewhat functioning. It also has a marketing/propaganda component, where some laws are passed to keep up the appearance that the law serves the people, not the other way round as the set-up actually is.

        So, illegal? Yes. The right thing to do and these people should be given a medal? Very much so.

    • If you wipe the firmware, it's bricked. There are ways to maybe fix that, but it's a lot deeper than even most technical experts can do - you've got to reverse-engineer the device, locate the flash chip, attach specialised electronics to the appropriate pins - if you're lucky there will be a header, otherwise you'll be soldering to pins on a SMD chip - and write a new image. An image which won't be available in the appropriate format from the manufacturer, and so will have to be read from an intact device th

    • If you have to do it from the JTAG, it is as good as bricked.

      • >"If you have to do it from the JTAG, it is as good as bricked."

        I agree, but the summary says "To recover, victims must manually reinstall the device's firmware" and then says "Silex works by trashing an IoT device's storage, dropping firewall rules, removing the network configuration, and then halting the device." Which actually says nothing about trashing or corrupting the firmware, just the stored settings. This strongly implies just a reset or firmware reinstallation, not disassembly and using spec

    • by gweihir ( 88907 )

      This is about the "user + device" hybrid system. If the typical user is incapable of unbricking the device (and the very existence of the term "unbricking" already nicely shows the error in your reasoning), then it is considered bricked in standard use of the term.

      Incidentally, by your definition, bricking would be pretty much impossible, as there are always people that can unbrick almost anything. For example, I can not only solder in serial connectors (if headers or pins on the chip are present), I can re-

      • >"This is about the "user + device" hybrid system. If the typical user is incapable of unbricking the device, then it is considered bricked in standard use of the term."

        Then we could "brick" most consumers devices by just unplugging the cables to them :)

        Perhaps we are all too stuck on semantics at this point.

        • For any device with no mouse, keyboard, and monitor attached, if power cycling does not fix, it is bricked. An iPad can be bricked. A PC can't.
  • The fewer IoT devices, the better.

  • IoT on a good day is about data collection, on every other day it's data collection, DDoS botnets, and spam endpoints.
  • When ROM was read only...

  • don't need an internet of most things, useless toymaking.

  • How does this Silex malware get onto the devices in the first place, without user action or using the default factory set password.
    • by gweihir ( 88907 )

      They are internet reachable (first mistake), and they have generic vulnerabilities that never get fixed (second mistake). Some also use default-credentials (third mistake). According to the referenced article, it is default credentials this time. It may well be some others, as the "designers" of IoT software are the bottom of the barrel. One wonders how these people manage to switch on a PC.

      Basically, they get infected because every rule of IT security gets ignored or implemented incompetently.

  • Honestly, as much as I would hate to be a victim of this, I think in the end it will end up taking a lot of the insecure devices off the internet and force people and manufacturers to pay more attention to security of these sorts of appliances.
    • by gweihir ( 88907 )

      Actually, should I ever be a victim of this, the next thing is that I will check is where I screwed up in my firewall configuration.

  • With the extreme incapability and incompetence of the IoT industry, the trash they have been pushing to consumers has become a severe threat. The law-makers have proven similarly incompetent and incapable. That somebody has now decided to do something about this is actually something to be welcomed. I do hope they get most of those time-bombs and I do hope these people never get caught. And personally, I would give them a medal and immunity.

    Of course, anybody that secured their IoT devices properly (for exam

  • "To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners."

    I hope a new, better firmware will be installed, why else do it? To do it again the day after?
