New Silex Malware is Bricking IoT Devices, Has Scary Plans
A new strain of malware is wiping the firmware of IoT devices in attacks reminiscent of the old BrickerBot malware that destroyed millions of devices back in 2017. From a report: Named Silex, this malware began operating earlier today, about three-four hours before this article's publication. The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later. Attacks are still ongoing, and according to an interview with the malware's creator, they are about to intensify in the coming days. According to Akamai researcher Larry Cashdollar, who first spotted the malware earlier today, Silex works by trashing an IoT device's storage, dropping firewall rules, removing the network configuration, and then halting the device. It's as destructive as it can get without actually frying the IoT device's circuits. To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners.
I smell opportunity (Score:3)
"To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners."
Now if someone could gather all the devices that are going to get trashed and reload their firmware, he might make a few $.
Re: (Score:2)
Made in china
Re: (Score:2)
Re: (Score:2)
If the author was smart, he'd hijack all the IOT devices and have them mine Bitcoin.
You mean if the author was a self-absorbed egotistical asshole. Not everybody is like you...
Re: (Score:2)
As this probably involves opening the device, the cost of doing this as a service will likely be higher than buying a new piece of IoT trash. I would do it for my own device (if I had any IoT crap), but I count the time spent learning things as an additional benefit.
Re: (Score:2)
Re: (Score:2)
Or it was simply the easiest or cheapest option. I do have VMs in other countries. It is easy to rent them. Alternatively, that thing was easiest to hack.
Somehow I do not see the Iranian government doing the world a huge favor like this.
Re: (Score:2)
Well, maybe they want to score brownie points with IT professionals the world over, they sure could need some in the coming months and years.
Let me be the first to say (Score:2, Insightful)
Really? 2k and you're scared? (Score:3)
BrickerBot took down millions of devices and I don't think anyone here was even affected. Get back to us when it breaks 500K.
I suppose this is doing the Internet a favor (Score:5, Insightful)
Bricking devices that might otherwise get compromised and be used as members of a botnet is probably doing us all a favor in the end.
Who the heck puts IoT devices directly on the Internet with a public IP address anyway? Seems that'd be asking for trouble.
Re: (Score:2, Insightful)
Came here to post something similar, but you beat me to it.
It sounds like this malware is doing the world a service. It isn't acting as spyware or ransomware. It's just knocking devices offline that shouldn't have been online to begin with.
Re: (Score:2, Insightful)
So does beating the people who spout this idiocy into pulp, but it'd still get one arrested because the ends do not justify the means, moron.
Re: (Score:2)
So does beating the people who spout this idiocy into pulp, but it'd still get one arrested because the ends do not justify the means
Normally I'd be the first to agree, but in this case I'll allow it.
Re: (Score:3)
Bricking devices that might otherwise get compromised and be used as members of a botnet is probably doing us all a favor in the end.
Who the heck puts IoT devices directly on the Internet with a public IP address anyway? Seems that'd be asking for trouble.
My thoughts exactly. How are these devices getting a public IP? I'd imagine that the vast majority of them are on home networks, using NAT behind a single IPv4 address. Although, maybe if they're using UPnP to open up public facing ports to the internet, that may be the attack vector?
Re: (Score:2)
Re: (Score:1)
Re:I suppose this is doing the Internet a favor (Score:5, Insightful)
Re: (Score:2)
Well, it is a nice synergy between absolutely incompetent manufacturers and absolutely incompetent customers. Usually takes two major faults for things this bad to happen. Oh, and it may well be an utterly dumb and demented idea like UPnP in the mix as well. After all, most people have a router and most routers do not forward connections from the outside to anything on the inside by default. That makes three major screw-ups.
Re: I suppose this is doing the Internet a favor (Score:2)
The author of this benevolent software has done the world a favor. Perhaps Congress will award him a medal.
So. (Score:1)
Possible to destroy devices. (Score:4, Informative)
If you really want to permanently brick devices then all you have to do is endlessly write to the FLASH memory to actually wear out the chip. After a month or so of running, the FLASH memory will be unable to hold data permanently and reflashing the device will not help.
Re: (Score:2)
You don't need to capitalise it.
Re: (Score:2)
Version 2 incoming
Re: (Score:2)
Version 2 will come along when IPv6 becomes common.
Right now, most of these cheap and terrible Internet of Things (IoT) devices are in peoples' homes, and these are in the main going to be on domestic broadband. This typically has one IPv4 address set by DHCP, with a NAT router supplied by the broadband supplier; this router is typically set to hide all NAT addresses from the public Internet. This means that the vast majority of these insecure rubbish IoT devices are hidden from the malware.
IPv6 has vastly
Re: (Score:2)
Sure, but these folks aren't trying to destroy hardware, they're just trying to solve a problem of misconfigured software. The owner doesn't configure it, and it's a problem for everyone. I wouldn't do it, but I'm pleased to see someone else do it.
Re: (Score:2)
No they are permanently bricked. We're talking about toys in a throwaway society. They will all be landfilled. When they can't boot.
Excellent (Score:3)
Malware wrecks insecure devices. The internet is made a better place.
Thank you!
What devices? (Score:5, Insightful)
I skimmed the actual article, and still don't understand what devices are actually at risk - I mean, it seems like by now there are quite a lot of IOT devices. Is it lightbulbs? Toasters? Garage door controllers? What the heck is at risk here?
Thankfully I have a cloud of TWI (ThingsWithoutInternet) so I'm not really sweating over this, but I'm still curious...
Re:What devices? (Score:5, Informative)
I skimmed the actual article, and still don't understand what devices are actually at risk
Anything running telnet that gives a bash shell using root passwords in the DPL for various IOT devices on the market.
From the article:
"It's using known default credentials for IoT devices to log in and kill the system. It's doing this by writing random data from /dev/random to any mounted storage it finds.
I see in the binary it's calling fdisk -l which will list all disk partitions. It then writes random data from /dev/random to any partitions it discovers.
It's then deleting network configurations, [...] also, it's [running] rm -rf / which will delete anything it has missed.
It also flushes all iptables entries adding one that DROPS all connections. Then halting or rebooting the device.
It's targeting any Unix-like system with default login credentials.
The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix-like OS.
This also means Silex will trash Linux servers if they have Telnet ports open and if they're secured with poor or widely-used credentials."
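The wipe sequence quoted above (fdisk -l, random data onto partitions, rm -rf /, iptables flush plus DROP, halt) is distinctive enough to detect in a telnet honeypot or shell audit log. The following is an added example, not code from the article or from Akamai; the log format ("timestamp session_id command") and the sample lines are constructed for illustration.

```python
"""Flag shell sessions that reproduce the Silex wipe sequence described in the article."""
import re
from typing import Dict, List, Set

# One indicator per step quoted from the article. A session is flagged when it
# trips at least `threshold` distinct indicators, so a lone `iptables -F` from an
# admin does not raise an alert.
INDICATORS = [
    ("enumerate_partitions", re.compile(r"\bfdisk\s+-l\b")),
    ("overwrite_from_random", re.compile(
        r"(?:\bdd\b.*\bif=/dev/u?random\b.*\bof=/dev/|\bcat\s+/dev/u?random\s*>\s*/dev/)")),
    ("delete_root", re.compile(r"\brm\s+-rf\s+/(?:\s|$)")),          # exactly "rm -rf /"
    ("flush_iptables", re.compile(r"\biptables\s+(?:-F|--flush)\b")),
    ("drop_all", re.compile(r"\biptables\b.*\bDROP\b")),
    ("halt_or_reboot", re.compile(r"\b(?:halt|reboot|poweroff)\b")),
]

# Constructed sample log (assumed format: "timestamp session_id command").
# Session s1 mimics the sequence from the article; s2 is benign admin activity.
SAMPLE_LOG = """\
2019-06-25T10:01:02Z s1 fdisk -l
2019-06-25T10:01:03Z s1 cat /dev/random > /dev/mmcblk0p1
2019-06-25T10:01:05Z s1 rm -rf /
2019-06-25T10:01:06Z s1 iptables -F
2019-06-25T10:01:06Z s1 iptables -A INPUT -j DROP
2019-06-25T10:01:07Z s1 halt
2019-06-25T10:02:00Z s2 ls -la /tmp
2019-06-25T10:02:01Z s2 iptables -F
"""


def parse_sessions(log: str) -> Dict[str, List[str]]:
    """Group command strings by session id; malformed lines are skipped."""
    sessions: Dict[str, List[str]] = {}
    for line in log.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        sessions.setdefault(parts[1], []).append(parts[2])
    return sessions


def matched_indicators(commands: List[str]) -> Set[str]:
    """Return the names of all indicators seen anywhere in a session."""
    hits: Set[str] = set()
    for cmd in commands:
        for name, rx in INDICATORS:
            if rx.search(cmd):
                hits.add(name)
    return hits


def classify_sessions(log: str, threshold: int = 3) -> Dict[str, dict]:
    """Map session id -> {"indicators": [...], "suspicious": bool}."""
    verdicts = {}
    for sid, cmds in parse_sessions(log).items():
        hits = matched_indicators(cmds)
        verdicts[sid] = {"indicators": sorted(hits), "suspicious": len(hits) >= threshold}
    return verdicts


if __name__ == "__main__":
    for sid, verdict in classify_sessions(SAMPLE_LOG).items():
        print(sid, verdict)
```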
Re: (Score:2)
Re: (Score:1)
If it's using /dev/random then that is going to be one incredibly slow overwrite. /dev/random is slow even on a "big" machine. On an IoT device there is practically no entropy at all. Be lucky to write 32 bytes an hour.
Re: (Score:2)
Yea, no idea why they don't just use /dev/zero
These things use nand flash for storage. It isn't like someone is going to pay tens to hundreds of thousands of dollars for data recovery services on a sub-$100 device
Re: (Score:2)
I was just as surprised.
I'd think most devices would be behind NAT and unreachable, but you make a good point. The article didn't mention anything about infecting another device on the LAN first in order to reach these things, but that would be a perfectly fitting situation.
I was thinking some upnp garbage going on, but even to me that sounds unexpected.
I thought most "cloud controlled" IoT things made outbound connections to the companies control servers, specifically to work with NAT, so would have no re
Re: (Score:2)
Like BrickerBot, we can probab
Re: (Score:1)
NOT bricking - (Score:1)
This is not BRICKING a device.
Bricking is when it is ruined and as useful as a brick. It is unrecoverable to a working state.
This is simply wiping the storage and rebooting.
Re: (Score:3)
This is simply wiping the storage and rebooting.
For all intents and purposes, this is exactly what bricking is. Sure, if you have a soldering iron and 3.3V TTL serial adapter handy you can reflash the firmware, but that is the case for most bricks (unless they use SecureBoot, then the barrier to unbrick becomes much higher).
Re: (Score:2)
Pretty close to a true bricking. (Score:3)
Anyone with very modest technical skills can reinstall firmware.
Not if the OS has been trashed to the point that you can't run the firmware update tools. This thing (if successful) scribbles random junk all over the flash and reboots THAT.
Then you need to open the box and attach a flashing tool, by a possibly vendor-specific connector or by probing pads. You need an appropriate COMPLETE image, not just the app part. If the flash is not internal to the MCU you need to know how that manufacturer connected it.
Re: (Score:1)
These people weren't even technical enough to change their passwords. These devices will end up in the trash.
Bricked may not be technically correct but the end result is exactly the same.
Telnet with default credentials? (Score:2)
Re: (Score:2)
Pretty much everyone with "smart" lightbulbs, power outlets, security cameras, and thousands of other crapware things that should never be connected to a public network ever.
Re: (Score:2)
Re: (Score:2)
Re: Telnet with default credentials? (Score:1)
"what the "S" is IoT stands for, right?"
Yeah it stands for "secure" and as you can see, it isn't there.
But be aware, if you explain things to an average person like this they will immediately know you are fucking with them. Then they will go out and buy every IoT device they can get their hands on just to spite you.
Speaking of ... (Score:2)
Re: Speaking of ... (Score:2)
At the launch of the IBM PC the Technical Reference Manual was available for sale. It not only had schematics of the whole machine, including the Tandon floppy drive, it also had a printout of the commented source code for the BIOS and all BIOS extensions on add-in cards. What, pray tell, were you reverse engineering? The BASIC ROMs? Those were closed source from Microsoft, but certainly not the BIOS. Or are you just being nostalgic? I know for a fact that the AT&T 6300 also had a similar techref manual
Iffy reporting. (Score:5, Interesting)
1. Reporter discovers new attack when it's barely even begun, with under a thousand devices compromised.
2. Article does not list any details of affected devices, other than saying that it's a default credential attack.
3. Reporter, in no time at all, is able to track the author, establish contact, confirm identity and carry out an interview.
The malware doesn't appear to even be self-replicating. It's nothing but a script that searches for vulnerable devices, logs in, and runs some bash commands intended to trash everything.
Re: (Score:2)
Yeah.
Sounds like grandstanding to me.
Where are all the blokes who would get in line to verify this?
Re: (Score:1)
And yet it still managed to make it onto /.
Didn't say it overwrote the firmware. Just disabled the FW and removed the networking.
Just turn it off and on, should come right back with default config... though they don't seem to know that. Maybe this is being mistaken for the firmware? I have ICT (Internet Connected Technology) and I don't have FW to those devices. They're cameras, they're sensors in the yard for rain, etc.
Sounds like BS
Re: (Score:2)
It overwrites all block device partitions, according to the article. That may or may not overwrite the firmware, depending on how the device is designed. IoT stuff is made to be cheap and mass-produced, which often means eMMC, which would be overwritten by such a crude method. A flash chip is actually cheaper than an EEPROM, and sticking a full-blown Linux on a camera means you can hire cheap developers and use existing software, saving the cost of hiring expensive embedded software engineers.
Re: (Score:2)
Re: Report the terrorist (Score:1)
Factory reset button, people (Score:1)
Devices that aren't at high risk of theft or "I got temporary physical access so I'm going to reset it so I can hack it" should have a factory-reset button.
For everything else - think phones and laptops - you might consider erase-and-bricking a feature - if a bad guy can remote-perma-brick it, so can you, which is a strong theft deterrent for a lot of things.
Even these devices should have a part that can be removed and replaced by the factory if the device is expensive. For example, I might not want a rese
Re:Factory reset button, people (Score:5, Funny)
Devices that aren't at high risk of theft or "I got temporary physical access so I'm going to reset it so I can hack it" should have a factory-reset button.
Definitely - such as the factory reset for "C by GE" light bulbs [youtube.com].
Important note: No matter how ludicrous you think it is, that video is not intended as a joke.
Re: (Score:1)
Okay, which would you rather have if you are buying a fancy network-connected light bulb that probably cost you more than $15 just for the bulb?
* One that if it were remotely bricked or otherwise hacked, you would probably throw away as useless or possibly worse
* One that you could reset, even if it was using a cumbersome procedure like the one in the YouTube video
Re: (Score:3)
How about a third option?
* One you can intentionally reset in a straightforward and simple manner, without having to worry about accidental resets
For example, a recessed reset switch you can access with the end of a paper clip. It’s a design that’s been around for many years and used on many devices - and it works well.
Re: (Score:2)
Incredible. Obviously somewhat intelligent engineers with no wisdom at all. Alternatively, this was forced on them by "management". Probably the second.
It's actually Linux malware (Score:2)
This one is actually Linux malware, bois. How, you may ask, can some bot crack Linux? Answer: default login credentials. Ah, a hole in Linux indeed! Tunnels straight through the idiot manufacturer's brain damaged skull. Come on guys, let's have a proper login setup on install or initial boot, including the usual password strength metrics, like any halfway responsible distribution should do.
Anybody using IOT: we didn't say told ya so, not in so many words, not precisely exactly that. Now be good and go check
Re: (Score:3)
I especially like the version where you can change the password in the GUI, but the telnet port still allows you to log in with the default credentials.
These people are not engineers. They are not even technicians. They are some random incompetent fuckups.
Disabled, not "bricked" (Score:2)
>"The malware had bricked around 350 devices ..."
> "It's as destructive as it can get without actually frying the IoT device's circuits. To recover, victims must manually reinstall the device's firmware"
By definition, that is not "bricking" a device. A "bricked" device is one for which the owner/user cannot resurrect the device, not that it is just difficult or obscure to recover. Otherwise, it is just "disabling" or "wiping" the device.
Anyway, not sure how I feel about it. On the one hand, it is a
Re: (Score:2)
Re: (Score:2)
Well, the law is not about right or wrong, it is about keeping the population under control, the rich and powerful in power and keeping society somewhat functioning. It also has a marketing/propaganda component, where some laws are passed to keep up the appearance that the law serves the people, not the other way round as the set-up actually is.
So, illegal? Yes. The right thing to do and these people should be given a medal? Very much so.
Re: (Score:3)
If you wipe the firmware, it's bricked. There are ways to maybe fix that, but it's a lot deeper than even most technical experts can do - you've got to reverse-engineer the device, locate the flash chip, attach specialised electronics to the appropriate pins - if you're lucky there will be a header, otherwise you'll be soldering to pins on an SMD chip - and write a new image. An image which won't be available in the appropriate format from the manufacturer, and so will have to be read from an intact device th
Re: (Score:2)
If you wipe the firmware, it's bricked.
"Bricked" means "good for nothing but use as a brick." The easiest way to do this is to let the magic smoke out.
Re: (Score:3)
Language is fortunately much more flexible than your mind.
Re: Disabled, not "bricked" (Score:2)
Re: (Score:2)
If you have to do it from the JTAG, it is as good as bricked.
Re: (Score:2)
>"If you have to do it from the JTAG, it is as good as bricked."
I agree, but the summary says "To recover, victims must manually reinstall the device's firmware" and then says "Silex works by trashing an IoT device's storage, dropping firewall rules, removing the network configuration, and then halting the device." Which actually says nothing about trashing or corrupting the firmware, just the stored settings. This strongly implies just a reset or firmware reinstallation, not disassembly and using spec
Re: (Score:2)
This is about the "user + device" hybrid system. If the typical user is incapable of unbricking the device (and the very existence of the term "unbricking" already nicely shows the error in your reasoning), then it is considered bricked in standard use of the term.
Incidentally, by your definition, bricking would be pretty much impossible, as there are always people that can unbrick almost anything. For example, I cannot only solder-in serial connectors (if headers or pins on the chip are present), I can re-
Re: (Score:2)
>"This is about the "user + device" hybrid system. If the typical user is incapable of unbricking the device, then it is considered bricked in standard use of the term."
Then we could "brick" most consumers devices by just unplugging the cables to them :)
Perhaps we are all too stuck on semantics at this point.
Re: (Score:1)
Good (Score:2)
The less IoT devices the better.
Good (Score:2)
Oh, how I pine for the old days (Score:1)
When ROM was read only...
that's good (Score:2)
don't need an internet of most things, useless toymaking.
Re: (Score:2)
Since when is toymaking useless?
Re: (Score:2)
Making toys out of tools interferes with getting things done and makes it more than ten times as likely the tool can fail when needed.
Silex malware bricked IoT devices (Score:2)
Re: (Score:2)
They are internet reachable (first mistake), and they have generic vulnerabilities that never get fixed (second mistake). Some also use default credentials (third mistake). According to the referenced article, it is default credentials this time. It may well be some others, as the "designers" of IoT software are the bottom of the barrel. One wonders how these people manage to switch on a PC.
Basically, they get infected because every rule of IT security gets ignored or implemented incompetently.
Good... (Score:2)
Re: (Score:2)
Actually, should I ever be a victim of this, the next thing I will check is where I screwed up in my firewall configuration.
I find myself incapable of seeing this as bad (Score:2)
With the extreme incapability and incompetence of the IoT industry, the trash they have been pushing to consumers has become a severe threat. The law-makers have proven similarly incompetent and incapable. That somebody has now decided to do something about this is actually something to be welcome. I do hope they get most of those time-bombs and I do hope these people never get caught. And personally, I would give them a medal and immunity.
Of course, anybody that secured their IoT devices properly (for exam
THE firmware? (Score:2)
"To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners."
I hope a new, better firmware will be installed, why else do it? To do it again the day after?