Beyond the chaos caused by the Mirai botnet attack in 2016, which turned networked devices (running out-of-date versions of Linux) into remotely controlled “bots” used to launch large-scale network DDoS attacks, a new botnet, BrickerBot (using the same exploit vector as Mirai), is targeting IoT devices beyond those in the consumer world.

Within seconds, instead of creating a new bot within a live device, this attack permanently disables the device, turning it into a “brick”. This kind of attack is called Permanent Denial of Service (PDoS), and it is becoming more popular by the day.

PDoS bots roam the Internet looking for easy targets, including Linux-based routers, bridges and connected devices that still operate with unchanged factory default passwords, and use those passwords to obtain admin access. Once in, these bots exploit security flaws and poor configurations and can destroy the firmware and/or basic functions of a system. This contrasts with its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage.

Uncovered by Radware, whose honeypot recorded nearly 2,000 PDoS attempts over four days, the BrickerBot attacks came from a variety of locations around the world, compromising IoT devices and corrupting their data storage and software with a flood of destructive commands that wipe files and cut off the device's Internet connection.

According to Radware's security researcher, in a report published shortly after the company identified the threat: “Also known loosely as ‘phlashing’ in some circles, PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware.”

More technically, the BrickerBot malware targets Linux-based IoT devices running the BusyBox toolkit, and seems to have a particular attraction to Ubiquiti network devices, which have security issues of their own. Once inside the operating system, the code starts to scramble the onboard memory using rm -rf /*, disables TCP timestamps, and limits the maximum number of kernel threads to one. BrickerBot then flushes all iptables, firewall and NAT rules before adding a rule to drop all outgoing packets. As if that weren't enough, it then wipes all code on the affected device, destroying it permanently.
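The command sequence just described is also a useful detection signature. The following is an added example, not Radware's or NetFoundry's code: a small detector that groups captured telnet commands by session (a honeypot or a device's own command audit log would supply them) and flags sessions that combine two or more of the destructive actions listed above. The log line format, the sample session lines, the indicator weights and the alert threshold are all constructed assumptions to be tuned against real honeypot noise.

```python
"""Detector for the destructive command sequence described above, run over
captured telnet session logs such as a honeypot produces. This is an added
illustration, not Radware's or NetFoundry's code; the log format and the
sample session lines are constructed, and the indicator weights and alert
threshold are assumptions to be tuned against real honeypot noise."""
import re

# One regex per destructive action the article names, with an assumed weight.
INDICATORS = {
    "wipe_filesystem":        (re.compile(r"\brm\s+-rf\s+/\*?(\s|$)"), 3),
    "disable_tcp_timestamps": (re.compile(r"tcp_timestamps\s*=\s*0\b"), 2),
    "limit_kernel_threads":   (re.compile(r"threads-max\s*=\s*1\b"), 2),
    "flush_iptables":         (re.compile(r"\biptables\s+(-t\s+\S+\s+)?-F\b"), 2),
    "drop_all_egress":        (re.compile(r"\biptables\s+-A\s+OUTPUT\s+-j\s+DROP\b"), 3),
}
ALERT_THRESHOLD = 5   # assumption: one action alone never alerts, two or more do

def score_session(commands):
    """Score one session's command list; returns (score, matched indicator names)."""
    matched = [name for name, (pattern, _) in INDICATORS.items()
               if any(pattern.search(cmd) for cmd in commands)]
    return sum(INDICATORS[name][1] for name in matched), matched

def parse_sessions(log_lines):
    """Group '<timestamp> <session-id> CMD <command>' lines by session id.
    Lines of other event types (LOGIN, DISCONNECT, ...) are ignored."""
    sessions = {}
    for line in log_lines:
        parts = line.rstrip("\n").split(" ", 3)
        if len(parts) == 4 and parts[2] == "CMD":
            sessions.setdefault(parts[1], []).append(parts[3].strip())
    return sessions

def find_pdos_sessions(log_lines, threshold=ALERT_THRESHOLD):
    """Return {session_id: (score, matched)} for sessions scoring >= threshold."""
    alerts = {}
    for sid, commands in parse_sessions(log_lines).items():
        score, matched = score_session(commands)
        if score >= threshold:
            alerts[sid] = (score, matched)
    return alerts

# Constructed sample capture: s1 follows the sequence the article describes,
# s2 is a routine admin session, s3 resets a firewall but does nothing else.
SAMPLE_LOG = [
    "2017-04-05T10:01:12Z s1 LOGIN root",
    "2017-04-05T10:01:13Z s1 CMD rm -rf /*",
    "2017-04-05T10:01:13Z s1 CMD sysctl -w net.ipv4.tcp_timestamps=0",
    "2017-04-05T10:01:14Z s1 CMD sysctl -w kernel.threads-max=1",
    "2017-04-05T10:01:14Z s1 CMD iptables -F",
    "2017-04-05T10:01:14Z s1 CMD iptables -t nat -F",
    "2017-04-05T10:01:15Z s1 CMD iptables -A OUTPUT -j DROP",
    "2017-04-05T10:07:40Z s2 LOGIN admin",
    "2017-04-05T10:07:41Z s2 CMD uptime",
    "2017-04-05T10:07:45Z s2 CMD iptables -L -n",
    "2017-04-05T10:09:02Z s3 CMD iptables -F",
    "2017-04-05T10:09:03Z s3 CMD iptables -P INPUT ACCEPT",
]

if __name__ == "__main__":
    for sid, (score, matched) in find_pdos_sessions(SAMPLE_LOG).items():
        print(f"ALERT session={sid} score={score} indicators={matched}")
```

The threshold is what keeps an ordinary firewall reset (session s3) or a recursive delete of a build directory from paging anyone; only the combination of actions, which has no legitimate administrative purpose, crosses it.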

Three Ways to Protect Your Devices from BrickerBots

The first two are applicable to existing systems:

  1. Change the factory default credentials
  2. Disable Telnet access at the device

The third is to improve the system itself: harden the IoT connectivity services and move to a solution like NetFoundry's Software Defined Network, which isolates devices from public Internet access even though they are connected via the Internet.

Standard network services expose public Internet addresses, which are “easy targets” for DDoS, PDoS and other remote attacks. Why? Because service access control is limited to an ID and password. Internet-based attackers can reach the public endpoint and keep attacking until they find a way to compromise the device, whether by guessing the password, overloading it with DoS traffic, or exploiting operating system and other system vulnerabilities.

NetFoundry uses the public internet for access and reach, but ISOLATES the endpoints from the Internet.

Keep Your IoT Network in the Dark: Attackers Cannot Attack What They Cannot Find

NetFoundry's Service Connection Network technology requires both endpoints to be authenticated, and the connection to a specified service to be authorized, before any packets can be processed. Following our Authenticate-Before-Connect and Least-Privilege-Access process, NetFoundry's software authenticates endpoint connection access before the endpoints are authorized to exchange packets. Unauthorized packets from anywhere else on the Internet are discarded. NetFoundry endpoints are not discoverable or attackable from the general Internet.

This is the opposite of the architecture of traditional Internet-based networks, which first grant public access to the network and then authenticate the service connection. That makes assets inherently discoverable and attackable by bots and other malicious agents anywhere on the Internet.
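To make the difference between the two orderings concrete, here is an added toy model (not NetFoundry's implementation) of a connect-then-authenticate service beside an authenticate-before-connect gate. The packet layout, the HMAC-based authorization tag, the endpoint key table, the service names and the validity window are all assumptions made for the demo; the point it shows is that the traditional service answers every probe, while the gate returns nothing for any packet it cannot authenticate and authorize, so a scanner never learns the service exists.

```python
"""Toy model of the two connection orders contrasted above: a service that
accepts a connection and then asks for credentials, versus a gate that
authenticates and authorizes the endpoint before any packet is processed.
This is an added illustration, not NetFoundry's implementation; the packet
layout, the HMAC-based authorization tag, the key table, the service names
and the validity window are all assumptions made for the demo."""
import hashlib
import hmac
import time

# Endpoint keys provisioned out of band (constructed for the demo).
ENDPOINT_KEYS = {"sensor-17": b"\x11" * 32}
# Least-privilege policy: which endpoint may reach which service.
AUTHORIZED = {("sensor-17", "telemetry")}
WINDOW = 30                   # seconds a tag stays valid (assumption)
FACTORY_PASSWORD = "admin"    # constructed default for the 'traditional' service

def make_auth_tag(endpoint_id, service, ts, key):
    """Tag binds endpoint identity, requested service and a timestamp."""
    msg = f"{endpoint_id}|{service}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_packet(endpoint_id, service, key, ts=None):
    """What a provisioned endpoint sends as its very first packet."""
    ts = int(time.time()) if ts is None else ts
    return {"src": endpoint_id, "service": service, "ts": ts,
            "tag": make_auth_tag(endpoint_id, service, ts, key)}

def traditional_service(packet):
    """Connect-then-authenticate: every packet gets some reply, so the service
    is discoverable by scanners and its login can be guessed indefinitely."""
    if packet.get("password") == FACTORY_PASSWORD:
        return "220 shell ready"
    return "530 login failed"

def authenticate_before_connect(packet, now=None):
    """Authenticate-before-connect gate: a reply exists only for a packet whose
    tag verifies under a known endpoint key, is fresh, and whose endpoint is
    authorized for the requested service. Anything else returns None, meaning
    the packet is dropped and nothing is sent back."""
    now = int(time.time()) if now is None else now
    src, service = packet.get("src"), packet.get("service")
    key = ENDPOINT_KEYS.get(src)
    if key is None or service is None:
        return None                        # unknown endpoint: silent drop
    ts = packet.get("ts", 0)
    if not isinstance(ts, int) or abs(now - ts) > WINDOW:
        return None                        # stale or replayed tag
    expected = make_auth_tag(src, service, ts, key)
    if not hmac.compare_digest(expected, str(packet.get("tag", ""))):
        return None                        # forged or tampered tag
    if (src, service) not in AUTHORIZED:
        return None                        # authenticated but not authorized
    return "session established"

def replies_to_scan(handler, probes, **kw):
    """How many probe packets get any answer at all: the discoverability measure."""
    return sum(1 for p in probes if handler(p, **kw) is not None)

if __name__ == "__main__":
    probes = [{"src": "scanner-1"},
              {"src": "scanner-1", "password": "admin"},
              {"src": "scanner-1", "service": "telemetry", "ts": 1000, "tag": "0" * 64}]
    print("traditional replies:", replies_to_scan(traditional_service, probes))
    print("gate replies:", replies_to_scan(authenticate_before_connect, probes, now=1005))
```

Note that a tag minted for one service does not open another: the service name is inside the authenticated message, so changing it in flight fails verification, and an endpoint with a valid key still gets nothing for a service it is not authorized to reach.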

This authenticate-before-connect security paradigm is becoming a best practice for secure-by-design networking, with advocates including the Cloud Security Alliance (“Software Defined Perimeter” or “SDP”), the US Defense Information Systems Agency (“black cloud”) and Google (“BeyondCorp”). NetFoundry is both a leader and a follower in SDP, using the most powerful concepts of SDP architectures and developing continual improvements.

Beyond Isolation: Obfuscation and Resiliency

The Cloud Security Alliance SDP architecture recommends a mutually authenticated, encrypted tunnel to provide data-in-motion security between the authorized endpoints.

A NetFoundry Network connection goes further, splitting each end-to-end session across multiple individually encrypted tunnels and routing the split tunnels to and through physically dispersed Transfer Nodes that ensure diverse network paths.

This provides obfuscation and security even in the face of sophisticated network-based session monitoring, and resilience in the event that network paths become impaired.

  • Split encrypted tunnels provide immunity from monitoring of any end-to-end session to determine an application signature or to attempt unauthorized decryption.
  • The end-to-end connection is fully masked. Each endpoint only makes IP connections to the Transfer Nodes, so no packet on the Internet contains both the end-to-end source and destination IP addresses.

NetFoundry Transfer Nodes introduce no vulnerability themselves. They store no session data, have no knowledge of the end-to-end encryption keys of the data fragments they transport, exchange packets only with key-authorized endpoints, and have no awareness of the other tunnel splits across other Transfer Nodes.

Split tunnels across NetFoundry Transfer Nodes provide connection resiliency. Transfer Nodes are highly distributed, built out across diverse IP backbones in a resilient architecture that makes each node disposable and replaceable, providing robust end-to-end connections even in the case of unexpected network or system impairments, whether the cause is malicious or accidental.
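The two properties claimed for split tunnels above, that no packet on the wire names both end-to-end addresses and that a Transfer Node carries only an opaque fragment it cannot decrypt, can be checked in a small model. The following is an added illustration, not NetFoundry's protocol: the session is sealed end to end, byte-interleaved across several tunnels, each tunnel encrypted under its own key, and each tunnel relayed by a different node. The fragment layout, the node and address names, and the keystream cipher (SHA-256 in counter mode, a demo construction rather than a cipher to deploy) are all assumptions.

```python
"""Toy model of the split-tunnel transport described above: the session is
sealed end to end, interleaved across several tunnels, each tunnel encrypted
under its own key, and each tunnel relayed by a different Transfer Node.
Added illustration, not NetFoundry's protocol; the fragment layout, the node
and address names, and the keystream cipher (SHA-256 in counter mode, a demo
construction, not a cipher to deploy) are assumptions."""
import hashlib

def keystream_xor(key, nonce, data):
    """XOR data with SHA-256(key || nonce || counter) blocks. Symmetric, so the
    same call decrypts. Demo-only construction."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class TransferNode:
    """Relays one tunnel. It holds no keys and records what a tap on its links
    could see: the hop it received from, the hop it forwards to, and the
    ciphertext. It sees nothing of the other tunnels."""
    def __init__(self, name):
        self.name = name
        self.observed = []
    def relay(self, hop_src, hop_dst, body):
        self.observed.append((hop_src, hop_dst, body))
        return body

def send_split(payload, e2e_key, e2e_nonce, tunnels, sender, receiver):
    """tunnels: list of (tunnel_key, tunnel_nonce, TransferNode); the tunnel
    keys are shared by the two endpoints only. Returns the packets that would
    appear on the public Internet, as {src, dst, idx, body} dicts."""
    sealed = keystream_xor(e2e_key, e2e_nonce, payload)       # end-to-end layer
    n = len(tunnels)
    wire = []
    for idx, (tkey, tnonce, node) in enumerate(tunnels):
        fragment = sealed[idx::n]                             # byte interleave
        body = keystream_xor(tkey, tnonce, fragment)          # per-tunnel layer
        wire.append({"src": sender, "dst": node.name, "idx": idx, "body": body})
        relayed = node.relay(sender, receiver, body)
        wire.append({"src": node.name, "dst": receiver, "idx": idx, "body": relayed})
    return wire

def receive_split(wire, e2e_key, e2e_nonce, tunnels, receiver):
    """Reverse of send_split at the authorized far endpoint."""
    n = len(tunnels)
    parts = [b""] * n
    for pkt in wire:
        if pkt["dst"] == receiver:
            tkey, tnonce, _ = tunnels[pkt["idx"]]
            parts[pkt["idx"]] = keystream_xor(tkey, tnonce, pkt["body"])
    sealed = bytearray(sum(len(p) for p in parts))
    for idx, part in enumerate(parts):
        sealed[idx::n] = part
    return keystream_xor(e2e_key, e2e_nonce, bytes(sealed))

def packets_naming_both_ends(wire, sender, receiver):
    """Packets whose header carries both end-to-end addresses (expected: none)."""
    return [p for p in wire if {p["src"], p["dst"]} == {sender, receiver}]

def bytes_recoverable_by_node(node, tunnel_key, tunnel_nonce):
    """What a node that somehow obtained its own tunnel key could reconstruct:
    only its fragment of the end-to-end ciphertext, still sealed because the
    node never receives the end-to-end key."""
    out = b""
    for _, _, body in node.observed:
        out += keystream_xor(tunnel_key, tunnel_nonce, body)
    return out

if __name__ == "__main__":
    # Constructed demo session: three tunnels, three nodes, fixed demo keys.
    nodes = [TransferNode("tn-eu"), TransferNode("tn-us"), TransferNode("tn-ap")]
    tunnels = [(bytes([i]) * 32, bytes([i]) * 8, nodes[i]) for i in range(3)]
    e2e_key, e2e_nonce = b"\xaa" * 32, b"\x01" * 8
    payload = b"temp=21.5C;humidity=40%;door=closed"
    wire = send_split(payload, e2e_key, e2e_nonce, tunnels, "10.0.0.5", "10.0.1.9")
    print("packets naming both ends:", len(packets_naming_both_ends(wire, "10.0.0.5", "10.0.1.9")))
    print("reassembled:", receive_split(wire, e2e_key, e2e_nonce, tunnels, "10.0.1.9"))
```

The model is deliberately modest about what a node does know: it sees the hop it receives from and the hop it forwards to, so address privacy here is a packet-level property, exactly as the text states it. What it never sees is any other tunnel's fragment, node or key, and what it carries is ciphertext under two layers, so even its own tunnel key yields nothing readable.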

Maximum Security across the Public Internet

NetFoundry Service Connection Networks provide multiple layers of granular security to protect your devices and services, even if admin passwords can be cracked.

  • Endpoints are strongly isolated from the Internet, providing immunity from attacks via the public Internet
  • Sessions are transported via individually encrypted split tunnels across multiple dispersed Transfer Nodes to provide:
    • Full obfuscation of source/destination address pairs
    • Immunity from application signature detection or other analysis
    • Resilience in the event of malicious or accidental backbone network and system impairments

In a future post, we'll share more detail about our Authenticate-Before-Connect and Least-Privilege-Access process. This is the opposite of the architecture of most Internet-based networks, which first give endpoints access to the network and then authenticate them, making network assets inherently discoverable and attackable.

It's exciting to be part of the entire technology industry's push to extend the boundaries of how securely we connect, all the way to the edge of the network and to every IoT device.
