Security experts and researchers have recently observed certain malware attacks targeting IoT devices that lead to the wiping of data from the infected systems/devices.
Based on a couple of attacks that happened recently, it’s inferred that hackers are adding data-wiping routines to certain malware designed to infect IoT and embedded devices.
Amnesia, a variation of an older IoT botnet client named Tsunami, has been found infecting digital video recorders by making use of a year-old vulnerability. Built for Linux-based environments, Amnesia performs checks to determine whether the environment it’s running in is actually a virtualized one. It will then attempt to wipe critical directories from the file system, which it does by using the Linux “rm -rf” shell command.
The other such malware, again targeting Linux-based IoT devices, is named BrickerBot and is launched from compromised routers and wireless access points. BrickerBot looks for devices that have the Telnet service running and exposed to the internet, and tries to authenticate to them with common username and password combinations. Once authentication succeeds, the malware launches a series of destructive commands intended to overwrite data on the IoT device’s mounted partitions. Moreover, BrickerBot tries to kill the internet connection and thereby render the device unusable. Though devices with read-only partitions may survive a BrickerBot attack, most devices won’t and would consequently need a firmware reflash. Configurations would be lost; for routers with USB ports or network-attached storage devices, the data on external hard drives also stands the chance of being wiped out. A notable aspect of BrickerBot is that it attacks not just embedded and IoT devices, but any Linux-based device or system that is accessible over Telnet and has weak credentials that can be cracked.
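As an added illustration for defenders (not code from the original article or from any malware report), the following sketch flags the two behaviours described above in a Telnet session audit log: `rm -rf` aimed at critical directories, and writes to block devices, noting whether they followed repeated failed logins. The log format, the sample lines, the directory list and all function names are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample; the "<time> <source> <event> <detail>" format is an assumption.
SAMPLE_LOG = """\
2017-04-10T02:11:01Z 198.51.100.7 LOGIN_FAIL root
2017-04-10T02:11:02Z 198.51.100.7 LOGIN_FAIL admin
2017-04-10T02:11:03Z 198.51.100.7 LOGIN_OK root
2017-04-10T02:11:05Z 198.51.100.7 CMD dd if=/dev/zero of=/dev/sda1
2017-04-10T02:11:06Z 198.51.100.7 CMD rm -rf /*
2017-04-10T09:30:00Z 192.0.2.20 LOGIN_OK admin
2017-04-10T09:30:10Z 192.0.2.20 CMD rm -rf /tmp/cache
"""

CRITICAL_DIRS = {"/", "/bin", "/boot", "/etc", "/home", "/lib", "/usr", "/var"}
# rm with both the recursive and force flags, in any order or case
RM_RF = re.compile(r"\brm\s+-(?=\w*r)(?=\w*f)\w+\s+(.+)", re.I)
# shell redirect or dd output aimed at a disk, flash or SD block device
BLOCK_WRITE = re.compile(r"(?:>\s*|\bof=)/dev/(?:sd|hd|mmcblk|mtd)")

def is_critical(path):  # the directory itself, or a glob directly under it
    return (path.rstrip("*").rstrip("/") or "/") in CRITICAL_DIRS

def destructive(cmd):
    """Return a reason string if the command looks like a wipe, else None."""
    m = RM_RF.search(cmd)
    if m and any(is_critical(t) for t in m.group(1).split()):
        return "rm -rf on critical directory"
    if BLOCK_WRITE.search(cmd):
        return "write to block device"
    return None

def analyze(log, fail_threshold=2):
    """Return (time, source, reason, followed_password_guessing) per alert."""
    fails, guessed, alerts = defaultdict(int), set(), []
    for line in log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        ts, src, event, detail = parts
        if event == "LOGIN_FAIL":
            fails[src] += 1
        elif event == "LOGIN_OK":
            if fails[src] >= fail_threshold:
                guessed.add(src)
            fails[src] = 0
        elif event == "CMD" and (reason := destructive(detail)):
            alerts.append((ts, src, reason, src in guessed))
    return alerts
```

Calling `analyze(SAMPLE_LOG)` returns two alerts for the source that guessed its way in and none for the routine cleanup of `/tmp/cache`.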
It’s to be noted that many big DDoS (Distributed Denial-of-Service) attacks are now executed using botnets made up of hacked IoT devices. Users who rest assured that their malware protection program is keeping them totally secure don’t even know whether their IoT devices (IP cameras, routers, internet-attached storage systems, etc.) are infected; the impact on the performance of the devices wouldn’t even be noticeable. There is of course malware like BrickerBot that makes devices stop working, so users understand that there is an issue, but with malware like Amnesia, vulnerabilities in the IoT devices may continue to exist for years without getting patched. The number of digital video recorders affected by Amnesia is not negligible, and such infected devices are spread across countries like the US, India, Turkey, Israel and Taiwan.
Users buying IoT devices (cameras, routers, NAS systems, etc.) should always check the manufacturer’s security track record. They should also check whether the company has a dedicated point of contact in case security issues happen, how the company handles vulnerabilities, and whether it regularly releases security patches and supports its products for a reasonably long period of time. Whether or not the IoT products have automatic update features should also be checked. All these are important, in addition to using a trusted virus removal application and a malware protection program.