Reports surfaced on the 12th of April of a botnet that attacks IoT running BusyBox and other Linux-based devices. The bot, which is believed to be active since the 20th of March 2017, exploits hard-coded passwords of devices with published SSH or telnet, as well as attempting to brute-force passwords of devices with non-default credentials. As the name suggest, BrickerBot bricks the devices and leaves them completely useless. This is done by executing a set of commands to delete storage, corrupt routing and others.
A quick search on Zoomeye for published devices in New Zealand running BusyBox returns more than 650 devices (mostly routers) and almost all of them are running telnet. The value of the services supported by these devices may vary. However, I am sure that each of these devices has some value to its owner.
The botnet also targets other devices such as Ubiquiti Networks devices. A Shodan search for Ubiquiti Networks in New Zealand results in more than 20,000 devices (no surprise for a common brand of network devices) with different firmware versions. It is safe to assume that several of these are outdated. It is also notable that a lot of these devices disclose loads of useful information such as detailed address and full name of a point-of-contact.
The rise of Mirai botnet last year demonstrated the scale of damage insecure IoT devices can cause to the internet infrastructure. The impact of a fast-growing botnet that incapacitates devices leading to massive disconnection of users and/or services from the Internet can be overwhelming. It is critical to change default device credentials, publish only secure services as required and disable insecure ones (e.g. telnet), and update devices’ firmware regularly to keep your devices yours.