From BrickerBot to Phlashing, Predictions for Next-Level IoT Attacks.
When BrickerBot was discovered, it was the first time we had seen a botnet that would destroy an IoT device, making it unusable. We’ve had cameras in the lab for our research on the Mirai botnet, so one was volunteered to be the guinea pig. Watching our beloved research lab’s IP-enabled camera turn into a useless paperweight was somewhat bittersweet. We knew BrickerBot v1 aimed to destroy insecure IoT gear, and this was validation. We had to either take it apart and solder a serial connection to it to re-flash it, or just spend the $60 on a new one to continue our IoT botnet research.
In considering what could become a trend of permanently re-writing a device, or “Phlashing,” we see the potential for this trend to move into many realms of reality. We know that state-sponsored malware like Stuxnet has been around for years, but what are some of the other areas we may want to take a look at?
Tizen OS is a Linux-based OS developed in partnership with Intel and Samsung. It was developed to work with TVs, smartphones, watches and other smart devices. Tizen is an open source platform, which makes building your own custom builds fairly easy. Recent research from Israeli security researcher Amihai Neiderman found over 40 critical zero-day vulnerabilities. How hard would it be for a BrickerBot-style attack to start destroying TVs and smart devices? What if the vulnerability were used to load a new, custom, weaponized Tizen OS? A proof of concept using radio waves has already been talked about.
Imagine that you Phlash a smart TV so that it looks and feels the same as the normal TV, but you can NEVER upgrade or replace the firmware again. Next, it can become a bugging device and possibly a network sniffer for passwords. What if it then tries to log into the Wi-Fi router, brute-forcing default credentials or running a dictionary attack against the local router? Once in, it could then potentially send the data back to the Command and Control server so that a custom router firmware can be loaded onto the router. OpenWrt is another open source platform, so taking over the Wi-Fi router for the house could possibly be easy.
The router usually serves up DNS for the household, so intercepting DNS and pointing it at the Command and Control network could be the next way to intercept any other IoT devices. Would an IoT device know if an SSL certificate was invalid when it was phoning home? Would any baby monitors or Zigbee bridges know if their cloud server SSL certificate is valid? My guess is probably not.
What if people’s homes become more and more permanently infected because of Phlashing attacks? We predict that this would be the next natural progression for botnets such as BrickerBot. What if the country you lived in became a cyber-target for a potential world government? With the recent dump of NSA tools by the Shadow Brokers, we know this is the norm for certain spy agencies around the world. How do you know you aren’t already back-doored?
Home users are vulnerable because most of them do not run next-gen firewalls or APT-based malware detection. Even with these systems, we’ve seen a lot of malware bypass and evade the most advanced systems. The industry has not yet built a consumer version of crowdsourced intelligence and monitoring. Our prediction is that this is going to continue to evolve through 2017 to levels we’ve only imagined so far.
First Prediction: BrickerBot copycat authors will expand the range of devices that can get bricked.
Second Prediction: Smart TVs will start being joined to botnets in much larger numbers in 2017.
Third Prediction: We will start seeing Software Defined Radio-based attacks that may start getting into more than just consumer products, and we may begin to see some SCADA-based attacks from it.