Following the advent of the Mirai virus that dragooned over 100K web-connected security cameras and NVRs to form an attack botnet, a hacker wrote a bit of malware dubbed BrickerBot that also targeted insecure devices like the ones vulnerable to the Mirai malware. Unlike Mirai, the botnet formed by the BrickerBot malware was used to actually disable its targets before they could be drafted into Mirai’s botnet. Unfortunately for the owners of these devices, BrickerBot disables the device by “bricking” it, rendering it permanently unusable by wiping or scrambling the device’s firmware. The hacker behind this gray-hat sabotage is claiming more than 2M devices have been taken out of the fight, which is continuing to escalate with new variants of BrickerBot, now up to version 4.
What this means for you
Among the many things that the internet has wrought, globally accessible markets and supply chains have produced a cornucopia of powerful technology devices that are relatively easy to purchase, install, and use. But as with all markets driven by a mad race to the bottom in production costs, quality suffers, and with it, security. The above-mentioned devices are vulnerable not because of what they are, but because of how they were programmed, assembled, or configured. While the general consensus is that the vulnerabilities are largely due to sloppy coding or ignorance, there is also the concern that because of where the parts were manufactured, there might be purposeful intent to include back doors and data-snooping to aid state-funded espionage. Your takeaways from this should be:
- Just because it’s cheap doesn’t make it insecure, but there is a higher likelihood that it might be.
- Just because it’s expensive doesn’t make it secure. Never assume high-price equals bullet-proof.
- Never use the default passwords on any device, regardless of whether it’s internet connected or not.
When considering a DIY security system that includes internet-connected devices, at minimum make sure you check the reviews on a product to ensure there aren’t known vulnerabilities. Despite the above attacks that occurred last year, some of the devices known to be vulnerable to Mirai are still being sold! If you have any concern at all or can’t spend the time to investigate security system hardware, you should always consult with an industry professional. Just because you can buy legal document templates online or view a video on how to install a toilet does not make you a lawyer or plumber. The same goes for security systems, video cameras and network video recorders.