This content is part of the Essential Guide: How the Mirai botnet changed IoT security and DDoS defense

How does BrickerBot threaten enterprise IoT devices?

BrickerBot is similar to other IoT malware like Mirai, Hajime and others. Expert Judith Myerson explains what makes BrickerBot different, and what can be done to defend against it.

My company's network integrates with internet of things (IoT) devices. I heard about BrickerBot permanently damaging some IoT devices after a denial-of-service attack. What can be done to avoid BrickerBot?

Like Mirai, Hajime and other IoT malware, BrickerBot uses a list of known default factory credentials to access Linux-based IoT devices that may run BusyBox, which is a free tool set of Unix utilities for Linux. If device owners forget to change default credentials, BrickerBot logs in and performs destructive attacks against the infected IoT devices.

Radware's Emergency Response Team discovered BrickerBot when the malware began pinging a Radware honeypot. The team members found the malware is similar to Mirai, but with a difference. BrickerBot doesn't actively scan the internet for new victims, like Mirai does. Instead, it looks for devices that have been infected. The objective of the vigilante malware is to permanently disable IoT devices infected with Mirai so that the devices can't be used as part of a botnet.

BrickerBot listens for open port 23 (telnet) and port 7457 for scans from IoT devices infected by other IoT malware. The Telnet port exposes the factory default username and password. These ports enable BrickerBot to launch a permanent denial-of-service attack against the infected devices. The malware uses a series of Linux commands to corrupt the storage, followed by commands to disrupt internet connectivity.

The administrator is prevented from using the ports to send patches. Ports to the affected devices are blocked, and a factory reset doesn't salvage the damaged devices. Rebooting also fails to revive the devices, so the devices are bricked. They are rendered useless and need to be replaced and reinstalled.

The four versions of BrickerBot operate independently of one another without a need for command-and-control servers. The sequence of commands in each version is slightly different in performing their destructive act.

The best way of avoiding BrickerBot is to change default credentials and disable the Telnet port. Organizations should also take the damaged device offline, replace or reinstall hardware, update devices with the latest firmware, and back up files for restoration on new hardware.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to secure internet-connected devices against IoT malware

Discover the lessons enterprises should learn from Mirai

Check out the IoT botnet attacks that plagued 2016

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing