Bricked IoT Devices Are Casualties Of Lax Semiconductor Security

How Silex malware gains entry into devices, and what it does after that.

popularity

Earlier this summer, a new strain of destructive malware known as Silex began to spread and effectively brick unprotected IoT devices. Although victims of Silex theoretically can resurrect their IoT devices by manually reinstalling factory firmware, most remain wary of an installation process that is often time consuming and complicated. Moreover, many victims assume their device has suffered an irreversible hardware failure rather than a malware-induced attack.

This is because Silex is programmed to destroy an IoT device’s stored data and remove the network configuration. Silex accomplishes this by deliberately exploiting known default credentials, logging in and killing the system. More specifically, the destructive malware strain writes random data from /dev/random to any mounted storage it can identify. Silex subsequently deletes network configurations, runs rm -rf / to erase data and flushes iptables entries. Lastly, the malware writes an entry to terminate all active connections.

It is important to note that Silex is only one of many malware strains that actively targets devices with default or weak login credentials such as “admin” usernames and “1234” passwords. Put simply, malware like Silex continues to propagate because it is so successful at bricking a wide range of IoT devices by attacking unprotected system functions. Fortunately, a hardware-based root of trust can help protect against malware like Silex by ensuring robust remote access authentication and monitoring of anomalous system operation.

Indeed, a hardware-based root of trust can be provided by an independent security co-processor that is integrated into IoT devices. A security co-processor ensures secure execution of security applications, provides tamper detection and protection, as well as securely storing and handling keys and other sensitive assets. From Rambus’ perspective, an independent hardware security co-processor offers chipmakers and device manufacturers a siloed and comprehensive approach to security.

Partitioning general-purpose processing from secure application processing is provided by integrating a secure co-processor core such as the Rambus CryptoManager Root of Trust into an SoC designed for IoT devices. The CryptoManager Root of Trust is purpose built for security with state-of-the-art anti-tamper techniques including resistance to side-channel and fault-injection attacks. It uses layered security which assures that critical keys and other secure assets are accessed only through hardware with no access by software. Malware like Silex is stopped in its tracks without the ability to access secure system data.

In conclusion, IoT devices bricked by Silex and other malware strains are unfortunate casualties of lax semiconductor security. A hardware-based root of trust that silos secure processing from general-purpose processing can prevent these kind of attacks and ensure that consumer IoT devices are protected from nefarious malware strains like Silex.



2 comments

Steve DiBartolomeo says:

upon reading this I immediately get the impression that this malware was intended specifically to remove insecure IoT devices from the internet and possibly to punish manufacturers who produce such devices. The perpetrators may believe that by doing this, the Internet will be a safer place (no other bot or malware can utilize a bricked device) and manufacturers of the insecure devices will be forced to release products with much improved security or eventually go out of business when their devices continue to fail in the field.

Consider that there is no obvious gain to the Silex malware spreaders – no ransom, no specific targets, no skimming of data.

Jerry McGoveran says:

This is certainly possible, however if that were the case, I would expect to be made aware of a statement to that effect by the perps.

More likely though, this is just another attack by sociopaths.

Leave a Reply


(Note: This name will be displayed publicly)