In the last week of June 2019, a new strain of malware emerged, dubbed “Silex.” Reminiscent of the BrickerBot malware of 2017, Silex went after IoT devices and bricked thousands of them in a matter of hours. It could take down any device running a Linux distribution, and chiefly damaged smart thermostats, lights and sensors.
How does Silex wreak such havoc? Quite easily. It attempts to log in to a device using that device’s default (i.e. factory-set) credentials; this often works, because many people never change the login credentials on their IoT devices. Once it has a shell, Silex enumerates all mounted storage and writes data from /dev/random to it until the disks are full. It then flushes the device’s firewall rules, deletes its network configuration and triggers a reboot. The device comes back with its storage overwritten and no usable network setup, and stays dead until its firmware is reinstalled and it is rebooted again. Silex will also trash ordinary Linux servers if they expose Telnet and are protected by weak or widely reused credentials. Note that no software vulnerability is involved at any step: the only “exploit” is a known password on an exposed login service.
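The sequence above (a Telnet login with a factory account, followed by a disk fill from /dev/random, a firewall flush, deletion of the network config and a reboot) is distinctive enough to correlate in device logs. The following is an added example, not code from the original post or from the Silex samples: it parses a few constructed syslog-style lines in an assumed format (`telnetd: login OK user=... from=...` and `sh: ... cmd="..."`, neither of which is a real daemon's format) and raises an alert only when a session shows the wipe stage or at least two of the destructive stages within a time window, so a legitimate operator who runs `dd` from /dev/zero into /tmp and then reboots is not flagged. The list of factory account names is an assumption.

```python
"""Correlate Silex-style wiper behaviour in device logs (added example)."""
import re
from datetime import datetime

# Constructed sample log. The format, hostnames and addresses are assumptions
# made for this example; they are not taken from the original page.
SAMPLE_LOG = """\
2019-06-25T10:00:01Z thermostat telnetd: login OK user=root from=203.0.113.5
2019-06-25T10:00:03Z thermostat sh: user=root from=203.0.113.5 cmd="dd if=/dev/random of=/dev/mmcblk0 bs=1M"
2019-06-25T10:00:09Z thermostat sh: user=root from=203.0.113.5 cmd="iptables -F"
2019-06-25T10:00:10Z thermostat sh: user=root from=203.0.113.5 cmd="rm -rf /etc/network/interfaces"
2019-06-25T10:00:11Z thermostat sh: user=root from=203.0.113.5 cmd="reboot -f"
2019-06-25T11:30:00Z thermostat sshd: login OK user=ops from=192.0.2.10
2019-06-25T11:30:05Z thermostat sh: user=ops from=192.0.2.10 cmd="dd if=/dev/zero of=/tmp/test bs=1M count=10"
2019-06-25T11:31:00Z thermostat sh: user=ops from=192.0.2.10 cmd="reboot"
"""

LOGIN_RE = re.compile(
    r'^(?P<ts>\S+) \S+ (?P<svc>telnetd|sshd): login OK user=(?P<user>\S+) from=(?P<src>\S+)$')
CMD_RE = re.compile(
    r'^(?P<ts>\S+) \S+ sh: user=(?P<user>\S+) from=(?P<src>\S+) cmd="(?P<cmd>.*)"$')

# One regex per stage of the behaviour described in the text. fill_disk needs
# both a random source and a block-device destination, in either order.
STAGES = {
    "fill_disk": re.compile(r'^(?=.*\bif=/dev/u?random\b)(?=.*\bof=/dev/).*\bdd\b'),
    "flush_firewall": re.compile(r'\biptables\b.*(?:\s-F\b|--flush\b)'),
    "drop_network_config": re.compile(r'\brm\b.*(?:/etc/network/|/etc/wpa_supplicant|/etc/resolv\.conf)'),
    "reboot": re.compile(r'^(?:reboot|shutdown|init 6|halt)\b'),
}
FACTORY_ACCOUNTS = {"root", "admin", "pi", "ubnt", "support"}  # assumed default names
WINDOW_SECONDS = 300  # commands later than this after login are not correlated


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def classify_command(cmd):
    """Return the set of stage names a single shell command matches."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}


def analyse(log_text):
    """Return one alert dict per (source, user) session that looks like Silex."""
    sessions = {}  # (src, user) -> {"login": ts, "service": svc, "stages": {name: first_ts}}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            sessions[(m["src"], m["user"])] = {
                "login": parse_ts(m["ts"]), "service": m["svc"], "stages": {}}
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        sess = sessions.get((m["src"], m["user"]))
        if sess is None:
            continue
        ts = parse_ts(m["ts"])
        if (ts - sess["login"]).total_seconds() > WINDOW_SECONDS:
            continue
        for stage in classify_command(m["cmd"]):
            sess["stages"].setdefault(stage, ts)  # keep the first sighting

    alerts = []
    for (src, user), sess in sessions.items():
        stages = sess["stages"]
        # The disk fill alone is enough; otherwise require two stages together
        # so a plain reboot or a firewall rule reload does not fire.
        if "fill_disk" not in stages and len(stages) < 2:
            continue
        risk = []
        if sess["service"] == "telnetd":
            risk.append("telnet")
        if user in FACTORY_ACCOUNTS:
            risk.append("factory_account")
        alerts.append({
            "src": src, "user": user, "login": sess["login"].isoformat(),
            "stages": sorted(stages, key=stages.get), "risk": risk})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"ALERT {alert['src']} as {alert['user']}: "
              f"{' -> '.join(alert['stages'])} (risk: {', '.join(alert['risk'])})")
```

On a real device the login and command lines would come from whatever auth and shell-audit logging the firmware provides; the regexes and the two-stage threshold are the part worth keeping, the line format is not.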
Attacks like Silex are worrying because Linux is the most widely used operating system for IoT systems, with distributions like Raspbian, Ubuntu and Debian accounting for almost three quarters of all devices. IoT attacks should become less frequent and less damaging as manufacturers improve the security of their devices. However, with Linux established as the OS for IoT systems moving forward, it is up to you to keep your Linux kernel as secure as possible. Silex itself needs no kernel bug to get in, so changing factory credentials and closing Telnet come first; the next piece of malware to walk in the same way, or through a kernel flaw, should find nothing else to exploit.
As with any other Linux kernel, those residing in IoT devices need to be patched as quickly and as efficiently as possible. That is the only way to give IoT devices the best chance of avoiding or resisting Silex-style attacks.
Every year, hundreds of Linux vulnerabilities emerge, and vendors issue hundreds of patches to combat them. But right now, 99% of organisations patch the same way: by rebooting the Linux system. Because rebooting is a headache for sysadmins – it takes time, it needs scheduling, it creates downtime – it is often delayed. This gap between patch release and patch application is a major security risk, and leaves you more exposed to malware like Silex. (It may also put you out of compliance.)
To be kept as secure as possible, IoT devices need to be treated like any other Linux-based system and patched as soon as possible. The solution? Live kernel patching. At KernelCare, when a vulnerability affecting supported kernels is announced, we prepare a patch as soon as technically possible. That patch is automatically downloaded and applied to the running kernel, with no reboot required. With this process, kernel updates are applied as quickly as possible, minimising the window in which IoT devices are vulnerable to bad actors.