Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com) 88
An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.
Re: (Score:3)
People do not learn from history. Most do not even learn from personal experience.
Re: Welchia (Score:1)
It's ok, mr hacker idiot will have enough time to reflect on that in prison
Re: (Score:2)
Since prison or the threat of prison (or even harsher penalties) never did anything to curb crime, I highly doubt that.
Mighty Fine (Score:5, Insightful)
Doing some righteous work.
Re:He'll get 27 years in jail (Score:4, Interesting)
Definitely righteous work:
1) Protecting individuals and society from the harms of shoddy IOT devices. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware? At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet. The greater good is served in any case by society as a whole being protected from weaponized IOT devices.
2) Creating economic imperatives for the companies producing them to design in security. The immediate impact of brickerbot would hopefully be that companies face immediate PR blowback that kills sales when they release shoddy devices that are vulnerable. And over time such products that suffer widespread vulnerabilites to brickage will be tarnished by consumers on the marketplace, and the manufacturers will learn that to make any money they need to pay attention to implementing security precautions.
If he gets busted... (Score:5, Funny)
Re: (Score:2)
It is unfortunate that retribution type attacks are not considered "appropriate". Maybe it is time to fight fire with fire.
Re: If he gets busted... (Score:4, Insightful)
But is this retribution? The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance. If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices. That's the opposite of retribution, if you're actually helping them to increase revenue and profits. Instead, there needs to be consequences for the manufacturers that are serious enough that they are significantly more expensive than the cost of making secure devices.
Re: (Score:1, Insightful)
they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices.
People are ignorant about security because they don't care. If their device gets bricked because it's insecure, they'll start caring.
Re: (Score:3)
People buy such devices because they're cheap, if the device gets bricked they won't know how or why it got bricked just that it stopped working... They will either get it replaced under warranty (if there is one), or just write it off and buy a replacement (cheap devices being unreliable is no surprise to anyone).
Re: (Score:1)
They won't know why it got bricked except for one thing, that "It was cheap". When the consumer find that the reliability is no longer worth the cheap cost investment they've added, they will start to look for other more reliable IoT, which in this case it would be more secured IoT that doesn't brick.
This happens a lot in Mainland China. One example is when they found out the cheap baby formula were poisonous. It caused a rushed in to buy high cost and high quality baby formulas while dropping cheap baby fo
Re: (Score:2)
Some might. Some will simply shift the blame because they refuse to accept that they are in any way responsible for the situation. I had such a thing happen with a neighbour whose internet had been cut off because his machine had been infected and was spewing spam.
He was irate that the ISP didn't protect him from this and felt he was being unfairly penalized, and wouldn't budge no matter how much I tried to explain to him that the computer was his property and he was responsible for maintenance and securi
Re: If he gets busted... (Score:5, Insightful)
If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer.
Are you suggesting there are people who will keep buying the same type of e.g. WiFi lightbulbs that work for a couple hours and then stop working, without returning them?
A return usually costs more than the profit on a device; it's an economically valid feedback mechanism assuming that kind of person isn't actually common. It seems unlikely to me that it is the typical behavior pattern.
Re: (Score:1, Insightful)
The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance.
As those users should be.
The reason that insecure (or otherwise unreliable) devices are the norm these days, is that a) hardware & software vendors get away with it. And b) most users don't care. Or at least not seem to care enough to change things.
If a device can be bricked simply by hooking it up to a network, but buyer is too lazy or ignorant to check before buying, then buyer deserves what he gets. If buyer does his/her homework (and finds device is vulnerable), but buys the product anyway, the
Re: (Score:2)
The reason that insecure (or otherwise unreliable) devices are the norm these days, is that a) hardware & software vendors get away with it. And b) most users don't care. Or at least not seem to care enough to change things.
No, most users don't know enough to care.
Re: (Score:2)
Intent is often taken into account, for instance carrying a knife isn't illegal unless you intended to use it for illegal purposes - you might be intending to use it for cooking etc.
You could argue that by bricking these insecure devices, you were attempting to prevent other more serious crimes from taking place.
Re: If he gets busted... (Score:1)
So by that logic, if you buy a home that has a construction defect that causes a collapse that injures a family member, it's your fault right. Same thing you are arguing. People have different knowledge bases. One day you may realize that it is not the fault nor the responsibility of the buyer to have the level of knowledge you assume.
Re: (Score:3)
If a device can be bricked simply by hooking it up to a network, but buyer is too lazy or ignorant to check before buying, then buyer deserves what he gets. If buyer does his/her homework (and finds device is vulnerable), but buys the product anyway, then buyer deserves what he gets.
If a hacker causes massive damage, and is too lazy or ignorant to check that he or she might be jailed for causing that damage, then the hacker deserves what he gets. If the hacker does his/her homework (and finds there's the risk of jail time) and causes the damage anyway, then the hacker deserves what he gets.
Re: (Score:2)
One way we could look at this is as a cost function on the devices. For a market-based system to work, things have to have costs that ideally reflect their total cost. Cheap IOT devices that are a huge threat to the system don't have an adequate cost assigned to them unless something like this steps in. Perhaps this just evens it up a bit. Carbon tax for IOT?
Re: (Score:2)
If the cost were put on the manufacturer, yes. This is just shifting negative externalities around and hoping that helps, without knowing if it will or not.
Re: (Score:2)
I think it's ridiculous that wifi routers have only one password that can be bandied around. Even worse that the default passwords are listed on websites. I think every device that connects should have its own personal password. Does that give me the right to whack out wi-fi routers on these lists?
Has anyone seen the configuration menus for the firewall tables on these devices? Microsoft puts everything into one giant spreadsheet table; applications vs. user groups and accounts and types of service. Other c
Re: (Score:2)
I think every device that connects should have its own personal password.
The problem with that is if you forget the password and have lost your documentation, your device is now inaccessible to you. After that happens once, the vast majority of customers will permanently avoid that brand and go with someone who has a default username and password. Your suggestion would be market suicide.
Re: (Score:2)
Put a sticker on it.
I helped a friend set up his new router recently. Common brand, I forget which. The serial number sticker also had a password on it. If you went through the hardware reset process, the default password was the one on the sticker. In most cases, this would require paying an extra couple of cents for a serialized flash chip and a few minutes to add a routine to the reset code to generate the password based on the flash chip's serial number.
Re: If he gets busted... (Score:2)
Yeah that works if it's labeled on the device. Maybe that will catch on.
Re: (Score:2)
They might buy a second to replace the first, but will they buy a third? IOT manufacturers might see short-term profits, but they won't last when users finally get wary of buying IOT devices, or at least take security into consideration before they do.
It'll take time, but it'll happen.
Re: (Score:3)
It is unfortunate that retribution type attacks are not considered "appropriate".
Self-defense is not retribution. Third-party defense is always considered valid when a threat is imminent.
All the data we have shows that devices that are vulnerable to Mirai, et. al. will become Mirai bots in a short amount of time, and will begin attacking third-party Internet infrastructure.
If somebody can show the above claim to be false, please do so, showing reason and evidence.
Re: (Score:3)
That does not excuse the attack on someone else property (even if they are stupid) due to an inherent flaw in it's design. This has already been somewhat questioned.
The law forbids hacking, even in self-defense. The report mentioned the Computer Misuse Act in the UK and the Computer Fraud and Abuse Act in the US as examples of legal roadblocks preventing private hackback operations.
Reference here [cybersecuritylaw.us]
While I would not be adverse to removing said devices from the bot pool permanently, but there may be legalities involved.
Re: (Score:2)
That may well be true, except there's one critical problem
Individuals who do not do their due diligence, who do not take the necessary steps to secure their property so that it doesn't cause harm to others, are *not* in any way liable for the damage they cause. Because they arn't liable, they don't give a shit, and won't make attempts to rectify the situation. The manufacturers are not liable for putting out insecure crap. Because they arn't liable, they don't give a shit, and won't make attempts to rect
Re: (Score:2)
But in many jurisdictions there can be limits to what you can claim as self-defense. For example, shooting a burglar running
Re: (Score:1)
The thing is, we've all done this.
I will admit that when WiFi was a new thing, I'd type in the default password to the routers and upgrade the firmware and then secure the admin panel. This was well over 12 years ago, so it's likely those devices have been replaced twice since then, and mostly by ISP-issued routers that have been secured properly.
So I'd actually encourage more "Brickerbot" type of hacking as long as:
1. The goal is to secure the device, not destroy it
2. Destroying the device is the solution
Re: (Score:2)
A lot of these things are broken by design and can't be fixed.
Companies have been dumping IP cameras here for bargain prices right after the vulnerabilities made the news, instead of trying to fix them.
So now you have a â140 camera you paid â30 for, which has telnet open to the world and announces its local IP to 4 different chinese dyndns servers and neither of these "features" can be disabled...
Re: If he gets busted... (Score:2)
Yes they can be fixed. Just drop them in a vlan of their own and deny they access to the internet. Plenty of cheap switches these days have vlan support. I got a 16 port gigabit switch for 70gbp from a major switch vendor last year.
Re: If he gets busted... (Score:2)
Or they use something like WizNet's serial/SPI/I2C-to-UDP boards, whose 'security' can be bruteforced by anyone within a few hours.
Re: (Score:2)
If you upgraded the firmware on a Cisco router, you would find that you could only configure it through the cloud.
Re: If he gets busted... (Score:2)
Golf clap! (Score:1)
Nicely done sir or madam, intentionally or not.
And it was broadcast live on ChinaPorn. (Score:2)
You just gave it away for free! :)
There is a time for everything. (Score:2, Interesting)
I guess it is time. [slashdot.org]
"Destroyed" is such a harsh term... (Score:1)
Re: (Score:1)
Re: (Score:2)
In my experience "bricked" refers fairly exclusively to a non-recoverable state - at least through "normal" means. E.g. you've borked the firmware badly enough that you can no longer install the updates that would repair it. Hence things like "unbrickable" motherboards that have a second back-up BIOS in case something goes wrong when updating the primary one.
Granted, often times there's internal diagnostic pins that can be accessed by sufficiently knowledgeable individuals with the right equipment in orde
Re: "Destroyed" is such a harsh term... (Score:2)
plus, "JTAG" is very implementation-dependent. AFAIK, for example, you can't use an Atmel JTAG-Ice200 to reflash anything besides specific Atmel MCUs. Want to reflash a PIC? You need to buy yet another proprietary JTAG programmer. And so on, for every common microcontroller family. And if some third-party (Keil?) DOES make a multi-platform JTAG, it will be (a) mind-blowingly expensive (like almost every 'pro-grade' tool for non-hobby embedded development), (b) suck, or (c) both.
Not a permanent solution. (Score:5, Insightful)
The problem with this solution is that the companies are not getting the negative finacial feedback (punishment) that they need to correct their behavior.
I've said it before [slashdot.org] but it's worth repeating.
IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.
The best option is to high jack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)
Re: Not a permanent solution. (Score:1, Insightful)
You know there is a thing called warranty (at least in EU) that last at least 2 years. If it doesn't work anymore you bring it back to the manufacturer/seller and they have to deal with it.
Re: (Score:3)
The company is responsible for the device working. Obviously they are not responsible for ie. resetting passwords the customer forgot.
And who is to tell why the device doesn't boot up anymore? They are, and investigating is likely going to mean having an engineer spend time with the device. And that costs money.
And if the device is cleaned wipe, there is really no proof that the client had done anything bad regarding its securing. It's not going to be an easy situation for a company to handle a sudden surge
Doing the Lord's work (Score:1)
I appreciate his kind, selfless effort to save people from their insecure devices by bricking them.
I have undertaken the same effort in the physical security realm. I go to the front door of people's houses, and if I can easily pick the lock, I steal everything in their house, because otherwise a real thief would take it all. I am doing the owners a favor.
Re: Doing the Lord's work (Score:2)
And the idiots on /. Will cheer you on as you go
Re: (Score:2)
A more accurate analogy would be trying to "pick the lock" in a bad neighborhood by rattling the door knob a few times, and if that opened it you then lock it again and fill it with epoxy, so that the insecure entry point is now permanently sealed against further intrusion.
I see hard prison time in his future (Score:3, Insightful)
Sorry dude, I agree that IoT is a bad idea as currently implemented, but crime isn't the way to bring about the change you want.
You are now seen as a threat to national security.
You will go to prison for millions of counts of whatever they feel like charging you with, especially now that you've admitted it.
And no, they're not going to give you a million concurrent 5-year sentences. You're going to get life without parole. Sucks to be you.
Good feedback! (Score:2)
Bricking insecure devices has a nice upshot - the cost of a returned device isn't just the profit - because all of the handling and
coping has to be done (so far) by a human, the actual _cost_ to the distributor or manufacturer of a failed device is often the
loss of profit on the whole minimum order quantity to the distributor - the whole crate.
That's why if you get a DOA item from Amazon, they often don't even want it back, they send you another on your word of
honor- not because they're so nice, but because
Re: (Score:2)
Which may effectively doom IoT for consumers.
I suspect that's the idea. If you have something that's cheap and "weaponizable", then society often ends up restricting them in one fashion or another. What's different about the Internet is that the damage one can do isn't geographically restricted, making control a lot harder.
At least in the mind of its creator, something like "BrickerBot" may be the only way to raise the cost of ownership high enough to prevent destruction of the Internet.
I'm constantly am
Re: (Score:2)
Which may effectively doom IoT for consumers.
You say that as if it's a bad idea.
It's one thing to empower the average person with technology. It's another thing if you simply vomit fancy gizmos on a public that isn't skilled or responsible enough to use them properly.
I mean, we have people who still refuse to accept evolution exists. Or think that vaccines cause autism because some celebrity told them so. Or hell, actually think the world is flat. These people by definition do not have the knowledge and critical thinking skills necessary to use ad
It's a good thing (Score:2)
because it shifts the burden from the user who says "i do not care about dDoSing somebody else" to the producer, who says "i cannot afford angry customers".