Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
BLACK FRIDAY DEAL: Trust the World's Fastest VPN with Your Internet Security & Freedom--A Lifetime Subscription of PureVPN at $48 with coupon code "BFRIDAY20" ×
Botnet Security Privacy Software Hardware

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com) 88

An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.
This discussion has been archived. No new comments can be posted.

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices

Comments Filter:
  • Mighty Fine (Score:5, Insightful)

    by Anonymous Coward on Friday April 21, 2017 @08:28PM (#54280495)

    Doing some righteous work.

  • by Type44Q ( 1233630 ) on Friday April 21, 2017 @08:33PM (#54280509)
    If he gets busted, I'm good for a $20 towards his legal costs... but if he's willing to target all IoT devices, I'll make it a hundred. ;)
    • It is unfortunate that retribution type attacks are not considered "appropriate". Maybe it is time to fight fire with fire.

      • by Anonymous Coward on Friday April 21, 2017 @09:13PM (#54280663)

        But is this retribution? The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance. If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices. That's the opposite of retribution, if you're actually helping them to increase revenue and profits. Instead, there needs to be consequences for the manufacturers that are serious enough that they are significantly more expensive than the cost of making secure devices.

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices.

          People are ignorant about security because they don't care. If their device gets bricked because it's insecure, they'll start caring.

          • by Bert64 ( 520050 )

            People buy such devices because they're cheap, if the device gets bricked they won't know how or why it got bricked just that it stopped working... They will either get it replaced under warranty (if there is one), or just write it off and buy a replacement (cheap devices being unreliable is no surprise to anyone).

            • They won't know why it got bricked except for one thing, that "It was cheap". When the consumer find that the reliability is no longer worth the cheap cost investment they've added, they will start to look for other more reliable IoT, which in this case it would be more secured IoT that doesn't brick.

              This happens a lot in Mainland China. One example is when they found out the cheap baby formula were poisonous. It caused a rushed in to buy high cost and high quality baby formulas while dropping cheap baby fo

          • Some might. Some will simply shift the blame because they refuse to accept that they are in any way responsible for the situation. I had such a thing happen with a neighbour whose internet had been cut off because his machine had been infected and was spewing spam.

            He was irate that the ISP didn't protect him from this and felt he was being unfairly penalized, and wouldn't budge no matter how much I tried to explain to him that the computer was his property and he was responsible for maintenance and securi

        • by bill_mcgonigle ( 4333 ) * on Friday April 21, 2017 @09:49PM (#54280801) Homepage Journal

          If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer.

          Are you suggesting there are people who will keep buying the same type of e.g. WiFi lightbulbs that work for a couple hours and then stop working, without returning them?

          A return usually costs more than the profit on a device; it's an economically valid feedback mechanism assuming that kind of person isn't actually common. It seems unlikely to me that it is the typical behavior pattern.

        • Re: (Score:1, Insightful)

          The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance.

          As those users should be.

          The reason that insecure (or otherwise unreliable) devices are the norm these days, is that a) hardware & software vendors get away with it. And b) most users don't care. Or at least not seem to care enough to change things.

          If a device can be bricked simply by hooking it up to a network, but buyer is too lazy or ignorant to check before buying, then buyer deserves what he gets. If buyer does his/her homework (and finds device is vulnerable), but buys the product anyway, the

          • by sconeu ( 64226 )

            The reason that insecure (or otherwise unreliable) devices are the norm these days, is that a) hardware & software vendors get away with it. And b) most users don't care. Or at least not seem to care enough to change things.

            No, most users don't know enough to care.

          • by Anonymous Coward

            So by that logic, if you buy a home that has a construction defect that causes a collapse that injures a family member, it's your fault right. Same thing you are arguing. People have different knowledge bases. One day you may realize that it is not the fault nor the responsibility of the buyer to have the level of knowledge you assume.

          • If a device can be bricked simply by hooking it up to a network, but buyer is too lazy or ignorant to check before buying, then buyer deserves what he gets. If buyer does his/her homework (and finds device is vulnerable), but buys the product anyway, then buyer deserves what he gets.

            If a hacker causes massive damage, and is too lazy or ignorant to check that he or she might be jailed for causing that damage, then the hacker deserves what he gets. If the hacker does his/her homework (and finds there's the risk of jail time) and causes the damage anyway, then the hacker deserves what he gets.

        • by anegg ( 1390659 )

          One way we could look at this is as a cost function on the devices. For a market-based system to work, things have to have costs that ideally reflect their total cost. Cheap IOT devices that are a huge threat to the system don't have an adequate cost assigned to them unless something like this steps in. Perhaps this just evens it up a bit. Carbon tax for IOT?

          • by nasch ( 598556 )

            If the cost were put on the manufacturer, yes. This is just shifting negative externalities around and hoping that helps, without knowing if it will or not.

        • by mikael ( 484 )

          I think it's ridiculous that wifi routers have only one password that can be bandied around. Even worse that the default passwords are listed on websites. I think every device that connects should have its own personal password. Does that give me the right to whack out wi-fi routers on these lists?

          Has anyone seen the configuration menus for the firewall tables on these devices? Microsoft puts everything into one giant spreadsheet table; applications vs. user groups and accounts and types of service. Other c

          • by nasch ( 598556 )

            I think every device that connects should have its own personal password.

            The problem with that is if you forget the password and have lost your documentation, your device is now inaccessible to you. After that happens once, the vast majority of customers will permanently avoid that brand and go with someone who has a default username and password. Your suggestion would be market suicide.

            • Put a sticker on it.

              I helped a friend set up his new router recently. Common brand, I forget which. The serial number sticker also had a password on it. If you went through the hardware reset process, the default password was the one on the sticker. In most cases, this would require paying an extra couple of cents for a serialized flash chip and a few minutes to add a routine to the reset code to generate the password based on the flash chip's serial number.

        • They might buy a second to replace the first, but will they buy a third? IOT manufacturers might see short-term profits, but they won't last when users finally get wary of buying IOT devices, or at least take security into consideration before they do.

          It'll take time, but it'll happen.

      • It is unfortunate that retribution type attacks are not considered "appropriate".

        Self-defense is not retribution. Third-party defense is always considered valid when a threat is imminent.

        All the data we have shows that devices that are vulnerable to Mirai, et. al. will become Mirai bots in a short amount of time, and will begin attacking third-party Internet infrastructure.

        If somebody can show the above claim to be false, please do so, showing reason and evidence.

        • That does not excuse the attack on someone else property (even if they are stupid) due to an inherent flaw in it's design. This has already been somewhat questioned.

          The law forbids hacking, even in self-defense. The report mentioned the Computer Misuse Act in the UK and the Computer Fraud and Abuse Act in the US as examples of legal roadblocks preventing private hackback operations.

          Reference here [cybersecuritylaw.us]

          While I would not be adverse to removing said devices from the bot pool permanently, but there may be legalities involved.

          • That may well be true, except there's one critical problem

            Individuals who do not do their due diligence, who do not take the necessary steps to secure their property so that it doesn't cause harm to others, are *not* in any way liable for the damage they cause. Because they arn't liable, they don't give a shit, and won't make attempts to rectify the situation. The manufacturers are not liable for putting out insecure crap. Because they arn't liable, they don't give a shit, and won't make attempts to rect

        • by tlhIngan ( 30335 )

          Self-defense is not retribution. Third-party defense is always considered valid when a threat is imminent.

          All the data we have shows that devices that are vulnerable to Mirai, et. al. will become Mirai bots in a short amount of time, and will begin attacking third-party Internet infrastructure.

          If somebody can show the above claim to be false, please do so, showing reason and evidence.

          But in many jurisdictions there can be limits to what you can claim as self-defense. For example, shooting a burglar running

    • by Anonymous Coward

      The thing is, we've all done this.

      I will admit that when WiFi was a new thing, I'd type in the default password to the routers and upgrade the firmware and then secure the admin panel. This was well over 12 years ago, so it's likely those devices have been replaced twice since then, and mostly by ISP-issued routers that have been secured properly.

      So I'd actually encourage more "Brickerbot" type of hacking as long as:

      1. The goal is to secure the device, not destroy it
      2. Destroying the device is the solution

      • by suss ( 158993 )

        A lot of these things are broken by design and can't be fixed.
        Companies have been dumping IP cameras here for bargain prices right after the vulnerabilities made the news, instead of trying to fix them.
        So now you have a â140 camera you paid â30 for, which has telnet open to the world and announces its local IP to 4 different chinese dyndns servers and neither of these "features" can be disabled...

        • Yes they can be fixed. Just drop them in a vlan of their own and deny they access to the internet. Plenty of cheap switches these days have vlan support. I got a 16 port gigabit switch for 70gbp from a major switch vendor last year.

        • Or they use something like WizNet's serial/SPI/I2C-to-UDP boards, whose 'security' can be bruteforced by anyone within a few hours.

      • by mikael ( 484 )

        If you upgraded the firmware on a Cisco router, you would find that you could only configure it through the cloud.

    • I work for a prominent IoT company and I agree with this. Additional in-house security via ZWave, etc, is good. Having every damn thing you own directly accessible from the internet is just plain stupid. M.
  • by Anonymous Coward

    Nicely done sir or madam, intentionally or not.

  • I guess it is time. [slashdot.org]

  • ... Why, I bet one firmware replacement and they're good as new. Getting one on the other hand... I marked this "slow news day".
  • by Gravis Zero ( 934156 ) on Friday April 21, 2017 @10:25PM (#54280955)

    The problem with this solution is that the companies are not getting the negative finacial feedback (punishment) that they need to correct their behavior.

    I've said it before [slashdot.org] but it's worth repeating.

    IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.

    The best option is to high jack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

  • by Anonymous Coward

    I appreciate his kind, selfless effort to save people from their insecure devices by bricking them.
    I have undertaken the same effort in the physical security realm. I go to the front door of people's houses, and if I can easily pick the lock, I steal everything in their house, because otherwise a real thief would take it all. I am doing the owners a favor.

    • And the idiots on /. Will cheer you on as you go

    • A more accurate analogy would be trying to "pick the lock" in a bad neighborhood by rattling the door knob a few times, and if that opened it you then lock it again and fill it with epoxy, so that the insecure entry point is now permanently sealed against further intrusion.

  • by Anonymous Coward on Saturday April 22, 2017 @12:17AM (#54281293)

    Sorry dude, I agree that IoT is a bad idea as currently implemented, but crime isn't the way to bring about the change you want.
    You are now seen as a threat to national security.

    You will go to prison for millions of counts of whatever they feel like charging you with, especially now that you've admitted it.
    And no, they're not going to give you a million concurrent 5-year sentences. You're going to get life without parole. Sucks to be you.

  • Bricking insecure devices has a nice upshot - the cost of a returned device isn't just the profit - because all of the handling and
    coping has to be done (so far) by a human, the actual _cost_ to the distributor or manufacturer of a failed device is often the
    loss of profit on the whole minimum order quantity to the distributor - the whole crate.

    That's why if you get a DOA item from Amazon, they often don't even want it back, they send you another on your word of
    honor- not because they're so nice, but because

    • by west ( 39918 )

      Which may effectively doom IoT for consumers.

      I suspect that's the idea. If you have something that's cheap and "weaponizable", then society often ends up restricting them in one fashion or another. What's different about the Internet is that the damage one can do isn't geographically restricted, making control a lot harder.

      At least in the mind of its creator, something like "BrickerBot" may be the only way to raise the cost of ownership high enough to prevent destruction of the Internet.

      I'm constantly am

    • Which may effectively doom IoT for consumers.

      You say that as if it's a bad idea.

      It's one thing to empower the average person with technology. It's another thing if you simply vomit fancy gizmos on a public that isn't skilled or responsible enough to use them properly.

      I mean, we have people who still refuse to accept evolution exists. Or think that vaccines cause autism because some celebrity told them so. Or hell, actually think the world is flat. These people by definition do not have the knowledge and critical thinking skills necessary to use ad

  • because it shifts the burden from the user who says "i do not care about dDoSing somebody else" to the producer, who says "i cannot afford angry customers".

Pound for pound, the amoeba is the most vicious animal on earth.

Working...