A Sophisticated Grey Hat Vigilante Protects Insecure IoT Devices

Ars Technica reports on Hajime, a sophisticated "vigilante botnet that infects IoT devices before blackhats can hijack them." Once Hajime infects an Internet-connected camera, DVR, and other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems." But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape...

Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers.
Pascal Geenens, a researcher at security firm Radware, watched the botnet attempt 14,348 hijacks from 12,000 unique IP addresses around the world, and says "If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on...grey hat vigilantes to purge the threat the hard way."

And long-time Slashdot reader The_Other_Kelly asks a good question. "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"

The Tao of IoT Security

[Anonymous Coward]

While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?

A hammer.

Re:

[phantomfive]

And thus the original poster was enlightened.

Re:

[K. S. Kyosuke]

Or hammered.

Turn off UPnP to start

[raymorris]

Both "non-technical people" amd "home networks" combined make that a tough one. A business full of non-technical people, or just people who don't specialize in security, can use a "experts included" solutions from companies like Alert Logic, but that's probably not reasonable for a home network.

A typical home network can be made noticeably more secure from these kinds of attacks by simply turning off UPnP on the router, though. Without UPnP, by default devices on the network can't be accessed from outside, from the internet. The standard router configuration using overloaded NAT (aka PAT) has the side effect of acting like a strict firewall. It's not an enterprise-grade firewall, just a simple packet filter, but it does prevent incoming connections / attacks, except for any port-forwards that are manually configured.

Other than disabling UPnP, the other main thing I can think of is keeping software and firmware up to date, at least for security patches. Devices running old versions are the low-hanging fruit for bad guys. The new software might have new security holes that nobody knows about, but the old version definitely has security holes that everybody knows about, and the bad guy and just run a script to automatically exploit those vulnerabilities.

Sorry I don't have better answers right now. The lack of good answers is why Australia is looking at having the ISP take care of some protection. The ISP can see trends across the whole network, and more importantly they can spend a few thousand dollars per month to contract with companies like Cisco TALOS and Alert Logic to deploy and monitor sophisticated, modern security systems. Yeah that brings up privacy issues, so there is no great solution that I can see.

Re:

[XparXnoiaX]

Sorry I don't have better answers right now.

Easy. Companies should be liable for gross negligence. Things like default passwords haven't been best-practice for a decade now.

Leaving the telnet port open has been a bad idea for a long time.

Already liable, but for how much & to who?

[raymorris]

If they are grossly negligent, they already ARE liable.

The question is, who was hurt and by how much? They are liable *to somebody* for *some* amount of money. That's the hard part.

Re:

[TWX]

Hit 'em via their business liability insurance. When their insurance rates skyrocket then maybe they'll start paying attention to things like information security.

Yes, this will mean that products will cost more. Nothing is free though, either you have to pay for it, take on risk by not having it, or you have to do it yourself. Right now far too many operate with that middle choice.

Agreed, but missing a step, ascertaining liability

[raymorris]

Agreed, insurance companies are really good at analyzing and mitigating risk. Insurance companies created the fire code and Underwriters Laboratories to reduce fire risk. If you don't meet fire code and UL your insurance rates are much higher, so businesses make and buy UL approved stuff. That hints at general approaches which may work well for information security, and specifically at *enforcement* - insurance companies look at a property before they underwrite a multi-million dollar policy, and require re

Re:

[TWX]

Insurance companies also created the IIHS, Insurance Institute for Highway Safety. In twenty years they've compelled the automakers to go from cars that have a high likelihood of killing their occupants in moderate-speed collisions and cars that are extremely expensive to repair in 5mph collisions to cars that will do a much better job of protecting their occupants in even fairly high-speed collisions and are generally reasonable to fix if involved in 5mph collisions. It took a combination of embarrassing

Re:

[Obfuscant]

Things like default passwords haven't been best-practice for a decade now. Leaving the telnet port open has been a bad idea for a long time.

Be careful what you wish for. Attaching anything to the net without a firewall to protect it has been a bad idea for a long time, too. If you don't have a firewall blocking open telnet ports, who is liable?

Re:

[Archangel Michael]

Technically, if courts worked correctly, we wouldn't need a law, a class action lawsuit or two, suing the vendor, the manufacturer and the seller into oblivion would suffice.

The problem is, courts aren't made for you and I, they are made for lawyers and crooks.

Re:

[AmiMoJo]

A simple, open source app would do. Have a blacklist of known crap, and some simple port scans. If an defective device is found, prompt the user to ask the vendor for a repair or their money back.

Re:

[TWX]

I don't know how all you zombies do it, but I configured my home equipment to only allow outbound NAT/PAT to a specific list of ports, and I've blacklisted IP ranges that there's no business connecting to, in addition to all of the normal unsolicited incoming blocking.

Most end users only need perhaps a half-dozen destination network ports to work these days. 53, 80, 443, possibly 20/21 for FTP and possibly a few others for business VPN and VOIP. If you're still using your local ISP for e-mail then 25 or 4

Re:

[godel_56]

While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?

A hammer.

Simply forcing the user to change the default login and password would be a good start, and preventing the user from using passwords like "passw0rd" or "123456" would also help.

That's neither white nor grey.

[Anonymous Coward]

Hajime prevents these devices from being taken down. Instead it adds them to a botnet under the control of someone we don't know. Just because they say they're whitehat doesn't mean they are, and none of their behavior actually supports that claim. They attack other people's systems, instate defenses to maintain the ill-gotten control and use the devices to attack more devices, all without a public mandate. That's black hat.

Re:

[Highdude702]

does the executable have ddos capabilitys? or just spreading abilitys? Chances are the person really is whitehat or he would be trying to hide the bot a little better.

Re:

[Doke]

The bot currently only spreads and protects the device it's on. It's quite open about doing that; not using any stealth to hide. That is obviously a white-hat approach. The concern is that this is now a huge botnet, and potentially could be taken over by a black-hat.

As we've tried to tell the politicians a thousand times, nothing is so secure the bad guys can't take it over for misuse.

Goddamit I got mod points ...

[CaptainDork]

... but the comments, so far, are not of value to those who want some red meat.

"While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"

I gotta think of everything?

Hire this genius to make blister-pak retail-ready solutions available to everyone.

Inject the goddam thing by remote to protect it.

There's gold in them thar hills, I tell yun.

Re:

[John.Banister]

What about hiring this person to build the attack into a router. The router routinely attacks devices on its local network, and doesn't let those devices susceptible to attack communicate with the rest of the internet. Non-technical people would get an off-the-shelf router that protects them from needing to research their (and their kids) IOT device purchases. The router vendor gets to advertise "locks out most possible IOT vulnerabilities on your network," and the susceptible devices are not part of some r

Re:

[CaptainDork]

Works for me.

Also, the first IoT corporation that sells "Certified Secure" devices wins.

Re:

[Doke]

However, such regulation is unlikely to happen. It is cheaper for these companies to quickly churn out 10,000,000 insecure IoT devices with minimal testing, and then use some of the profit to buy a politician. There is too much profit in being first to market.

He's not protecting devices

[Anonymous Coward]

He's not protecting devices. He's compromising them.

He's exploiting a machine, to make it do what he wants it to do. Maybe most of us agree with why (stupid unsecured devices) but he's still exploiting it.

He's not a "greyhat" he's a blackhat (or a script kiddy, depending on how you look at it). He's making peoples computers do things they never agreed was acceptable to them.

Vigilante justice. Lets not celebrate this person.

Re:He's not protecting devices

[Highdude702]

Script Kiddie refers to somebody using somebody elses malicious code because they can not write their own. Which is not what this guy has done.

ajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency.

This guy obviously is NOT a script kiddie. As long as he doesnt have ddos capability and doesnt turn to nefarious purposes hes doing everybody a favor, and hes not even bricking the devices. which you guys were bitching about last week. so what, you people just want to LEAVE the exploitable low hanging fruit for the ddos script kiddies to get? are you stupid?

Re:He's not protecting devices

[moeinvt]

" As long as he doesnt(sic) have ddos capability and doesnt turn to nefarious purposes hes doing everybody a favor,"

Max Butler [wikipedia.org] thought he was doing everyone a favor when he created a worm to patch a security flaw in BIND. No nefarious intent or purposes. Doing something which merely accesses a system, especially a government system, is considered a criminal act however. The Feds don't accept the argument: "Just a white hat, securing some systems." They came down hard on him and he ended up in prison.
The person or people who did this better remain anonymous, especially if the botnet touched any government hardware.

Re:

[Highdude702]

I didn't say our shitty justice system wasn't going to bother him. I'm stating that way he's doing is morally right. And anybody that says otherwise is scum, because the fact that he's not bricking them, which I thought was a plenty good idea in the first place. He is actually protecting consumers from being exploited for harm and also protecting what would be the resulting ddos victims. We all know the justice system in America is flawed. That was never in question.

Re:

[Anonymous Coward]

He's not protecting devices. He's compromising them.

He's exploiting a machine, to make it do what he wants it to do. Maybe most of us agree with why (stupid unsecured devices) but he's still exploiting it.

He's not a "greyhat" he's a blackhat (or a script kiddy, depending on how you look at it). He's making peoples computers do things they never agreed was acceptable to them.

Vigilante justice. Lets not celebrate this person.

That's pretty much what a "grey hat" is though. Somone who does black hat things for white hat reasons.

Re:

[Highdude702]

Had I not commented i would mod this +1 Something or another

Begun, the IoT Wars Have

[mentil]

I suppose this might be a better solution than brickerbot, if people just replace their bricked IoT gadget with another insecure IoT gadget.

Re:

[Gilgaron]

The manufacturer would just put a button on it that reflashes the memory from an onboard ROM.

Re:

[Doke]

Buttons and roms cost money. Returns cost even more. Brickerbot will cost the manufacturers a significant amount of money. That will influence the only thing they care about, their financial bottom line.

Re: Begun, the IoT Wars Have

[Brockmire]

Wow! These bots check warranty periods and leave alone expired warranty devices? Cool! This reminds me when NDS/Directv would do ecm's on satellite pirates. They thought it was hurting the pirate dealers economically, but it just enriched them because they'd charge for the fix. Saying this will cause financial damage to mfg's and cause change shows how little you know. This is just time and cost to the end users.

Not a permanent solution.

[Gravis Zero]

The problem with this solution is that the companies are not getting the negative financial feedback (punishment) that they need to correct their behavior.

I've said it before [slashdot.org] but it's worth repeating.

IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.

The best option is to hijack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

Re:Not a permanent solution.

[Highdude702]

I'm normally 100% against ddos. But this actually sounds like it might hurt. Bot finds device info, loads up ip for company who's product it is. fires off many UDP and ICMP packets at those ip's until the internet is pulled.

Re:

[drinkypoo]

I'm normally 100% against ddos. But this actually sounds like it might hurt. Bot finds device info, loads up ip for company who's product it is. fires off many UDP and ICMP packets at those ip's until the internet is pulled.

I was going to say that the problem with this plan is that clones of the product will also join the ddos on the makers of the original, but upon reflection this is actually a benefit

Re:

[Highdude702]

Could also grep everything in the html folder to find a brand name or part number which is somewhere on most devices web interface.

Re:

[bill_mcgonigle]

DDoS their makers

The economics is strong with this one.

If they can evade, though, they might not care and there will be secondary collateral damage (if they move IP's, use Cloudflare, etc.). The customers still need to be involved to ruin their reputations as well. Perhaps after a time the bots should still brick themselves.

Re:Not a permanent solution.

[Gravis Zero]

The customers still need to be involved to ruin their reputations as well. Perhaps after a time the bots should still brick themselves.

A curious idea but if it's too obvious then they may just dismiss it as "some hacker's fault" and possibly exchange it for a new one instead of laying the blame on the maker. I think a better solution to this would be to allow the device to function... but only intermittently and/or heavily delayed. This way they are more likely to leave negative reviews of the product itself. It's translating to the owner that insecure/connected devices are terrible products that is the challenge. When this is done it's merely left to survival of the fittest.

Re:

[Highdude702]

That't almost perfect. i cant think of any flaws, but as you said "then they may just dismiss it as "some hacker's fault" " However it would have a much bigger impact.

Re:

[Doke]

DDOSing the manufacturers is interesting. However, the device has to not work for the user as quickly as possible, so they can return it quickly. Ideally, the naive user will think it's dead on arrival, and review it that way. That will hurt the manufacturer's sales numbers and reputation.

Perhaps the ideas could be combined. Have the bot change the device so the only thing it does is DDOS the manufacturer, and not pass any other traffic. I understand this would be much harder, and far more device sp

Re: Not a permanent solution.

[Brockmire]

Securing your device is almost always the responsibility of the user and not the vendor. They have no control how the user uses it.

Re:

[Gravis Zero]

The vendor has all of the control because they are the ones who made the default configuration. Also, blaming users for shitty security on an IoT device doesn't actually solve any problems... unless you are a vendor of an IoT product with shitty security.

Re: Security & web pros on hosts

[Brockmire]

Imitation? You might want to look up the meaning as you don't seem to know what it means. You did not come up with the idea of a hosts file. You are not the first to use the hosts file. You are not even the first person to aggregate block lists into a single block list. You've made nothing original. You made a Windows list aggregator. That is all. If anything, you've flattered the thousands who've made scripts to do this already.

Re:

[Doke]

I agree hosts lists like this are useful protection. However, they are unfortunately off-topic for this discussion. Hosts lists are used only by the more techncalliy knowledgeable users. Insecure IoT devices are more commonly used by the _less_ techncalliy knowledgeable users. Someone who knows enough to use a host list, probably also knows enough to change default passwords and disable UPnP.

Re:

[Anonymous Coward]

Sorry mate, HOSTS won't help you against inbound attackers. It can only prevent the computer possessing the HOSTS file from resolving DNS names in the list. Not saying your concept isn't a good one, just that it's not particularly useful for securing IoT devices, which is what makes it largely off-topic in this thread.

Re:

[Highdude702]

Using hosts and inbound exploiting are completely different. How will you know that after i infect you my dns will be in your hosts list? I run private DNS and change frequently. I also Repack and encrypt my payload weekly. How do you know what im using today? You dont. Only massive Honeypot farms can be even close behind a prevention method like this(think top notch AV company) and even they cant keep somebody who does what im saying from infecting short of completely closing access to said exploit. and s

Re: Did a fine job vs. 9 botnets in 9 days

[Brockmire]

Are you fucking nuts? Embedded devices don't have the processing power or memory to have 60k line hosts files. Jesus Christ, you are fucking deaf and dumb. If you fairly promoted the pros and cons of the hosts file method, most people wouldn't care about your spam. But you are frequently, at best misleading, at worst, outright WRONG. You never respond to valid technical concerns, just spam with people's comments about using your application; like we give a fuck what joe fucking nobody said in a comment

What Is IoT?

[b0bby]

What is an IoT device, exactly? My conception is stuff like cameras and connected toasters, but in TFA the only device maker mentioned is MicroTik, who do routers and APs. Most articles like this are similarly fuzzy on what exactly they are talking about.

Re:

[Highdude702]

IoT pretty much means anything connected to the internet thats not a full computer. but honestly in the sense of this and hackers using exploits and default passwords in general... Basically anything connected to the internet. If it is not properly firewalled or put in to a "Walled Garden" as apple would try to say(and even they are vulnerable at times) is able to be hacked. The most recent rash of wifi cameras and shit like "alexa" or what ever they call it these days. routers, access points, and dozens of

Re:

[b0bby]

It seems to me, though, that the biggest problems are with a couple of categories; primarily crappy cameras/dvrs which require a port to be forwarded for external access and which seem to often have hardcoded root passwords in addition to simple defaults. Almost everything else (Alexa, routers, cloud based cameras and thermostats) *are* firewalled/behind a NAT and really are only vulnerable to a local attack or a hack of the cloud provider. (The MicroTik example was especially puzzling, because you usually

Don't put the Ts on the I

[James McP]

Use a video server like Blue Iris or a home automation gateway like Vera to provide a single T on the I for your remote viewing needs.

Use vera/homeseer/ISY for your home automation. Now you have at most 2 Ts on the I to worry about.

I have almost 2 dozen HA devices (locks, power outlets, switches, bulbs, thermostat, sensors) and only 2 IP addressable devices.

Memory question

[alleycat0]

I'm curious - how/why do IOT devices have sufficient memory to support communications protocols/addresses, a bittorrent-based client, etc.?

Re:

[Highdude702]

Purpose built.

How to secure it?

[OverlordQ]

Figure out why it needs to be on the internet in the first place.

Re:

[The_Other_Kelly]

The problem is, a device does not need to be directly exposed on the Internet.

Mirai and other botnets (including the so-called whitehat ones) are scanning the subnet and attacking all detected hosts.
So if *any* device is compromised, for example a browsing tablet device, then all devices are quickly attacked.

From the corporate side, this is handled using the structured approach (partitioning, firewalling, port control, vlan-ing, ...)
All of which are lacking or absent in the consumer world.

Hence my question!

Re:

[K. S. Kyosuke]

Every village needs an idiot.

Re:

[Anonymous Coward]

Apk made his engine. People like and use it.

The 3 users like it very much!

APK

P.S. - I suck cocks.

Re:

[Sir Holo]

Apk made his engine. People like and use it.

The 3 users like it very much!

APK

P.S. - I suck cocks.

Don't their talons cut-up your face?

Re:

[ls671]

Also, most tcpip stack implementations lack the presence of hosts in their implementation. In VB 6, one can use hosts.dll to prevent that. Also to circumvent any issues nevertheless, handy is a gidney pig host file that piggies back on the VB 6 udp layer kernel stack.

Coupled with the speed of kernel lookups inherent to the special host module built-into every OS, this sure stops electricity wastes and cuts down on your power bill.

Even more; since one would then get less irradiated by electromagnetic waves

Re:

[ls671]

Most OS use mostly standard almost bone stock BSD derived IP stack. Linux, MacOS X, Windows (as admin it can do more than non admin users like raw sockets) do....

I agree, very clever.

But nowadays, if you Intel cpu has the special and very powerful vmx flag you can use raw sockets as a regular user process.

This open great opportunities with regards to in-kernel mode lookups and power efficiency of host only based lookups..

Re:

[Anonymous Coward]

APK you're a dumb fuck talking about yourself at the third person.

Re: Talk to Amazon... apk

[Brockmire]

Stay the fuck out of this conversation, adults are talking.

Re:

[Blig]

What have I done better? I went out and bought a Commodore 64 to use instead!

Re:

[Blig]

Saw a trend in the comments and I had to run with it with my first computer. :-P

Re:

[The_Other_Kelly]

Elitist! VIC 20 should be good enough for everyone ...

Re:

[Highdude702]

This AC aint that dim. Knows his way around a keyboard.