Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com)
An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
Re:what a maroon (Score:5, Insightful)
Re: (Score:2)
That's just it though - he doesn't need the key to the fucking city.
Re:what a maroon (Score:2)
It could be worse, if it were intel management engine, it would have an empty root password.
If I recall the reports correctly, the IME didn't have an empty root password. Instead it checked the number of bytes that the code running in the remote browser said were the length of the hashed password - rather than the number of bytes the IME server-side code knew were the length of a hashed password.
So if you entered a zero-length password on the normal web page, you'd fail to log in. But if you hacked up you
Re: (Score:2)
> ... if you hacked up your own version of the page's code that would say the hashed password was zero-length, ...
I.e. send a "hashed password" that was zero-length.
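The length check described in the two comments above, modelled as an added C example (not code from this thread or from Intel's firmware). The function names, the 32-character digest length and the sample digest are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: the server's digest is 32 hex characters. */
#define DIGEST_HEX_LEN 32

/* Constructed sample value, not a real credential hash. */
static const char EXPECTED[] = "0123456789abcdef0123456789abcdef";

/* Flawed check (hypothetical name): the number of bytes compared is the
 * length the client supplied. With resp_len == 0, strncmp compares nothing
 * and returns 0, so an empty response is accepted as a match. */
int check_flawed(const char *expected, const char *resp, size_t resp_len)
{
    return strncmp(expected, resp, resp_len) == 0;
}

/* Hardened check (hypothetical name): the length the server knows is the
 * only acceptable length, and every byte is compared without early exit. */
int check_hardened(const char *expected, const char *resp, size_t resp_len)
{
    unsigned char diff = 0;
    size_t i;

    if (resp_len != DIGEST_HEX_LEN)
        return 0;
    for (i = 0; i < DIGEST_HEX_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ resp[i]);
    return diff == 0;
}

int main(void)
{
    printf("empty response,  flawed:   %d\n", check_flawed(EXPECTED, "", 0));
    printf("empty response,  hardened: %d\n", check_hardened(EXPECTED, "", 0));
    printf("4-byte prefix,   flawed:   %d\n", check_flawed(EXPECTED, "0123", 4));
    printf("4-byte prefix,   hardened: %d\n", check_hardened(EXPECTED, "0123", 4));
    printf("correct digest,  hardened: %d\n",
           check_hardened(EXPECTED, EXPECTED, DIGEST_HEX_LEN));
    return 0;
}
```

The flawed version also accepts any correct prefix of the digest, which is why the fix is to pin the compared length on the server side rather than to special-case zero.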
Re: (Score:1)
That's exactly what my dad told me actually. He used to tell me I was bringing it upon myself by "being different." Of course he used to beat me too, so there is some question as to how unbiased his opinion on the matter really was.
Re: what a maroon (Score:2)
Re:what a maroon (Score:5, Insightful)
No, he bricked broken IOT(S) devices to stop them from attacking others. A bricked device is harmless, and there's even hope it gets returned to manufacturer. On the other hand, one that's part of a blackhat botnet is bad for everyone.
Re: (Score:1, Troll)
A bricked device is not harmless: it has to be replaced. If the average price of those devices was as low as $10, he caused $100 million in damage.
And he left the owners of those devices with no clue as to what was going on. The user only noticed his device had become unusable, and would be far more likely to assume a hardware problem than someone remotely disabling his device (let alone divine WHY someone chose to do that).
Re: (Score:1)
> A bricked device is not harmless: it has to be replaced. If the average price of those devices was as low as $10, he caused $100 million in damage.
One can only hope the damage is big enough to make the manufacturer start paying attention to security. IoT with no security is a disaster waiting to happen, as they become part of botnets and then are used to DDoS important stuff, which will cause at least as much in damage as you are claiming...
Re: (Score:2)
> One can only hope the damage is big enough to make the manufacturer start paying attention to security.
Right....because consumers are just going to pass those costs right back to the manufacturers...
Or do you have some juvenile fantasy that "word will get around" that $MANUFACTURER's devices are falling over, and refuse to buy any more, thereby forcing $MANUFACTURER to upgrade their security?
Re: (Score:3)
Yes, but that cost needs to be paid for by the manufacturer who has sold you a faulty device with a vulnerability.
Re: (Score:1)
Imagine if you were sold a car for example that had a design flaw in the locking system allowing anyone to remotely unlock the doors with an exploit, or start the engine. Obviously you'd want it fixed, but unless these things are brought to public attention the company could just claim that it's bad luck that your car got stolen and they've nothing to do with it.
This guy "called attention" to the flaw by setting fire to every car with a flaw in its locking system, inconveniencing the owners and NOT INDICATING why he did that. His "cure" was worse than the problem.
Re:what a maroon (Score:5, Interesting)
He used publicly known exploits, so if he didn't get there first it was only a matter of time before someone else did.
Since most people wouldn't even know their device was part of a botnet, this is the best outcome. They will return it to the shop as defective or get a software update from the manufacturer.
Re: what a maroon (Score:2)
Spare us the left-wing lunacy! (Score:2)
> For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
It's 2017, FFS. In the West, that insane drivel stopped the day W left office, and is Putin going to throw you in the Gulag, or have a show trial, and then throw you in (a very nasty, but public) prison.
Re: (Score:2)
Re: (Score:2)
Do we know what country he is in?
Re: Spare us the left-wing lunacy! (Score:2)
Well he is not that stupid is he?
Re: (Score:2)
Exactly. He might not be in 'the west.' He may well be in the sort of country where it is reasonable to fear the government may disappear him, or an angry business owner might ask the local mafia to take care of him.
Re: (Score:3)
He is obviously in Italy since this is published on it.slashdot.org
Re: (Score:1)
I don't think he means vanished into a prison or shallow grave. It's more likely a vanished in the way scientists connected to German weapons programs vanished from Germany at the end of ww2.
aka you don't have a choice you are coming to work for us.
Re: (Score:2)
> It's more likely a vanished in the way scientists connected to German weapons programs vanished from Germany at the end of ww2.
Preposterous.
#1 PAPERCLIP scientists were glad to go to the US (the two obvious reasons are "not wanting to be picked up by the Sovs" and "doing what they love in a land of milk and honey, compared to war-destroyed Germany") and continue working on rockets.
#2 Forcing someone to be a secret hacker is guaranteed to get your secret documents sent to the Enemy.
Re: (Score:2)
> It's 2017, FFS. In the West, that insane drivel stopped the day W left office,
Drone strikes on weddings. Extraordinary rendition... Gitmo. Yeah, Obama sure was different.
Re: Spare us the left-wing lunacy! (Score:2)
War is war. If they don't fight by the rules then so be it.
Re: (Score:2)
#1 The drivel by the Left about Americans getting thrown in Gitmo silenced the day W left office.
#2 Provide links to MSM news stories about extraordinary rendition during the Obama reign.
Re: (Score:2)
I don't know what exactly you would consider "extraordinary"...
https://www.washingtonpost.com... [washingtonpost.com]
http://america.aljazeera.com/o... [aljazeera.com]
It sounds to me like rendition continued, but with some attempt to ensure the suspects were not tortured.
Yep - public service... (Score:4, Insightful)
(1) He's destroying devices that destroy privacy in themselves ... open Telnet ports
(2) He's destroying devices that are insecure by design
Not crying for the owners of this junk. He's indeed doing the Internet a service...
Re: (Score:3)
So he sterilized the devices so they couldn't reproduce the same traits in future generations. Where have I heard that before?
Re: Yep - public service... (Score:2)
Re: (Score:1)
> Not crying for the owners of this junk. He's indeed doing the Internet a service...
I am. Why should the end user pay for a manufacturer's .... I dare not call it a mistake. The world is full of people with wide skillsets in wide areas. You can't expect everyone to be an expert on everything. There are very few people out there with the capability of analysing their own network security.
At the very least these things better be covered by warranty, or fit for service laws.
Re: (Score:2)
> You can't expect everyone to be an expert on everything.
And even if they are, you can't expect everyone to spend uncountable amounts of time confirming everything from first principles.
We have the lives we have because we specialize and regulate the specialists. I don't have to do destructive chemical and mechanical testing of my car tires to have confidence they are safe. I don't have to test samples of my morning cereal before sitting down to eat breakfast. I generally expect the probability of my
Thank you (Score:3, Insightful)
This guy is my hero.
$100 in damages (Score:1)
Times 10 million devices. A billion dollar lawsuit filed against an individual might break some records.
And no, I'm not playing anything. Just noting something hypothetical here. Personally I want to see every buggy piece of shit IoT removed from the Internet. They can go start their own garbage network to run their shitbox hardware on.
Re: $100 in damages (Score:2)
My one friend did actually get sued for 200 million USD by his employer but the case was dropped.
Re: 10 million IoT (Score:2)
Some heroes don't wear capes. (Score:2)
Give this man a fucking prize.
Seriously, IoT devices should come with goddamn warning labels.
This device is known to the surgeon-general of cyberspace to pose a serious risk to your personal privacy, and the personal privacy of those around you. This device may also cause undesired network traffic, communicate with unauthorized systems, and promote the spread of malware to other network connected devices.
Re: (Score:2)
Who made this asshole "surgeon-general of cyberspace" and gave him the authority to destroy people's devices, dickface?
Provide an answer to that which doesn't make you look like an arrogant piece of shit.
He was unanimously approved for the position by the same voters that overwhelmingly support the repeal of net-neutrality. Try to keep up.
Headline should read: Author of BrickerBot Malware (Score:5, Funny)
... finally gets a job.
Re: Headline should read: Author of BrickerBot Mal (Score:2)
Where's the source (Score:1)
I am admittedly lazy. Can someone point me at his source. I couldn't find it in a cursory google search. I'm not planning to use it in the wild, just curious about which exploits he used exactly.
thanks
Re: (Score:1)
Beware the ides of IOT! (Score:1)
Re: (Score:2)
it's only about 456 years.
Re: (Score:1)
Clearly missing the / 24 part.
Re: Great (Score:1)
He disabled insecure devices before they could be taken over as part of a botnet.
Re:For all to see (Score:5, Insightful)
Screw jail. This guy needs to be drawn and quartered.
Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jinping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.
Re: (Score:1, Insightful)
He was doing more than probing. Anyone who thinks this bottom feeder was performing a public service is an idiot. And this guy will probably find out that retiring doesn't mean law enforcement will stop looking for him. And implying he would be "disappeared" is indicative of his warped view of reality. How many people have been "disappeared" for hacking? This guy, and people like him, are also responsible for giving law enforcement the political support needed to attach harsher penalties for these types of c
Re:For all to see (Score:4, Interesting)
> He was doing more than probing. Anyone who thinks this bottom feeder was performing a public service is an idiot.
I think he should get a gold medal for each bricked device. He deserves it.
Re: For all to see (Score:2)
He deserves to be probed. In the ass. With a sharp stick. Coated with capsaicin.
Re: (Score:2)
Wow, .759 people! That's pretty cool. What happened to the .241 of them?
Re: (Score:2)
I guess those fractions represent missing arms, legs and other appendages.
Re: (Score:1)
Just the second period would be enough, we're not that dense.
Re: (Score:1)
I would have written it as 9.786.759,0 with the ,0 there to indicate to dumb-ass Americans they are not the only people in the world.
Says the one mindlessly clutching to the losing convention for historical accuracy? tradition? feels? Who knows why. But, good one. You've got your own groove. Get it, stella!
Re: (Score:2, Insightful)
Dumbass mainland Europeans think it's OK to write in English but not follow English numeric conversions resulting in documentation that either makes no sense or worse gives values that are plain wrong.
Re: (Score:1)
9786.759 people have disappeared because of these activities this year alone. It's easy to access this information for yourself, just log on to www.CIA/bagmen/illegal/assassinations.org where the government tracks all of these instances for you.
You sound awfully sarcastic. I'd hate to think you didn't think the CIA has ever killed anyone. If you do - read the following - and know it's not the only record from an 'authoritative' source on the subject:
[The dart from this secret CIA weapon can penetrate clothing and leave nothing but a tiny red dot on the skin. On penetration of the deadly dart, the individual targeted for assassination may feel as if bitten by a mosquito, or they may not feel anything at all. The poisonous dart completely disintegra
Re: (Score:2)
Make sure you steal his ECU or otherwise "brick" his car. He shouldn't drive it until it's secured properly.
Re: (Score:2)
The next time you fail to lock your car door, I will be sure to rob you and leave a note that says "shit security".
In Australia leaving your car door unlocked when the vehicle is unattended in a public place will get you a fine.
It would be nice if we could get the same sort of treatment for the idiots who code for these IOT devices.
BTW, it seems a lot of his victims were ISPs who are professionals and should know better as to how to set up their equipment.
Re: (Score:2)
No thanks. No, the only "unpleasant figure" in this story is this criminal.
Re: For all to see (Score:3)
Re: (Score:1)
Right, so the solution is to punish the owners by destroying their devices to send a "message" to vendors? How's that working out so far? Are IoT device vendors scrambling to secure their shit so it doesn't get bricked? No?
Fuck, if the ends justify the means why didn't he just start murdering insecure IoT device owners until the vendors agreed to change their ways? It would have been a lot more effective and he would have had just as many morons like yourself riding his nuts.
What's a little collateral d
Re: (Score:2)
Chemotherapy sucks balls, but death sucks worse. News at 11.
Re: (Score:1)
> Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jinping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.
What?!? So if I am creating an IOT of things with my 7 year old, I don't know a simple weather station just say, and we don't secure it because it is a project for a 7 year old where there is no security risk of leaving it exposed, and it is easier for them to experiment with and this guy bricks it, maybe permanently, how is this a public service?
It is vandalism. It is no different than him walking down the street looking at a weather station attached to a wooden fence post in someone's yard and smashing
Re: (Score:2)
To clarify the argument (without endorsing this position). It would be like you created an internet connected IOT weather station that because it was unsecured got hijacked to be included in a DDoS swarm.
The problem with poor IoT security is that, even if the device is useful for nothing else to the hacker, if it has a network stack and a connection it can DDoS someone else and there are millions of these devices. If this guy can get in and brick it, then someone else can get in and use it to DDoS
Re: (Score:2)
> Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jinping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.
The difference is I choose whether or not to get a flu shot. If someone walked down the street jabbing random people with a hypodermic, I'd suggest harsh penalties for them too.