BrickerBot: The vigilante malware taking down unsecure IoT devices
If you’re not a fan of black-and-white news stories, with obvious heroes and villains to cheer and boo, then it’s probably best to read something else. Here’s a delightful story about dropping pets into VR so you don’t trip on them, which is far more straightforward. That said, if you’re happy to delve into a murky ethical grey zone, then this is a doozie.
Earlier this month, security researchers from Radware found an unusual type of malware via honeypot servers: BrickerBot.1 and BrickerBot.2. These bots scoured the internet, hunting for unsecure Internet of Things devices with open ports. If the default login worked, BrickerBot would log in and break the product, wiping the device, corrupting local storage and taking it offline.
So where’s the ethical ambiguity here? This is malware that’s breaking people’s property, right? Well, yes, but it’s only targeting IoT hardware where manufacturers have cut corners on their security obligations to the point where everyone suffers. In other words, the hackers are taking down unsecure products before someone else comes along and uses the same exploits for far more nefarious purposes, as happened with the Mirai malware that ran riot on the internet late last year.
BrickerBot now has four versions, and the hacker in question – believed by Bleeping Computer to go under the online pseudonym of Janit0r – claims his or her malware has taken down two million unsecure devices. In an interview via email with the site, the hacker wrote: “The IoT security mess is a result of companies with insufficient security knowledge developing powerful internet-connected devices for users with no security knowledge. Most of the consumer-oriented IoT devices that I’ve found on the net appear to have been deployed almost exactly as they left the factory.”
“For example, 9 out of every 10 Avtech IP cameras that I’ve pulled the user db from were set up with the default login admin/admin! Let that statistic sink in for a second.. and then consider that if somebody launched a car or power tool with a safety feature that failed 9 times out of 10, it would be pulled off the market immediately. I don’t see why dangerously designed IoT devices should be treated any differently, and after the internet-breaking attacks of 2016, nobody can seriously argue that the security of these devices isn’t important.”
Janit0r goes on to describe this nuclear solution as “internet chemotherapy,” saying: “Chemotherapy is a harsh treatment that nobody in their right mind would administer to a healthy patient, but the internet was becoming seriously ill in Q3 and Q4/2016, and the moderate remedies were ineffective.”
“The side effects of the treatment were harmful, but the alternative (DDoS botnet sizes numbering in the millions) would have been worse.”
So we’ve got a piece of aggressive malware that sets out to deliberately break people’s property. That’s bad. But it’s committing vandalism to prevent those devices being co-opted for far wider internet attacks. This is the very definition of a grey area: if it makes manufacturers take their IoT security even slightly more seriously, then it will have helped the wider internet ecosystem. However, that’s small consolation to the couple who can’t get a refund on their shoddily made smart lightbulbs, thermostats or connected cameras.