2/8/2018
09:00 AM
Justin Shattuck

BrickerBot: Internet Vigilantism Ends Don't Justify the Means

However noble the intention, obtaining unauthorized access to devices and making them unusable is illegal and undermines the work of ethical researchers.

Internet of Things (IoT) devices gained infamy almost overnight for their lack of security. This led to their participation in a thingbot (a botnet built out of IoT devices) named Mirai that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University in late 2016.

As a result of these attacks, a project dubbed "Internet Chemotherapy," also known as BrickerBot, was born. It is believed to have been started in November 2016 with the intention of ridding the Internet of vulnerable IoT devices that were low-hanging, infectible hosts for bot herders. The author of the Internet Chemotherapy project, The Janit0r, a.k.a. The Doctor, claims to have "bricked" (attacked electronic devices in a way that causes permanent damage) 10 million devices with BrickerBot. The Janit0r accomplished this by overwriting the firmware of the IoT devices he targeted.

The ethics of the BrickerBot attack are unquestionably wrong. Although members of the information security community understand the rationale behind this type of vigilante mindset, even the best intentions cannot justify breaking the law to prove a point. However noble the intention, obtaining unauthorized access to devices and making them unusable, whether temporarily or permanently, is illegal, and it undermines the work of ethical researchers. It is also frustrating to the consumer, government, or business owner who then must replace that device, an effort that could ultimately prove useless if the replacement device is just as insecure.

Internet Vigilantism Versus Ethical Security Research
The Janit0r claims to have disabled more than 10 million vulnerable IoT devices in a little over a year. The number might seem astonishing, but when compared to the 8.4 billion IoT devices Gartner forecast to be in use in 2017, 10 million devices is barely a blip on the radar.

"Bad guys are getting more sophisticated, the number of potentially vulnerable devices keep increasing, and it’s only a matter of time before a large-scale Internet-disrupting event will occur," The Janit0r wrote in a 3000-word retirement essay last December. This is not a profound revelation, as evidenced by the sizeable number of thingbots like Mirai and BrickerBot created in the first place. The difference between vigilante activists like The Janit0r and the rest of the security community is our approach to fixing the problem, which is to continually work to increase the true cost to the attacker. For IoT manufacturers, this means following industry-standard security controls that make these devices hard to compromise and not worth the attacker's effort to even try.

The BrickerBot Timeline
The Janit0r's chronological record of the Internet Chemotherapy project details more than twenty instances of attacks, vulnerabilities, and press events that provide insight into BrickerBot’s objective. One example was the mass disruption of Deutsche Telekom in November 2016, which at the time was believed to have been an attempt by attackers to exploit the victim's equipment to grow Mirai. The Janit0r elaborates on how BrickerBot propagated across these devices, claiming that it infected vulnerable devices and removed the default route for communications, which temporarily removed these devices from further infection by Mirai.

We would love to believe these claims because they would confirm our own data. The Janit0r references the F5 Labs August 2017 report, "The Hunt for IoT: The Rise of Thingbots." In it, we identified a lull in IoT attack activity and speculated that it might have been the result of vigilante bots like BrickerBot (or Hajime). The Janit0r confirms this hypothesis but criticizes F5 Labs for not drawing more definitive conclusions. If data had existed that modestly allowed us to further expand on our hypothesis, we could have given more credit to the Internet Chemotherapy project. The reality is that without more data, the only responsible thing we can do is speculate.

The Janit0r’s retirement seems entirely appropriate for more reasons than one, with death threats, according to him or her, being the biggest. But methodology, ethics and the law are also important considerations. It’s a good thing to be able to decrease the available pool of devices bot herders could use to advance their networks of minions that launch unwanted attacks. However, the methodology and practice adopted by the Internet Chemotherapy project are unquestionably illegal. Once you cross that line, is there any turning back?

As the industry continues to evolve, perhaps someday device manufacturers will agree to the proposed Digital Millennium Copyright Act (DMCA) regulations that provide safeguards, albeit modest ones, to protect researchers who proactively attack IoT devices, even with the best of intentions. Until then, just remember, DMCA alone won’t provide protection if you are attacking equipment you do not own and operate.

Justin Shattuck is a Principal Threat Researcher for F5 Labs. He has been an avid advanced persistent threat hunter for most of his life and continually tracks global attacks and threat actors. He routinely participates in takedowns and helps to inform various law enforcement ...
Comments
richalt,
2/16/2018 | 3:12:42 PM
not Brickerbot but an Underwriters Lab for IOT?
Brickerbot is rather brute force. How about a service which runs such algorithms to certify IOT devices? A buyer of IOT needs a way to tell the manufacturer "your device is not meeting security standards".

 