Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/8/2018
09:00 AM
Justin Shattuck
Justin Shattuck
Partner Perspectives
Connect Directly
LinkedIn
Twitter
RSS
50%
50%

BrickerBot: Internet Vigilantism Ends Don't Justify the Means

However noble the intention, obtaining unauthorized access to devices and making them unusable is illegal and undermines the work of ethical researchers.

Internet of Things (IoT) devices gained infamy almost overnight for their lack of security. This led to their participation in a thingbot (a botnet built out of IoT devices) named Mirai that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University in late 2016.

As a result of these attacks, a project dubbed "Internet Chemotherapy," also known as BrickerBot, was born, believed to be started in November 2016 with the intention of ridding the Internet of vulnerable IoT devices that were low-hanging, infectible hosts for bot herders. The author of the Internet Chemotherapy project, The Janit0r, a.k.a. The Doctor, claims to have "bricked" (cyber attacked electronic devices to cause permanent damage) 10 million devices with BrickerBot. The Janit0r accomplished this by overwriting the firmware of the IoT devices he targeted.

The ethics of the BrickerBot attack are unquestionably wrong. Although members of the information security community understand the rational behind this type of vigilante mindset, even the best intentions cannot justify breaking the law to prove a point. However noble the intention, obtaining unauthorized access to devices and making them unusable, whether temporarily or permanently, is illegal, and it undermines the work of ethical researchers. It is also frustrating to the consumer, government, or business owner who then must replace that device,  efforts that could prove to be ultimately useless if the replacement device is just as insecure.

Internet Vigilantism Versus Ethical Security Research
The Janit0r claims to have disabled more than 10 million vulnerable IoT devices in a little over a year. The number might seem astonishing, but when compared to the 8.4 billion IoT devices Gartner forecast  to be in-use in 2017, 10 million devices is barely a blip on the radar.

"Bad guys are getting more sophisticated, the number of potentially vulnerable devices keep increasing, and it’s only a matter of time before a large-scale Internet-disrupting event will occur," The Janit0r wrote in a 3000-word retirement essay last December. This is not a profound revelation, as evidenced by the sizeable number of thingbots like Mirai and BrickerBot created in the first place. The difference between vigilante activists like The Janit0r and the rest of the security community is our approach to fixing the problem, which is to continually work to increase the true cost to the attacker. For IoT manufacturers, this means following industry standard security controls that make these devices hard to compromise and not worth it to the attacker to even try.

The BrickerBot Timeline
The Janit0r's chronological record of the Internet Chemotherapy project details more than twenty instances of attacks, vulnerabilities, and press events that provide insight into BrickerBot’s objective. One example was the mass disruption of Deutsche Telekom in November 2016, which at the time was believed to have been an attempt by attackers to exploit the victim's equipment to grow Mirai. The Janit0r elaborates on how BrickerBot propagated across these devices, claiming that it infected vulnerable devices and removed the default route for communications, which temporarily removed these devices from further infection by Mirai.

We would love to believe these claims because they would confirm our own data. The Janit0r references the F5 Labs August 2017 report, "The Hunt for IoT: The Rise of Thingbots." In it, we identified a lull in IoT attack activity and speculated that it might have been the result of vigilante bots like BrickerBot (or Hajime). The Janit0r confirms this hypothesis but criticizes F5 Labs for not drawing more definitive conclusions. If data had existed that modestly allowed us to further expand on our hypothesis, we could have given more credit to the Internet Chemotherapy project.  The reality is that without more data, the only responsible thing we can do is speculate.

The Janit0r’s retirement seems entirely appropriate for more reasons than one—death threats, according to him or her — being the biggest. But methodology, ethics and the law are also important considerations. It’s a good thing to be able to decrease the available pool of devices bot herders could use to advance their networks of minions that launch unwanted attacks. However, the methodology and  practice adopted by the Internet Chemotherapy project is unquestionably illegal. Once you cross that line, is there any turning back?

As the industry continues to evolve, perhaps someday device manufacturers will agree to the proposed Digital Millennium Copyright Act (DMCA)  regulations that provide safeguards, albeit modest ones, to protect researchers who proactively attack IOT devices, even with the best of intentions. Until then, just remember, DMCA alone won’t provide protection if you are attacking equipment you do not own and operate.

Get the latest application threat intelligence from F5 Labs.

 

Justin Shattuck is a Principal Threat Researcher for F5 Labs. He has been an avid advance persistent threat hunter for most of his life and continually tracks global attacks and threat actors. He routinely participates in takedowns and helps to inform various law enforcement ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
richalt
50%
50%
richalt,
User Rank: Apprentice
2/16/2018 | 3:12:42 PM
not Brickerbot but an Underwriters Lab for IOT?
Brickerbot is rather brute force.  How about a service which runs such algorithms to certify IOT devices?   A buyer of IOT needs a way to tell the manufacturer "your device is not meeting security standards".

 
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-13435
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.0 for iOS. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method to disable passcode authentication. NOTE: the vendor indicates that this is not an attack of interest w...
CVE-2018-13446
PUBLISHED: 2018-08-16
** DISPUTED ** An issue was discovered in the LINE jp.naver.line application 8.8.1 for Android. The Passcode feature allows authentication bypass via runtime manipulation that forces a certain method's return value to true. In other words, an attacker could authenticate with an arbitrary passcode. ...
CVE-2018-14567
PUBLISHED: 2018-08-16
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251.
CVE-2018-15122
PUBLISHED: 2018-08-16
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.
CVE-2018-11509
PUBLISHED: 2018-08-16
ASUSTOR ADM 3.1.0.RFQ3 uses the same default root:admin username and password as it does for the NAS itself for applications that are installed from the online repository. This may allow an attacker to login and upload a webshell.