Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/8/2018
09:00 AM
Justin Shattuck
Justin Shattuck
Partner Perspectives
Connect Directly
LinkedIn
Twitter
RSS
50%
50%

BrickerBot: Internet Vigilantism Ends Don't Justify the Means

However noble the intention, obtaining unauthorized access to devices and making them unusable is illegal and undermines the work of ethical researchers.

Internet of Things (IoT) devices gained infamy almost overnight for their lack of security. This led to their participation in a thingbot (a botnet built out of IoT devices) named Mirai that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University in late 2016.

As a result of these attacks, a project dubbed "Internet Chemotherapy," also known as BrickerBot, was born, believed to be started in November 2016 with the intention of ridding the Internet of vulnerable IoT devices that were low-hanging, infectible hosts for bot herders. The author of the Internet Chemotherapy project, The Janit0r, a.k.a. The Doctor, claims to have "bricked" (cyber attacked electronic devices to cause permanent damage) 10 million devices with BrickerBot. The Janit0r accomplished this by overwriting the firmware of the IoT devices he targeted.

The ethics of the BrickerBot attack are unquestionably wrong. Although members of the information security community understand the rational behind this type of vigilante mindset, even the best intentions cannot justify breaking the law to prove a point. However noble the intention, obtaining unauthorized access to devices and making them unusable, whether temporarily or permanently, is illegal, and it undermines the work of ethical researchers. It is also frustrating to the consumer, government, or business owner who then must replace that device,  efforts that could prove to be ultimately useless if the replacement device is just as insecure.

Internet Vigilantism Versus Ethical Security Research
The Janit0r claims to have disabled more than 10 million vulnerable IoT devices in a little over a year. The number might seem astonishing, but when compared to the 8.4 billion IoT devices Gartner forecast  to be in-use in 2017, 10 million devices is barely a blip on the radar.

"Bad guys are getting more sophisticated, the number of potentially vulnerable devices keep increasing, and it’s only a matter of time before a large-scale Internet-disrupting event will occur," The Janit0r wrote in a 3000-word retirement essay last December. This is not a profound revelation, as evidenced by the sizeable number of thingbots like Mirai and BrickerBot created in the first place. The difference between vigilante activists like The Janit0r and the rest of the security community is our approach to fixing the problem, which is to continually work to increase the true cost to the attacker. For IoT manufacturers, this means following industry standard security controls that make these devices hard to compromise and not worth it to the attacker to even try.

The BrickerBot Timeline
The Janit0r's chronological record of the Internet Chemotherapy project details more than twenty instances of attacks, vulnerabilities, and press events that provide insight into BrickerBot’s objective. One example was the mass disruption of Deutsche Telekom in November 2016, which at the time was believed to have been an attempt by attackers to exploit the victim's equipment to grow Mirai. The Janit0r elaborates on how BrickerBot propagated across these devices, claiming that it infected vulnerable devices and removed the default route for communications, which temporarily removed these devices from further infection by Mirai.

We would love to believe these claims because they would confirm our own data. The Janit0r references the F5 Labs August 2017 report, "The Hunt for IoT: The Rise of Thingbots." In it, we identified a lull in IoT attack activity and speculated that it might have been the result of vigilante bots like BrickerBot (or Hajime). The Janit0r confirms this hypothesis but criticizes F5 Labs for not drawing more definitive conclusions. If data had existed that modestly allowed us to further expand on our hypothesis, we could have given more credit to the Internet Chemotherapy project.  The reality is that without more data, the only responsible thing we can do is speculate.

The Janit0r’s retirement seems entirely appropriate for more reasons than one—death threats, according to him or her — being the biggest. But methodology, ethics and the law are also important considerations. It’s a good thing to be able to decrease the available pool of devices bot herders could use to advance their networks of minions that launch unwanted attacks. However, the methodology and  practice adopted by the Internet Chemotherapy project is unquestionably illegal. Once you cross that line, is there any turning back?

As the industry continues to evolve, perhaps someday device manufacturers will agree to the proposed Digital Millennium Copyright Act (DMCA)  regulations that provide safeguards, albeit modest ones, to protect researchers who proactively attack IOT devices, even with the best of intentions. Until then, just remember, DMCA alone won’t provide protection if you are attacking equipment you do not own and operate.

Get the latest application threat intelligence from F5 Labs.

 

Justin Shattuck is a Principal Threat Researcher for F5 Labs. He has been an avid advance persistent threat hunter for most of his life and continually tracks global attacks and threat actors. He routinely participates in takedowns and helps to inform various law enforcement ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
richalt
50%
50%
richalt,
User Rank: Apprentice
2/16/2018 | 3:12:42 PM
not Brickerbot but an Underwriters Lab for IOT?
Brickerbot is rather brute force.  How about a service which runs such algorithms to certify IOT devices?   A buyer of IOT needs a way to tell the manufacturer "your device is not meeting security standards".

 
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1659
PUBLISHED: 2019-02-21
A vulnerability in the Identity Services Engine (ISE) integration feature of Cisco Prime Infrastructure (PI) could allow an unauthenticated, remote attacker to perform a man-in-the-middle attack against the Secure Sockets Layer (SSL) tunnel established between ISE and PI. The vulnerability is due to...
CVE-2019-8983
PUBLISHED: 2019-02-21
MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 1 of 2).
CVE-2019-8984
PUBLISHED: 2019-02-21
MDaemon Webmail 14.x through 18.x before 18.5.2 has XSS (issue 2 of 2).
CVE-2018-20122
PUBLISHED: 2019-02-21
The web interface on FASTGate Fastweb devices with firmware through 0.00.47_FW_200_Askey 2017-05-17 (software through 1.0.1b) exposed a CGI binary that is vulnerable to a command injection vulnerability that can be exploited to achieve remote code execution with root privileges. No authentication is...
CVE-2018-6687
PUBLISHED: 2019-02-21
Loop with Unreachable Exit Condition ('Infinite Loop') in McAfee GetSusp (GetSusp) 3.0.0.461 and earlier allows attackers to DoS a manual GetSusp scan via while scanning a specifically crafted file . GetSusp is a free standalone McAfee tool that runs on several versions of Microsoft Windows.