Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/8/2018
09:00 AM
Justin Shattuck
Justin Shattuck
Partner Perspectives
Connect Directly
LinkedIn
Twitter
RSS
50%
50%

BrickerBot: Internet Vigilantism Ends Don't Justify the Means

However noble the intention, obtaining unauthorized access to devices and making them unusable is illegal and undermines the work of ethical researchers.

Internet of Things (IoT) devices gained infamy almost overnight for their lack of security. This led to their participation in a thingbot (a botnet built out of IoT devices) named Mirai that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University in late 2016.

As a result of these attacks, a project dubbed "Internet Chemotherapy," also known as BrickerBot, was born, believed to be started in November 2016 with the intention of ridding the Internet of vulnerable IoT devices that were low-hanging, infectible hosts for bot herders. The author of the Internet Chemotherapy project, The Janit0r, a.k.a. The Doctor, claims to have "bricked" (cyber attacked electronic devices to cause permanent damage) 10 million devices with BrickerBot. The Janit0r accomplished this by overwriting the firmware of the IoT devices he targeted.

The ethics of the BrickerBot attack are unquestionably wrong. Although members of the information security community understand the rational behind this type of vigilante mindset, even the best intentions cannot justify breaking the law to prove a point. However noble the intention, obtaining unauthorized access to devices and making them unusable, whether temporarily or permanently, is illegal, and it undermines the work of ethical researchers. It is also frustrating to the consumer, government, or business owner who then must replace that device,  efforts that could prove to be ultimately useless if the replacement device is just as insecure.

Internet Vigilantism Versus Ethical Security Research
The Janit0r claims to have disabled more than 10 million vulnerable IoT devices in a little over a year. The number might seem astonishing, but when compared to the 8.4 billion IoT devices Gartner forecast  to be in-use in 2017, 10 million devices is barely a blip on the radar.

"Bad guys are getting more sophisticated, the number of potentially vulnerable devices keep increasing, and it’s only a matter of time before a large-scale Internet-disrupting event will occur," The Janit0r wrote in a 3000-word retirement essay last December. This is not a profound revelation, as evidenced by the sizeable number of thingbots like Mirai and BrickerBot created in the first place. The difference between vigilante activists like The Janit0r and the rest of the security community is our approach to fixing the problem, which is to continually work to increase the true cost to the attacker. For IoT manufacturers, this means following industry standard security controls that make these devices hard to compromise and not worth it to the attacker to even try.

The BrickerBot Timeline
The Janit0r's chronological record of the Internet Chemotherapy project details more than twenty instances of attacks, vulnerabilities, and press events that provide insight into BrickerBot’s objective. One example was the mass disruption of Deutsche Telekom in November 2016, which at the time was believed to have been an attempt by attackers to exploit the victim's equipment to grow Mirai. The Janit0r elaborates on how BrickerBot propagated across these devices, claiming that it infected vulnerable devices and removed the default route for communications, which temporarily removed these devices from further infection by Mirai.

We would love to believe these claims because they would confirm our own data. The Janit0r references the F5 Labs August 2017 report, "The Hunt for IoT: The Rise of Thingbots." In it, we identified a lull in IoT attack activity and speculated that it might have been the result of vigilante bots like BrickerBot (or Hajime). The Janit0r confirms this hypothesis but criticizes F5 Labs for not drawing more definitive conclusions. If data had existed that modestly allowed us to further expand on our hypothesis, we could have given more credit to the Internet Chemotherapy project.  The reality is that without more data, the only responsible thing we can do is speculate.

The Janit0r’s retirement seems entirely appropriate for more reasons than one—death threats, according to him or her — being the biggest. But methodology, ethics and the law are also important considerations. It’s a good thing to be able to decrease the available pool of devices bot herders could use to advance their networks of minions that launch unwanted attacks. However, the methodology and  practice adopted by the Internet Chemotherapy project is unquestionably illegal. Once you cross that line, is there any turning back?

As the industry continues to evolve, perhaps someday device manufacturers will agree to the proposed Digital Millennium Copyright Act (DMCA)  regulations that provide safeguards, albeit modest ones, to protect researchers who proactively attack IOT devices, even with the best of intentions. Until then, just remember, DMCA alone won’t provide protection if you are attacking equipment you do not own and operate.

Get the latest application threat intelligence from F5 Labs.

 

Justin Shattuck is a Principal Threat Researcher for F5 Labs. He has been an avid advance persistent threat hunter for most of his life and continually tracks global attacks and threat actors. He routinely participates in takedowns and helps to inform various law enforcement ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
richalt
50%
50%
richalt,
User Rank: Apprentice
2/16/2018 | 3:12:42 PM
not Brickerbot but an Underwriters Lab for IOT?
Brickerbot is rather brute force.  How about a service which runs such algorithms to certify IOT devices?   A buyer of IOT needs a way to tell the manufacturer "your device is not meeting security standards".

 
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.