If you think the Internet of Things is a good idea that’s being badly implemented, you’re not alone.

A hacker going by the name of janit0r has created a botnet that actively seeks out poorly-secured IoT devices… and bricks them.

Its name? BrickerBot.

A necessary service?

On the surface, this sounds like just another hacker releasing software that messes things up. It also sounds illegal. And, technically speaking, it is both of those – but it’s also “a necessary service” aimed at preventing truly malicious software from infecting IoT devices while also raising awareness that better security is needed on all IoT devices.

How it works

BrickerBot works by testing the security of all IoT devices that it can find using its own army of bots, and causing to stop functioning those that fail its simple tests by way of a “Permanent Denial of Service” attack.

You’ve heard of Distributed Denial of Service attacks by botnets by now, whereby an attacker shuts a website or internet-based service down by flooding its servers with traffic using a botnet, thereby overloading it and causing it to throw out errors.

A Permanent Denial of Service attack is even more destructive: it physically disables the device by corrupting its firmware, prompting a physical replacement of said device rather than just a quick repair.

And that’s largely what BrickBot does: it scans the internet for IoT devices that are still using default passwords and “bricks” those devices, corrupting their storage and disconnecting them from the internet.

An inconvenient truth

A site called Bleeping Computer managed to track down the likely author of BrickBot, a hacker calling himself janit0r, and asked him about his motivations. As it turns out, he’s less of a hacker looking to cause trouble than a concerned citizen who took it upon himself to clean up the “mess” created by the huge number of unsecured IoT devices that have been co-opted by hackers into massive botnet armies.

In the email interview, janit0r said “The IoT security mess is a result of companies with insufficient security knowledge developing powerful Internet-connected devices for users with no security knowledge. Most of the consumer-oriented IoT devices that I’ve found on the net appear to have been deployed almost exactly as they left the factory.

“For example 9 out of every 10 Avtech IP cameras that I’ve pulled the user db from were set up with the default login admin/admin! Let that statistic sink in for a second.. and then consider that if somebody launched a car or power tool with a safety feature that failed 9 times out of 10 it would be pulled off the market immediately. I don’t see why dangerously designed IoT devices should be treated any differently and after the Internet-breaking attacks of 2016 nobody can seriously argue that the security of these devices isn’t important.”

It’s hard to argue with that position, given the IoT industry’s fledgling status and the sheer volume of manufacturers who’re climbing onto the IoT bandwagon, without there being sufficient standards in place to ensure smart, secure deployments of IoT devices.

Botnet armies attack

The “attacks of 2016” janit0r mentioned happened in October last year, when the US experienced a rather alarming internet outage that was caused by a botnet army. That botnet was created by hackers who co-opted a large number of unsecured but internet-connected digital video recorders and surveillance cameras mainly from one Chinese manufacturer to launch the DDoS attack that blocked access to a number of American websites and internet services.

That specific botnet is known as Mirai, and apparently the hacker behind it released its source code in September 2016 for anyone to adapt and use for their own purposes. janit0r’s actions were specifically intended to weaken existing botnet armies, quite ironically by using his own to undermine them.

Don’t miss the point

While it’s easy to get angry at janit0r for causing the destruction of someone else’s property, that would be to miss the point entirely.

The issue here is not that someone would design a botnet to wreak havoc on IoT devices, but that manufacturers create unsecure IoT devices in the first place, and the people who deploy them don’t do much more than simply to set them up with their factory default settings unchanged.

It’s about forcing parties and end users to take responsibility for their products through the application of some “tough love”, really. Sure, it’s not pleasant or pain-free, but it’s a lot better than the alternative – an ever-increasing number of unsecured devices that would otherwise likely end up as part of future botnets capable of doing even more harm.

Besides that, janit0r claims that BrickBot’s first course of action is to attempt to secure the IoT devices it finds, and only bricks them when that turns out to not be possible. He didn’t go into detail about how the initial attempt at securing them works, though.

The problem

The problem is that the IT security industry just keeps sweeping the issue under the carpet. janit0r’s actions stem from the fact that even though he’d uncovered flaws before and approached the responsible vendors with his findings, they were often very slow to do anything about them, if they even responded at all. And as a result, the number of IoT devices that were compromised and roped into being part of massive botnets skyrocketed.

He told BleepingComputer that

“Like so many others I was dismayed by the indiscriminate DDoS attacks by IoT botnets in 2016. I thought for sure that the large attacks would force the industry to finally get its act together, but after a few months of record-breaking attacks it became obvious that in spite of all the sincere efforts the problem couldn’t be solved quickly enough by conventional means.”

and

“I hope that regulatory bodies will do more to penalize (sic) careless manufacturers since market forces can’t fix this problem. The reality of the market is that technically unskilled consumers will get the cheapest whitelabel DVR they can find at their local store, then they’ll ask their nephew to plug it into the Internet, and a few minutes later it’ll be full of malware. At least with ‘BrickerBot’ there was some brief hope that such dangerous devices could become the merchant’s and manufacturer’s problem rather than our problem.”

White hat hacks

janit0r claims at the time of his interview with BleepingComputer, BrickBot had taken down over two million vulnerable IoT devices, and that he’d like to be considered to be cut from the same cloth as the people behind the Wifatch and Hajime malware – so-called “white hat hackers” who compromise devices in the name of testing their security and making them better.

Wifatch sought to lock down Linux-based IoT devices that have weak or default Telnet credentials against other malware, and Hajime is a self-propagating malware that infects vulnerable IoT devices and blocks access to the ports that made them vulnerable. Security researchers say Hajime has been used by a “vigilante hacker” to wrestle with big botnets like Mirai for the past six months.

A wanted man

Make no mistake, whether you agree with janit0r’s motivations or not, he’s not going to get a slap on the wrist if law enforcement ever catches up to him, as what he’s doing is highly illegal. To prevent that from happening, he works to ensure his real name won’t be discovered… as any good hacker does.

On a practical level, though, it’s not unfair to say that until the IT industry has established effective IoT security standards and all manufacturers agree to abide by it (and then DO), the sort of hacks and denials-of-service that prompted his drastic response will keep on happening.

If not by janit0r’s hand, then by someone else’s.

[Image – Carna Botnet Mar-Dec 2012, CC by SA 4.0]