Slashdot Mirror


How Vigilante Hackers Could Stop the Internet of Things Botnet (vice.com)

An anonymous reader quotes a report from Motherboard: Some have put forth a perhaps desperate -- and certainly illegal -- solution to stop massive internet outages, like the one on Friday, from happening: Have white-hat vigilante hackers take over the insecure Internet of Things that the Mirai malware targets and take them away from the criminals. Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the "bad guys" Mirai can do it, a "good guys" Mirai -- perhaps even controlled by the FBI -- could do the same. The biggest technical hurdle to this plan, as F-Secure chief research officer Mikko Hypponen put it, is that once it infects a device, Mirai "closes the barn door behind it." Mirai spreads by scanning the internet for devices that have the old-fashioned remote access telnet protocol enabled and have easy-to-guess passwords such as "123456" or "password." Then, once it infects them, it disables telnet access, theoretically stopping others from doing the same. The good news is that the code that controls this function actually doesn't at times work very well, according to Darren Martyn, a security researcher who has been analyzing the malware and who said he's seen some infected devices that still have telnet enabled and thus can be hacked again. Also, Mirai disappears once an infected device is rebooted, which likely happens often as owners of infected cameras and DVRs try to fix their devices that suddenly have their bandwidth saturated. The bad news is that Mirai spreads so fast that a rebooted, clean device gets re-infected in five minutes, according to the estimates of researchers who've been tracking the botnets. So a vigilante hacker has a small window before the bad guys come back. The other problem is what a do-gooder hacker could do once they took over the botnet.
The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning. The real challenge of this whole scenario, however, is that despite being for good, this is still illegal. "No one has any real motivation to do so. Anyone with the desire to do so, is probably afraid of the potential jail time. Anyone not afraid of the potential jail time...can think of better uses for the devices," Martyn told Motherboard, referring to criminals who can monetize the Mirai botnet.

37 of 64 comments

  1. Transfer the Responsibility by Anonymous Coward · · Score: 1

    Re: "Anyone with the desire to do so, is probably afraid of the potential jail time."

    Transfer the responsibility back to where it belongs, the manufacturers and vendors. Make them liable if they do not start patching their own devices. The cost of their devices might go up a little but that's their issue, regardless.

    This problem is like pollution. It's pollution of the Internet and the device manufacturers are the root cause. The purchasers of the products might have some secondary responsibility, but we need to be careful what we ask of the consumer. Many consumers aren't very tech savvy and they will never, in most cases, become so. These IoT devices are mostly sold as plug-and-play devices. They need to stay that way.

    If the problem is pollution of the Internet then we need a rule, or even a law: Polluter Pays. The polluter is responsible for the pollution and thus liability accrues to them. Since they are the manufacturer they need not be concerned about going to jail for patching their devices. We might need to make them concerned about going to jail for not patching their devices though.

    1. Re:Transfer the Responsibility by amicusNYCL · · Score: 4, Insightful

      Make them liable if they do not start patching their own devices.

      That's the long-term solution, which wouldn't do much for the current problem devices that are out there.

      Personally, I like the idea of changing the default password. Some people may never see any change, but if someone realizes that they no longer have access to their device then they do a factory reset (1 or more times, depending on how quickly they catch on) before changing the default password themselves.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Transfer the Responsibility by david_bonn · · Score: 1

      The problem is using something as lame and ancient as telnet and sending a password in the clear.

      Using something as rudimentary as ssh and having each device have a unique password (probably generated with the mac address of the device as an input) would be a big improvement. A remote attacker wouldn't have a good way to guess the mac address of such a device.

      Better would be a mechanism for booting such devices in "management mode" (by holding a switch down while powering up the device, or maybe if the device sees a magic ethernet packet within a minute or so of powering up -- note that said packet shouldn't be an IP packet so nobody can send one remotely and that said packet should contain some password that is again a function of the device's mac address).

      Neither of those mechanisms are perfect and both can be defeated by determined attackers. But it would make attackers work to build a million-host botnet.
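The per-device password the post above describes, as an added example (not code from the article or from any vendor): the first derivation uses the MAC address alone, the second keys it with a secret that stays with the manufacturer. The OUI 00:11:22, the device MAC, the factory secret and every function name are made up for the illustration.

```python
import base64
import hashlib
import hmac
from typing import Callable, Iterator, Optional

# Added example, not code from the article or any vendor: derive a per-device
# admin password from the device's MAC address in two ways and show what an
# attacker who knows only the vendor prefix can do against each.


def _to_password(digest: bytes, length: int = 12) -> str:
    # base32 gives a label-friendly alphabet (A-Z, 2-7) without modulo bias
    return base64.b32encode(digest).decode("ascii")[:length]


def unkeyed_password(mac: str) -> str:
    """MAC -> password with no secret: anyone who learns or enumerates the MAC recomputes it."""
    return _to_password(hashlib.sha256(mac.lower().encode()).digest())


def keyed_password(secret: bytes, mac: str) -> str:
    """MAC -> password under HMAC with a secret held only at the factory; the result is printed on the label."""
    return _to_password(hmac.new(secret, mac.lower().encode(), hashlib.sha256).digest())


def macs_in_oui(oui: str, start: int = 0, count: int = 1 << 24) -> Iterator[str]:
    """Walk a vendor's block: the first three octets are public, the last three are assigned sequentially."""
    prefix = oui.lower().replace(":", "")
    if len(prefix) != 6:
        raise ValueError("OUI must be three octets, e.g. 00:11:22")
    for nic in range(start, min(start + count, 1 << 24)):
        raw = prefix + f"{nic:06x}"
        yield ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def guess_from_oui(oui: str, accepts: Callable[[str], bool],
                   start: int = 0, count: int = 1 << 24) -> Optional[str]:
    """Attacker's loop: try the unkeyed derivation for every MAC in the block.
    `accepts` stands for whatever oracle the attacker has, e.g. a telnet login
    attempt or an offline comparison against a leaked credential."""
    for mac in macs_in_oui(oui, start, count):
        if accepts(unkeyed_password(mac)):
            return mac
    return None


# Constructed device: made-up vendor block 00:11:22, NIC part 0x000abc
DEVICE_MAC = "00:11:22:00:0a:bc"
FACTORY_SECRET = b"example-manufacturer-secret-kept-in-the-provisioning-system"


def demo_unkeyed() -> Optional[str]:
    password = unkeyed_password(DEVICE_MAC)
    # attacker knows only the vendor prefix; the first 4096 NIC values already contain the target
    return guess_from_oui("00:11:22", lambda p: p == password, count=4096)


def demo_keyed() -> Optional[str]:
    password = keyed_password(FACTORY_SECRET, DEVICE_MAC)
    # the same search against the keyed password never matches: the MAC alone is not enough
    return guess_from_oui("00:11:22", lambda p: p == password, count=4096)


if __name__ == "__main__":
    print("unkeyed derivation, MAC recovered by attacker:", demo_unkeyed())
    print("keyed derivation,   MAC recovered by attacker:", demo_keyed())
```

The unkeyed version is recoverable from public information: the first three octets of a MAC name the vendor and the last three are handed out in sequence, so anyone with a login oracle can walk the 2^24 NIC values of one vendor block (the demo searches 4096 of them to stay quick; the full block is a few minutes of hashing). Devices also tend to give their MAC away on the local network through ARP, DHCP and UPnP. Keying the derivation with a secret that never leaves the factory, and printing the resulting password on the device label, keeps the unique-per-device property without that weakness; the same consideration applies to a management-mode token computed from the MAC.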

    3. Re:Transfer the Responsibility by locofungus · · Score: 1

      Make them liable if they do not start patching their own devices.

      Don't necessarily even need the cost to go up.

      Your device is found vulnerable to hackers. a) release a fix or b) release the source code in a form that allows others to fix it.

      In a dream world I could imagine a time where the source code is released with the device. How much IP can there really be in a webcam? The vast majority of the work involved in writing a firmware from scratch would be researching how to address the hardware.

      --
      God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
    4. Re:Transfer the Responsibility by houstonbofh · · Score: 1

      The problem is that like Windows XP in 2001, the minute the thing is connected to the internet it gets re-infected.

      Not if the password is changed like they said in the summary...

    5. Re:Transfer the Responsibility by Rakarra · · Score: 1

      That's the long-term solution, which wouldn't do much for the current problem devices that are out there.

      We'll get over the current problem. We always do.
      But we never seem to get around to that 'long-term solution.'
      I think at this point implementing the long-term solution is more important than stopping the bleeding. Otherwise the neverending cycle will continue.

  2. Brick 'em by duke_cheetah2003 · · Score: 4, Insightful

    The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.

    I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.

    1. Re:Brick 'em by thegarbz · · Score: 2

      People would only move to the next device and it would open the hacker to liabilities.

    2. Re:Brick 'em by Opportunist · · Score: 1

      So people get pissed at the white hats, after all the black hats kept them functional...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Brick 'em by amicusNYCL · · Score: 1

      after all the black hats kept them functional...

      The black hats kept what functional, the devices? What about the rest of the internet? They aren't all that worried about keeping things like DNS servers functional. So maybe your camera gets knocked offline until you figure out how to change the default password so that your camera can stop attacking the internet.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:Brick 'em by Opportunist · · Score: 2

      Welcome to the wonderful world of egoistic, selfish assholes where nobody gives a fuck if the whole world goes to hell as long as my stuff works. And this is how people are, they don't care that they are a danger to the whole internet and them being knocked off is a service to the world. What they care about is their stupid little gimmicky toy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Brick 'em by Obfuscant · · Score: 2

      And this is how people are, they don't care that they are a danger to the whole internet and them being knocked off is a service to the world. What they care about is their stupid little gimmicky toy.

      How people really are is that they don't know what the Internet is so they don't know that their "stupid little gimmicky toy" could possibly be a problem because of some distant and unknown infrastructure issue. It's not a deliberate decision to cause harm, and it's not selfish.

      What you think is a "gimmicky toy" may be a security cam they use to keep track of the house while they're gone because they've had issues before. It certainly is NOT something that was sold with a big warning notice that attaching it to the network in their house, behind a cable router that stops everything else from getting in, will cause death and destruction, or problems of any kind to anyone. They certainly did NOT say "fuck you" to any idea of trouble and forge ahead maliciously.

      And I'd hate to think that maybe they are thinking that YOUR use of the Internet is for "gimmicky toys" like "why do you need to run your own mail server when Gmail does it for free"?

      So, maybe notch the venom down a bit and accept that the problem is not the fault of the people who buy the devices and use them as instructed. People don't need to be, and shouldn't have to be, leet haxor neckbeards with in-depth knowledge of the Internet to use a network-connected device. This is why the idea of having white-hat hackers brick the devices is so tragically wrong. As soon as they start doing that to protect their turf they lose any ethical high ground because they are hurting innocent people and not the ones who produced the faulty devices.

      But they'll all call the manufacturer and complain, right? Probably not. They'll take the thing back to the store they bought it from (also not network experts) and get a new one. When it stops working again, they'll get their money back. They won't search out the manufacturer, and are unlikely to find who actually built and programmed it anyway considering it is probably a Chinese company to start with. For example, I have some internet power switches that I caught sending data off to China. Don't know who, and I have no idea who built them. I know the store I bought them from. That's where the trail to the culprits ends.

    6. Re:Brick 'em by dargaud · · Score: 1

      I'd say turn them off. If by 'brick' you mean make them unusable unless you reflash the firmware, why not simply turn them off? Yes, the owner will notice and turn it back on, but after a few times like that he'll probably send it back to the manufacturer. And you can't be accused of damaging the device for simply turning it off.

      --
      Non-Linux Penguins ?
    7. Re:Brick 'em by duke_cheetah2003 · · Score: 1

      Now your (also appreciated by others) idea:
      - "Let's brick consumer's devices, that'll teach the company!" Sound familiar? (see above)

      No, it won't. It will make regular people mad.

      Yes, it most certainly will. And we all know shit gets done when a large enough group of people are getting mad. I don't wanna teach the 'company,' I want to teach everyone. Security is serious and needs to be taken seriously, and you should have at least somewhat of a clue what the fuck you're doing before you go plugging your garbage into the Internet.

  3. A more amusing approach by somenickname · · Score: 2

    Why not take a more amusing spin on this idea: Tell all the nodes in the botnet to attack 192.168.0.0/16. Basically, have them attack their own local network.

    Then change the telnet password.

    1. Re:A more amusing approach by thegarbz · · Score: 1

      Anytime you start a sentence with "A more amusing" straight away put the word liability after it and then realise it is not an idea that would get you any kudos.

  4. I'm thinking..... by bobbied · · Score: 1

    Convert them to BitCoin mining operations and PROFIT! Yea.....

    Oh, wait....

    Sarcasm aside... As the fine article points out, hacking someone else's device, regardless of the reason, is not a legal activity. And as my mother always said, "two wrongs don't make a right" applies here. While this is an interesting thought experiment, unless you can get the legal authorities to approve this kind of activity, let's not develop this idea too far. Perhaps you'd get by with a way to remove the affliction and reboot the device, as they are likely to never find you, but it would be all too easy to get your hat color misinterpreted should ISPs start monitoring this kind of thing.

    Perhaps it's time to put some legal safeguards in place for users to force device manufacturers into having liability when they ship stuff with gaping holes like this. But I'm not going to hold my breath waiting for Congress to draft and pass anything reasonable in this regard, and I loathe that they would likely make a bloody mess of things if they even tried. Maybe some kind of regulation on ISPs to monitor and deal with such garbage coming from their networks? Again, I wouldn't trust Congress to write that law either.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:I'm thinking..... by moeinvt · · Score: 1

      "hacking someone else's device, regardless of the reason, is not a legal activity"

      I was waiting for this comment. "Access" is the crime regardless of what you do to the system.
      The hacker Max Butler wrote a worm to patch a vulnerability in BIND, but the FBI prosecuted him for "unauthorized access" to government computer systems. "Hey! I made your system MORE secure!" didn't fly as a defense.

  5. Temporarily Brick 'em by Okian+Warrior · · Score: 3, Informative

    The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.

    I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.

    If I understand the process correctly, most hacked IoT devices aren't firmware hacked, the exploits live in volatile memory while the device is powered. The exploit can't get into the firmware because that's much more difficult, and in many cases the firmware is read-only.

    Power cycling the device will clear the hack, but it can be taken over again using the same exploit.

    Bricking the device, or perhaps making the device access an online site intended to catch the owner's attention(*) seems like a reasonable solution when used in concert with all the other solutions - going after the perpetrators legally, going after the device manufacturers, changing net rules to disallow IP address spoofing, and so on.

    (*) Lead to a website with a landing page alerting the owner of the issue, or (for cameras) upload video to the user's account alerting the owner to the issue, and so on.

    1. Re:Temporarily Brick 'em by Anonymous Coward · · Score: 1

      ... perhaps making the device access an online site intended to catch the owner's attention(*) seems like a reasonable solution when used in concert with all the other solutions - going after the perpetrators legally, going after the device manufacturers, changing net rules to disallow IP address spoofing, and so on.

      (*) Lead to a website with a landing page alerting the owner of the issue, or (for cameras) upload video to the user's account alerting the owner to the issue, and so on.

      At last! a constructive use for Goatse.

    2. Re:Temporarily Brick 'em by ceoyoyo · · Score: 1

      It seems like changing the admin password to something random would work perfectly well. If the clueless user needed to change something they'd have to reset to factory defaults and in learning how to do that perhaps they'd learn about changing the password. Likely the vast majority would never even notice.

    3. Re:Temporarily Brick 'em by anegg · · Score: 1

      How about the "Internet Police" take the device into "protective custody" because it's creating a "public nuisance" and "being a threat to public safety". Then charge the original manufacturer a fine each time one of their devices has to be taken into "protective custody" due to a manufacturer's flaw in the device.

      By extension, if the problem device is a problem because of Joe/Jill Homeowner, do the same but charge them the fine, not the manufacturer. A bit murkier to handle since there will be so many Joe/Jill Homeowners and they will be so hard to track down, but perhaps someone can find a good way to handle this.

      Exercise for the reader: Define/organize the "Internet Police" - perhaps it's a division of the FTC (Federal Trade Commission) in the United States, define their scope: devices on IP addresses allocated to entities operating within the United States of America for the US Internet Police, for example. Constrain their duties: the Internet Police are charged with addressing threats to the health and well-being of the Internet caused by poorly configured devices (for example).

  6. This brings back memories by thegarbz · · Score: 1

    Where have I heard of hackers with Chaotic Good before?

    Blaster's worst enemy

  7. Wrong approach by Opportunist · · Score: 2

    Two wrongs don't make a right.

    What we need is to grasp the careless morons that made those devices by the balls and squeeze 'til patches materialize.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Wrong approach by Anonymous Coward · · Score: 1

      Even ignoring the second wrong in such an act, it is still one more step of escalation that in the end is guaranteed to be pointless.

      Once the first wave of white hat intrusions is performed, now begins an arms race such that which ever side exploits a device first and closes the door behind them wins the device.

      There are way more black hats than there are white hats, and the black hats are exponentially better funded, and the majority of the black hats have much more time on their hands.

      Given those odds, the black hats WILL win that war.

      In the end we will be right back where we are now, where the black hats have control over more devices than the white hats have secured, only the black hats will have secured the devices behind them while still having a rootkit installed to do the same actions as right now.

      The only difference will be that the devices won't be fixable after the fact by the white hats, since the door will be closed. The root kitted devices will still be just as capable for DDoS attacks and spam and bouncing to obscure real source IPs as is the case now.

      It really is a pointless bar to raise things to. The problem needs to be solved at its source.

    2. Re:Wrong approach by AHuxley · · Score: 1

      Get AV brands, free and pay to scan every device on the local network by default. Test with all expected passwords and report on junk apps and hardware.
      Ban the IoT apps from cell phones and desktops so users are forced to upgrade, buy new or can't network with a power on.

      --
      Domestic spying is now "Benign Information Gathering"
  8. Send new password to manufacturer? by CannonballHead · · Score: 1

    If they have access to the internet, couldn't manufacturers setup an API endpoint that accepts a serial number and a password... so that the password could be changed and the manufacturer could be sent the new one?

    The owner, when locked out, can call the manufacturer, they can look up the password, etc.

    Not totally sure how one might secure said API so it doesn't just get spammed as well, but... :P

    1. Re:Send new password to manufacturer? by AHuxley · · Score: 1

      If firmware upgrades are that networked, malware will seek the same pathway in and re-update all found devices rather than just swarm networking output.

      --
      Domestic spying is now "Benign Information Gathering"
  9. Umm... by Anonymous Coward · · Score: 1

    "a "good guys" Mirai -- perhaps even controlled by the FBI -- could do the same."

    I think I see a flaw here....

  10. ISPs should blackball insecure devices by Anonymous Coward · · Score: 2, Interesting

    Much easier to have ISPs run an automated white-hat type scan against new devices the first time a home user attempts to connect one to the Internet. This device "registration" process would look for open telnet, insecure hard-coded passwords, etc. Failing devices would be blackballed and confined behind the home router. The ISP could generate a report for the user suggesting corrective action, etc. to fix the offending device. Not perfect, but it would reduce the footprint of low-hanging IoT devices.

    1. Re:ISPs should blackball insecure devices by gweihir · · Score: 2

      You are talking about the same ISPs that are unable to implement egress filtering (a basic requirement for any halfway secure network installation), thereby allowing source-spoofing, right?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
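The summary's description of how Mirai spreads (telnet reachable, factory credential accepted) and comment 10's proposal that an ISP scan a newly attached device for exactly that come down to the same check. Below is an added example of that check; it is not code from the article, from Motherboard, or from any ISP or vendor. The credential list is a small constructed sample (the summary names only "123456" and "password"; the full set ships in Mirai's published source), the 203.0.113.x addresses are documentation space, the FakeDevice class exists only so the audit runs offline, and every function name is made up. Run the live telnet_login only against devices you own or are authorized to test, which is the whole point of the thread.

```python
import socket
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example, not code from the article or any project it names: audit a
# device for the weakness Mirai exploits, a reachable telnet login that accepts
# a factory credential. Constructed sample list; the article names only
# "123456" and "password" and the full set is in Mirai's public source.
DEFAULT_CREDENTIALS: List[Tuple[str, str]] = [
    ("root", "123456"),
    ("root", "password"),
    ("admin", "admin"),
    ("root", "root"),
    ("root", "xc3511"),
    ("root", "vizxv"),
]

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_options(data: bytes) -> bytes:
    """Remove IAC option negotiation so what is left is the banner and the prompts."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break  # truncated IAC at end of buffer
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3  # three-byte option command
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # skip subnegotiation
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] == IAC:
            out.append(IAC)  # escaped literal 0xff
            i += 2
        else:
            i += 2  # any other two-byte command
    return bytes(out)


# A login function returns True (accepted), False (rejected) or None (port closed or
# unreachable, which is also what a device Mirai has already closed telnet on looks like).
LoginFn = Callable[[str, str, str], Optional[bool]]


def telnet_login(host: str, user: str, password: str, port: int = 23, timeout: float = 5.0) -> Optional[bool]:
    """One real login attempt over a raw socket; prompt matching is heuristic (BusyBox-style devices)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            def read_until(markers: Tuple[bytes, ...]) -> bytes:
                buf = b""
                deadline = time.monotonic() + timeout
                while time.monotonic() < deadline and len(buf) < 4096:
                    try:
                        chunk = sock.recv(512)
                    except socket.timeout:
                        break
                    if not chunk:
                        break
                    buf += chunk
                    if any(m in strip_telnet_options(buf).lower() for m in markers):
                        break
                return strip_telnet_options(buf).lower()

            if b"ogin:" not in read_until((b"ogin:",)):
                return False
            sock.sendall(user.encode() + b"\r\n")
            if b"assword" not in read_until((b"assword",)):
                return False
            sock.sendall(password.encode() + b"\r\n")
            reply = read_until((b"#", b"$ ", b"busybox", b"incorrect", b"ogin:"))
            return b"incorrect" not in reply and any(p in reply for p in (b"#", b"$ ", b"busybox"))
    except OSError:
        return None


@dataclass
class Finding:
    host: str
    telnet_open: bool
    accepted: Optional[Tuple[str, str]]  # the factory credential that worked, if any


def audit(host: str, login: LoginFn = telnet_login, creds=DEFAULT_CREDENTIALS) -> Finding:
    """Try each factory credential once; stop at the first hit, or as soon as telnet is unreachable."""
    for user, password in creds:
        result = login(host, user, password)
        if result is None:
            return Finding(host, False, None)
        if result:
            return Finding(host, True, (user, password))
    return Finding(host, True, None)


class FakeDevice:
    """Constructed stand-in for a camera/DVR so the audit can run offline."""
    def __init__(self, user: str, password: str, telnet_open: bool = True) -> None:
        self.user, self.password, self.telnet_open = user, password, telnet_open

    def login(self, host: str, user: str, password: str) -> Optional[bool]:
        if not self.telnet_open:
            return None
        return (user, password) == (self.user, self.password)


if __name__ == "__main__":
    # 203.0.113.x is documentation address space; nothing is contacted here.
    print(audit("203.0.113.10", FakeDevice("root", "xc3511").login))
    print(audit("203.0.113.11", FakeDevice("root", "xc3511", telnet_open=False).login))
    print(audit("203.0.113.12", FakeDevice("root", "S3cure-unique-pw").login))
```

The second fake device is the case the summary warns about: Mirai closes telnet after infecting a host, so a scan that reports "telnet not reachable" cannot tell a hardened device from a compromised one. Since the summary also says the infection lives only in memory and does not survive a reboot, the scan is meaningful as a registration check only if it runs right after a power cycle, and, given the five-minute re-infection estimate, before the device is exposed again.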
  11. I would prefer bricking the devices by gweihir · · Score: 1

    And I think we should make that something globally legal. Put in some safeguards, like a 48h observation period and a requirement to record logs and upload them with your identity to some legal entity that a device owner can then find out from what happened (but not who did it).

    But if that is all fulfilled, make it legal for anyone to secure the hazard presented by these devices. After all, you are allowed, say, to put out a fire by yourself too.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Re:Naive approach by gweihir · · Score: 1

    And yet, if you had read up on Mirai, you would know that after a reboot these devices are open again, because it is memory-only. Talk about posting an irrelevant generic statement because of cluelessness.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Re:How to remove the INJECTED ADS from Slashdot by JustAnotherOldGuy · · Score: 1

    What worked for me was:

    hxxps://slashdot.org/ajax.pl?op=nel

    --
    Just cruising through this digital world at 33 1/3 rpm...
  14. Re:Just have a Democrat do it! by jeremy.brown3327 · · Score: 1

    idiot

  15. Hooray! by Toad-san · · Score: 1

    I for one am VERY glad to see ANY sort of suggested solution to this huge problem. I've always had the motto, "Don't bitch unless you have a solution." I had no solution (other than "sue the careless hardware vendors until they fix it", and that's no solution at all), so I just kept quiet. But this is a good one. Liability be damned: white hats, go for it! Brick them sons of bitches!

    Alternatively, force a second "Internet Of Things" Internet, used ONLY by inhuman devices. If you want to talk to your goddamned front door lock, use THAT Internet. Stay the hell off mine: I need it for WoW!