Slashdot Mirror


How Vigilante Hackers Could Stop the Internet of Things Botnet (vice.com)

An anonymous reader quotes a report from Motherboard: Some have put forth a perhaps desperate -- and certainly illegal -- solution to stop massive internet outages, like the one on Friday, from happening: Have white-hat vigilante hackers take over the insecure Internet of Things that the Mirai malware targets and take them away from the criminals. Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the "bad guys'" Mirai can do it, a "good guys'" Mirai -- perhaps even controlled by the FBI -- could do the same. The biggest technical hurdle to this plan, as F-Secure chief research officer Mikko Hypponen put it, is that once it infects a device, Mirai "closes the barn door behind it." Mirai spreads by scanning the internet for devices that have the old-fashioned remote access telnet protocol enabled and have easy-to-guess passwords such as "123456" or "password." Then, once it infects them, it disables telnet access, theoretically stopping others from doing the same. The good news is that the code that controls this function doesn't always work very well, according to Darren Martyn, a security researcher who has been analyzing the malware and who said he's seen some infected devices that still have telnet enabled and thus can be hacked again. Also, Mirai disappears once an infected device is rebooted, which likely happens often as owners of infected cameras and DVRs try to fix their devices that suddenly have their bandwidth saturated. The bad news is that Mirai spreads so fast that a rebooted, clean device gets re-infected in five minutes, according to the estimates of researchers who've been tracking the botnets. So a vigilante hacker has a small window before the bad guys come back. The other problem is what a do-gooder hacker could do once they took over the botnet.
The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning. The real challenge of this whole scenario, however, is that despite being for good, this is still illegal. "No one has any real motivation to do so. Anyone with the desire to do so, is probably afraid of the potential jail time. Anyone not afraid of the potential jail time...can think of better uses for the devices," Martyn told Motherboard, referring to criminals who can monetize the Mirai botnet.
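The scan-and-log-in step the summary describes (connect to telnet, try a short list of factory credentials, decide from the prompt whether the device let you in) as an added example. This is not code from Motherboard, Slashdot or the Mirai source; the credential list is an illustrative subset, the prompt strings are what a BusyBox telnetd typically prints, and the FakeDevice class is a constructed stand-in so the audit runs offline. Point the real transport only at devices you own or are authorised to test.

```python
"""Telnet default-credential audit of the kind Mirai's scanner performs.
Added example, not code from Motherboard, Slashdot or the Mirai source.
Point it only at devices you own or are authorised to test."""
import socket
import sys

# Assumption: an illustrative subset of factory credentials, not Mirai's list.
DEFAULT_CREDS = [("root", "xc3511"), ("admin", "admin"),
                 ("root", "123456"), ("admin", "password")]
LOGIN_MARKERS = (b"login:", b"username:", b"user:")
PASSWORD_MARKERS = (b"password:",)
SHELL_MARKERS = (b"#", b"$", b">", b"%")
FAIL_MARKERS = (b"incorrect", b"failed", b"denied")
IAC = 0xFF  # telnet "Interpret As Command" byte

def strip_iac(data: bytes) -> bytes:
    """Drop IAC <cmd> <opt> option-negotiation triples (the WILL/DO/DONT/WONT
    exchange a BusyBox telnetd sends) so prompt matching sees only text."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def _has(markers, data: bytes) -> bool:
    low = data.lower()
    return any(m in low for m in markers)

def try_login(transport, user: str, password: str) -> bool:
    """Drive one telnet login; True if a shell prompt follows the password
    instead of a failure message or a fresh login prompt."""
    if not _has(LOGIN_MARKERS, transport.read_until(LOGIN_MARKERS)):
        return False  # nothing that looks like a telnet login prompt
    transport.send(user.encode() + b"\r\n")
    if not _has(PASSWORD_MARKERS, transport.read_until(PASSWORD_MARKERS)):
        return False
    transport.send(password.encode() + b"\r\n")
    reply = transport.read_until(SHELL_MARKERS + FAIL_MARKERS + LOGIN_MARKERS)
    if _has(FAIL_MARKERS, reply) or _has(LOGIN_MARKERS, reply):
        return False
    return _has(SHELL_MARKERS, reply)

def audit(connect, creds=DEFAULT_CREDS):
    """connect() returns a fresh transport per attempt, since a real telnetd
    drops the session after a few failures. Returns the accepted pairs."""
    accepted = []
    for user, password in creds:
        transport = connect()
        try:
            if try_login(transport, user, password):
                accepted.append((user, password))
        finally:
            transport.close()
    return accepted

class SocketTransport:
    """Transport over a real TCP connection to a device's telnet port."""
    def __init__(self, host, port=23, timeout=3.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
    def send(self, data):
        self.sock.sendall(data)
    def read_until(self, markers):
        buf = b""
        while not _has(markers, buf):
            try:
                chunk = self.sock.recv(1024)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += strip_iac(chunk)
        return buf
    def close(self):
        self.sock.close()

class FakeDevice:
    """Constructed in-memory stand-in for a DVR running BusyBox telnetd with
    one factory account, so the audit runs offline. Not a real device."""
    def __init__(self, user=b"root", password=b"xc3511"):
        self.user, self.password = user, password
        # IAC DO ECHO, IAC WILL SUPPRESS-GO-AHEAD, then the login banner
        self.inbox = b"\xff\xfd\x01\xff\xfb\x03DVR login: "
        self.state, self.given_user = "login", b""
    def send(self, data):
        line = data.strip()
        if self.state == "login":
            self.given_user, self.state = line, "password"
            self.inbox += b"Password: "
        elif (self.given_user, line) == (self.user, self.password):
            self.state = "shell"  # the audit sends nothing once it is in
            self.inbox += b"\r\nBusyBox v1.19.4 built-in shell (ash)\r\n\r\n# "
        else:
            self.state = "login"
            self.inbox += b"\r\nLogin incorrect\r\nDVR login: "
    def read_until(self, markers):
        out, self.inbox = strip_iac(self.inbox), b""
        return out
    def close(self):
        pass

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 23
    print(f"{host}:{port} accepted", audit(lambda: SocketTransport(host, port)))
```

Run as `python3 audit.py 192.0.2.10` against a device you control; `audit(FakeDevice)` exercises the same logic offline and reports `[('root', 'xc3511')]`. The prompt heuristics are the weak part, exactly as the summary notes for Mirai itself: a banner containing "#" or the word "failed" will mislead them, which is one reason a device that looks clean to a vigilante's scan may not be.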

10 of 64 comments

  1. Brick 'em by duke_cheetah2003 · · Score: 4, Insightful

    The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.

    I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.

    1. Re:Brick 'em by thegarbz · · Score: 2

      People would only move to the next device and it would open the hacker to liabilities.

    2. Re:Brick 'em by Opportunist · · Score: 2

      Welcome to the wonderful world of egoistic, selfish assholes where nobody gives a fuck if the whole world goes to hell as long as my stuff works. And this is how people are, they don't care that they are a danger to the whole internet and them being knocked off is a service to the world. What they care about is their stupid little gimmicky toy.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Brick 'em by Obfuscant · · Score: 2

      And this is how people are, they don't care that they are a danger to the whole internet and them being knocked off is a service to the world. What they care about is their stupid little gimmicky toy.

      How people really are is that they don't know what the Internet is so they don't know that their "stupid little gimmicky toy" could possibly be a problem because of some distant and unknown infrastructure issue. It's not a deliberate decision to cause harm, and it's not selfish.

      What you think is a "gimmicky toy" may be a security cam they use to keep track of the house while they're gone because they've had issues before. It certainly is NOT something that was sold with a big warning notice that attaching it to the network in their house, behind a cable router that stops everything else from getting in, will cause death and destruction, or problems of any kind to anyone. They certainly did NOT say "fuck you" to any idea of trouble and forge ahead maliciously.

      And I'd hate to think that maybe they are thinking that YOUR use of the Internet is for "gimmicky toys" like "why do you need to run your own mail server when Gmail does it for free"?

      So, maybe notch the venom down a bit and accept that the problem is not the fault of the people who buy the devices and use them as instructed. People don't need to be, and shouldn't have to be, leet haxor neckbeards with in-depth knowledge of the Internet to use a network-connected device. This is why the idea of having white-hat hackers brick the devices is so tragically wrong. As soon as they start doing that to protect their turf they lose any ethical high ground because they are hurting innocent people and not the ones who produced the faulty devices.

      But they'll all call the manufacturer and complain, right? Probably not. They'll take the thing back to the store they bought it from (also not network experts) and get a new one. When it stops working again, they'll get their money back. They won't search out the manufacturer, and are unlikely to find who actually built and programmed it anyway considering it is probably a Chinese company to start with. For example, I have some internet power switches that I caught sending data off to China. Don't know who, and I have no idea who built them. I know the store I bought them from. That's where the trail to the culprits ends.

  2. A more amusing approach by somenickname · · Score: 2

    Why not take a more amusing spin on this idea: Tell all the nodes in the botnet to attack 192.168.0.0/16. Basically, have them attack their own local network.

    Then change the telnet password.

  3. Temporarily Brick 'em by Okian Warrior · · Score: 3, Informative

    The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.

    I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.

    If I understand the process correctly, most hacked IoT devices aren't firmware hacked, the exploits live in volatile memory while the device is powered. The exploit can't get into the firmware because that's much more difficult, and in many cases the firmware is read-only.

    Power cycling the device will clear the hack, but it can be taken over again using the same exploit.

    Bricking the device, or perhaps making the device access an online site intended to catch the owner's attention (*) seems like a reasonable solution when used in concert with all the other solutions - going after the perpetrators legally, going after the device manufacturers, changing net rules to disallow IP address spoofing, and so on.

    (*) Lead to a website with a landing page alerting the owner of the issue, or (for cameras) upload video to the user's account alerting the owner to the issue, and so on.

  4. Wrong approach by Opportunist · · Score: 2

    Two wrongs don't make a right.

    What we need is to grasp the careless morons that made those devices by the balls and squeeze 'til patches materialize.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Re:Transfer the Responsibility by amicusNYCL · · Score: 4, Insightful

    Make them liable if they do not start patching their own devices.

    That's the long-term solution, which wouldn't do much for the current problem devices that are out there.

    Personally, I like the idea of changing the default password. Some people may never see any change, but if someone realizes that they no longer have access to their device then they do a factory reset (1 or more times, depending on how quickly they catch on) before changing the default password themselves.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  6. ISPs should blackball insecure devices by Anonymous Coward · · Score: 2, Interesting

    Much easier to have ISPs run an automated white-hat type scan against new devices the first time a home user attempts to connect one to the Internet. This device "registration" process would look for open telnet, insecure hard coded passwords, etc. Failing devices would be blackballed and confined behind the home router. The ISP could generate a report for the user suggesting corrective action, etc. to fix the offending device. Not perfect, but it would reduce the footprint of low-hanging IoT devices.

    1. Re:ISPs should blackball insecure devices by gweihir · · Score: 2

      You are talking about the same ISPs that are unable to implement egress filtering (a basic requirement for any halfway secure network installation), thereby allowing source-spoofing, right?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
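The source-address filtering gweihir refers to (BCP 38: a packet leaving a customer port must carry a source address the ISP actually assigned to that port), as an added example that is not from the thread. The assignment table, the interface names and the flow records are constructed; the nftables rendering assumes customer ports are distinct interfaces on a box that sits on the path to the core.

```python
"""BCP 38 source-address validation at a customer-facing port.
Added example, not from the thread. The assignment table, interface names
and flow records are constructed; only the ipaddress module is used."""
import ipaddress

# Constructed: customer-facing interface -> prefixes the ISP allocated to it.
ASSIGNED = {
    "cust-a": ["203.0.113.0/28"],
    "cust-b": ["198.51.100.64/26", "2001:db8:1::/48"],
}

def is_spoofed(interface: str, src: str, assigned=ASSIGNED) -> bool:
    """True when a packet entering from `interface` carries a source address
    outside every prefix assigned to it. An unknown interface has no
    assigned prefixes, so everything from it counts as spoofed (fail closed)."""
    addr = ipaddress.ip_address(src)
    nets = (ipaddress.ip_network(p) for p in assigned.get(interface, []))
    return not any(addr in net for net in nets)  # v4-in-v6 membership is False

def nft_ruleset(assigned=ASSIGNED) -> str:
    """Render the same policy as an nftables ruleset (assumption: one inet
    table hooked at prerouting on the box facing the customer ports)."""
    lines = [
        "table inet bcp38 {",
        "  chain from_customers {",
        "    type filter hook prerouting priority raw; policy accept;",
    ]
    for iface, prefixes in assigned.items():
        by_ver = {4: [], 6: []}
        for p in prefixes:
            by_ver[ipaddress.ip_network(p).version].append(p)
        for ver, proto in ((4, "ip"), (6, "ip6")):
            if by_ver[ver]:
                lines.append(
                    f'    iifname "{iface}" {proto} saddr != '
                    f'{{ {", ".join(by_ver[ver])} }} counter drop'
                )
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed flow records: "<ingress interface> <src> -> <dst>"
SAMPLE_FLOWS = [
    "cust-a 203.0.113.5 -> 192.0.2.10",
    "cust-a 192.0.2.77 -> 192.0.2.10",            # not a cust-a address
    "cust-b 198.51.100.70 -> 192.0.2.53",
    "cust-b 203.0.113.5 -> 192.0.2.53",           # cust-a's address from cust-b's port
    "cust-b 2001:db8:1::42 -> 2001:db8:ffff::1",
    "cust-b 2001:db8:9::1 -> 2001:db8:ffff::1",   # outside cust-b's v6 block
]

def find_spoofed(flows, assigned=ASSIGNED):
    """Return (interface, src) for every record the filter would drop."""
    dropped = []
    for rec in flows:
        iface, src, _arrow, _dst = rec.split()
        if is_spoofed(iface, src, assigned):
            dropped.append((iface, src))
    return dropped

if __name__ == "__main__":
    print(nft_ruleset())
    for iface, src in find_spoofed(SAMPLE_FLOWS):
        print(f"drop: {src} entering via {iface}")
```

The rule is deliberately per-port rather than a single "drop anything not in our address space" rule: the second record from cust-b uses a perfectly valid address of this ISP, just not one belonging to that customer, and only the per-port check catches it. The check costs one longest-prefix lookup per packet, which is why the "ISPs can't even manage this" complaint in the comment above is about will, not capacity.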