Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com)

Posted by BeauHD on Friday April 21, 2017 @01:20PM from the unintended-consequences dept.

An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.

88 comments

Min score:

Reason:

Sort:

And nothing of value was lost! by Anonymous Coward · 2017-04-21 13:24 · Score: 0

L0de Radio Hours is one the air!
twitch.tv/l0de
1. Re: And nothing of value was lost! by Anonymous Coward · 2017-04-21 14:43 · Score: 0
  
  Thats a good.way to.end.up.on.someones.radar
2. Re: And nothing of value was lost! by Anonymous Coward · 2017-04-21 15:04 · Score: 0
  
  Only.hack.hakckers hack hacks.
3. Re: And nothing of value was lost! by Anonymous Coward · 2017-04-21 21:52 · Score: 0
  
  How many hacks can a hacker hack, if a hacker can hack hacks?
4. Re:And nothing of value was lost! by Anonymous Coward · 2017-04-22 02:14 · Score: 0
  
  Een Soviet Appistan, the app ees you.
Welchia by Anonymous Coward · 2017-04-21 13:26 · Score: 0

Sounds like Welchia, which was intended to remove and patch against the Blaster worm, but generated so much traffic by scanning for vulnerable systems that it effectively caused denial of service attacks. Using worms to patch vulnerabilities is often a terrible idea.
1. Re:Welchia by gweihir · 2017-04-21 16:59 · Score: 2
  
  People do not learn from history. Most do not even learn from personal experience.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
2. Re: Welchia by tigersha · 2017-04-21 18:35 · Score: 0
  
  It's ok, mr hacker idiot will have enough time to reflect on that in prison
  
  --
  The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
3. Re: Welchia by gweihir · 2017-04-23 02:22 · Score: 1
  
  Since prison or the threat of prison (or even harsher penalties) never did anything to curb crime, I highly doubt that.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Mighty Fine by Anonymous Coward · 2017-04-21 13:28 · Score: 5, Insightful

Doing some righteous work.
If he gets busted... by Type44Q · 2017-04-21 13:33 · Score: 5, Funny

If he gets busted, I'm good for a $20 towards his legal costs... but if he's willing to target all IoT devices, I'll make it a hundred. ;)
1. Re:If he gets busted... by rholtzjr · 2017-04-21 14:02 · Score: 1
  
  It is unfortunate that retribution type attacks are not considered "appropriate". Maybe it is time to fight fire with fire.
2. Re: If he gets busted... by Anonymous Coward · 2017-04-21 14:13 · Score: 4, Insightful
  
  But is this retribution? The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance. If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices. That's the opposite of retribution, if you're actually helping them to increase revenue and profits. Instead, there needs to be consequences for the manufacturers that are serious enough that they are significantly more expensive than the cost of making secure devices.
3. Re: If he gets busted... by Anonymous Coward · 2017-04-21 14:24 · Score: 1, Insightful
  
  they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices.
  People are ignorant about security because they don't care. If their device gets bricked because it's insecure, they'll start caring.
4. Re:If he gets busted... by bill_mcgonigle · 2017-04-21 14:46 · Score: 2
  
  It is unfortunate that retribution type attacks are not considered "appropriate".
  Self-defense is not retribution. Third-party defense is always considered valid when a threat is imminent.
  All the data we have shows that devices that are vulnerable to Mirai, et. al. will become Mirai bots in a short amount of time, and will begin attacking third-party Internet infrastructure.
  If somebody can show the above claim to be false, please do so, showing reason and evidence.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
5. Re: If he gets busted... by bill_mcgonigle · 2017-04-21 14:49 · Score: 5, Insightful
  
  If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer.
  Are you suggesting there are people who will keep buying the same type of e.g. WiFi lightbulbs that work for a couple hours and then stop working, without returning them?
  A return usually costs more than the profit on a device; it's an economically valid feedback mechanism assuming that kind of person isn't actually common. It seems unlikely to me that it is the typical behavior pattern.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
6. Re: If he gets busted... by Alwin+Henseler · 2017-04-21 14:53 · Score: 1, Insightful
  
  The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance.
  
  As those users should be.
  The reason that insecure (or otherwise unreliable) devices are the norm these days, is that a) hardware & software vendors get away with it. And b) most users don't care. Or at least not seem to care enough to change things.
  If a device can be bricked simply by hooking it up to a network, but buyer is too lazy or ignorant to check before buying, then buyer deserves what he gets. If buyer does his/her homework (and finds device is vulnerable), but buys the product anyway, then buyer deserves what he gets.
  That leaves the case where buyer did his homework, product "looks good", but gets bricked anyway. That should be a warranty issue, shifting the burden onto vendors. As it should be.
  So if things like this BrickerBot help to invalidate the "vendor gets away with insecure crap" equation, then please: carry on with the good work!
7. Re: If he gets busted... by Anonymous Coward · 2017-04-21 14:56 · Score: 0
  
  The pentagon ok'd the Internet as a platform of operations so this is entirely possible
8. Re:If he gets busted... by Anonymous Coward · 2017-04-21 15:20 · Score: 1
  
  The thing is, we've all done this.
  I will admit that when WiFi was a new thing, I'd type in the default password to the routers and upgrade the firmware and then secure the admin panel. This was well over 12 years ago, so it's likely those devices have been replaced twice since then, and mostly by ISP-issued routers that have been secured properly.
  So I'd actually encourage more "Brickerbot" type of hacking as long as:
  1. The goal is to secure the device, not destroy it
  2. Destroying the device is the solution of last resort.
  Again, showing how old I am, when dial-up internet was a new thing, many Windows 95/98 and Windows 2000/XP devices were directly on the internet. I rebooted one ISP that had been running backoriface, I also knew that these devices were not secure so would disable things like NetBIOS over tcp/ip of the machines that I could hack into, and since I was also a local technician, also make proactive efforts to prevent these machines from being hacked when they went out, even if they had not asked to be secured.
  Things like "Brickerbot" have existed in some shape since the 90's. It's only in recent memory that devices have become so utterly shitty in default mode that we need to resort to destroying them. Hopefully the direct result of that is that the device is sent back to it's manufacturer is defective, and the manufacturer incurs a loss dealing with them. That is the end goal.
9. Re: If he gets busted... by Anonymous Coward · 2017-04-21 15:45 · Score: 0
  
  Iot.things was.destinesnto be broken
10. Re: If he gets busted... by sconeu · 2017-04-21 15:46 · Score: 1
  
  The reason that insecure (or otherwise unreliable) devices are the norm these days, is that a) hardware & software vendors get away with it. And b) most users don't care. Or at least not seem to care enough to change things.
  
  No, most users don't know enough to care.
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
11. Re: If he gets busted... by Anonymous Coward · 2017-04-21 15:47 · Score: 0
  
  Doesn't that argument imply that targeting someone else's system to deliberately brick it is not a crime? Or do you somehow judge the intent of the bricker?
12. Re: If he gets busted... by Anonymous Coward · 2017-04-21 15:52 · Score: 0
  
  Destroy can never be an option. Someone malicious creates an attack virus, puts it on a few systems, then creates a white-knight bricker using the same exploit and claiming he/she couldn't come up with any better solution.
13. Re: If he gets busted... by anegg · 2017-04-21 16:18 · Score: 1
  
  One way we could look at this is as a cost function on the devices. For a market-based system to work, things have to have costs that ideally reflect their total cost. Cheap IOT devices that are a huge threat to the system don't have an adequate cost assigned to them unless something like this steps in. Perhaps this just evens it up a bit. Carbon tax for IOT?
14. Re:If he gets busted... by suss · 2017-04-21 17:21 · Score: 1
  
  A lot of these things are broken by design and can't be fixed.
  Companies have been dumping IP cameras here for bargain prices right after the vulnerabilities made the news, instead of trying to fix them.
  So now you have a â140 camera you paid â30 for, which has telnet open to the world and announces its local IP to 4 different chinese dyndns servers and neither of these "features" can be disabled...
15. Re: If he gets busted... by Anonymous Coward · 2017-04-21 18:19 · Score: 0
  
  No they won't. Your naivety is astounding.
  if it is that simple there won't be crime anymore....we can just have a police state that hang petty criminals.
16. Re: If he gets busted... by jabuzz · 2017-04-21 18:48 · Score: 1
  
  Yes they can be fixed. Just drop them in a vlan of their own and deny they access to the internet. Plenty of cheap switches these days have vlan support. I got a 16 port gigabit switch for 70gbp from a major switch vendor last year.
17. Re: If he gets busted... by Bert64 · 2017-04-21 21:03 · Score: 2
  
  People buy such devices because they're cheap, if the device gets bricked they won't know how or why it got bricked just that it stopped working... They will either get it replaced under warranty (if there is one), or just write it off and buy a replacement (cheap devices being unreliable is no surprise to anyone).
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
18. Re: If he gets busted... by Anonymous Coward · 2017-04-21 21:05 · Score: 0
  
  Something can both be a crime, and public service, at the same time. Bricking IoT devices before they destroy the internet (which WILL cause loss of life) could easily be both.
19. Re: If he gets busted... by mikael · 2017-04-21 21:57 · Score: 1
  
  I think it's ridiculous that wifi routers have only one password that can be bandied around. Even worse that the default passwords are listed on websites. I think every device that connects should have its own personal password. Does that give me the right to whack out wi-fi routers on these lists?
  Has anyone seen the configuration menus for the firewall tables on these devices? Microsoft puts everything into one giant spreadsheet table; applications vs. user groups and accounts and types of service. Other companies block by port number and inbound/outbound or multicasts/broadcasts and IP bit masks.
  Why can't /etc/hosts redirect or block using bitmasking as well?
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
20. Re:If he gets busted... by mikael · 2017-04-21 21:59 · Score: 1
  
  If you upgraded the firmware on a Cisco router, you would find that you could only configure it through the cloud.
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
21. Re: If he gets busted... by Bert64 · 2017-04-21 22:02 · Score: 1
  
  Intent is often taken into account, for instance carrying a knife isn't illegal unless you intended to use it for illegal purposes - you might be intending to use it for cooking etc.
  You could argue that by bricking these insecure devices, you were attempting to prevent other more serious crimes from taking place.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
22. Re: If he gets busted... by Anonymous Coward · 2017-04-21 23:00 · Score: 0
  
  What kinda Klingon bullshit is this
23. Re: If he gets busted... by Anonymous Coward · 2017-04-22 00:49 · Score: 0
  
  How old you are and dial-up being new, and mention Windows 95 and XP? Ha!
  Dial-up being new would have been in at least the 3.1 days using Trumpet Winsock and the like (and when earlier OS's existed depending on your definition of dial-up).
24. Re:If he gets busted... by rholtzjr · 2017-04-22 01:56 · Score: 2
  
  That does not excuse the attack on someone else property (even if they are stupid) due to an inherent flaw in it's design. This has already been somewhat questioned.
  
  The law forbids hacking, even in self-defense. The report mentioned the Computer Misuse Act in the UK and the Computer Fraud and Abuse Act in the US as examples of legal roadblocks preventing private hackback operations.
  Reference here
  While I would not be adverse to removing said devices from the bot pool permanently, but there may be legalities involved.
25. Re: If he gets busted... by Anonymous Coward · 2017-04-22 01:58 · Score: 0
  
  Vigilantism is still illegal in the US. Breaking the law to stop others from breaking the law is not a proper excuse.
  You are stealing from people by kntentionally brick g their devices.
26. Re: If he gets busted... by Anonymous Coward · 2017-04-22 02:38 · Score: 1
  
  So by that logic, if you buy a home that has a construction defect that causes a collapse that injures a family member, it's your fault right. Same thing you are arguing. People have different knowledge bases. One day you may realize that it is not the fault nor the responsibility of the buyer to have the level of knowledge you assume.
27. Re: If he gets busted... by gnasher719 · 2017-04-22 03:18 · Score: 2
  
  If a device can be bricked simply by hooking it up to a network, but buyer is too lazy or ignorant to check before buying, then buyer deserves what he gets. If buyer does his/her homework (and finds device is vulnerable), but buys the product anyway, then buyer deserves what he gets.
  If a hacker causes massive damage, and is too lazy or ignorant to check that he or she might be jailed for causing that damage, then the hacker deserves what he gets. If the hacker does his/her homework (and finds there's the risk of jail time) and causes the damage anyway, then the hacker deserves what he gets.
28. Re: If he gets busted... by Anonymous Coward · 2017-04-22 03:49 · Score: 0
  
  See Star Trek TNG S1E8: "Justice". In a world where even minor crimes are punished by death, very little crime occurrs.
29. Re: If he gets busted... by Anonymous Coward · 2017-04-22 03:59 · Score: 0
  
  And yet justifiable homocide is defined as killing somebody who was committing a felony.
30. Re: If he gets busted... by Anonymous Coward · 2017-04-22 05:09 · Score: 0
  
  Idiot. That's an episode of a television program, written by writers. The planet you describe does not exist.
31. Re: If he gets busted... by Anonymous Coward · 2017-04-22 05:15 · Score: 0
  
  No writer can imagine that. They clearly had the idea after visiting the planet.
32. Re: If he gets busted... by Anonymous Coward · 2017-04-22 05:31 · Score: 0
  
  And if you actually watch the episode you'll see one of the 'morals of the story' is just how fucking stupid that approach actually is.
33. Re: If he gets busted... by Anonymous Coward · 2017-04-22 05:34 · Score: 0
  
  Bullshit. 'Justifiable homicide' is usually restricted more toward things like defending *yourself* from a *lethal* threat from another. If I see a major drug deal going down somewhere, and pull out a gun and shoot the dealer, I'm not going to get off scot-free just because that person was committing a felony. The law doesn't give me the right to step in with lethal force against any random crime I happen to see in progress.
34. Re: If he gets busted... by Anonymous Coward · 2017-04-22 07:28 · Score: 0
  
  Maybe, but most consumers, even if they're ignorant of why their device stops working will start associating it with the company if they've had 3-4 bad experiences with the same device one after the other.
  They might not know why it's failing, but they'll at the very least assume it's shoddy workmanship (which isn't far from the truth honestly.) and start to buy a different brand.
35. Re: If he gets busted... by JThundley · 2017-04-22 07:39 · Score: 1
  
  They might buy a second to replace the first, but will they buy a third? IOT manufacturers might see short-term profits, but they won't last when users finally get wary of buying IOT devices, or at least take security into consideration before they do.
  It'll take time, but it'll happen.
36. Re: If he gets busted... by Miamicanes · 2017-04-22 10:10 · Score: 1
  
  Or they use something like WizNet's serial/SPI/I2C-to-UDP boards, whose 'security' can be bruteforced by anyone within a few hours.
37. Re: If he gets busted... by Anonymous Coward · 2017-04-22 14:43 · Score: 0
  
  And in this case there wasnt even a crime in progress, and nobody needed his kind of "help".
38. Re: If he gets busted... by xanadu-xtroot.com · 2017-04-22 14:55 · Score: 1
  
  I work for a prominent IoT company and I agree with this. Additional in-house security via ZWave, etc, is good. Having every damn thing you own directly accessible from the internet is just plain stupid. M.
  
  --
  I'm not a prophet or a stone-age man,
  I'm just a mortal with potential of a super man.
39. Re: If he gets busted... by nasch · 2017-04-22 16:11 · Score: 1
  
  If the cost were put on the manufacturer, yes. This is just shifting negative externalities around and hoping that helps, without knowing if it will or not.
40. Re: If he gets busted... by nasch · 2017-04-22 16:14 · Score: 1
  
  I think every device that connects should have its own personal password.
  The problem with that is if you forget the password and have lost your documentation, your device is now inaccessible to you. After that happens once, the vast majority of customers will permanently avoid that brand and go with someone who has a default username and password. Your suggestion would be market suicide.
41. Re: If he gets busted... by Anonymous Coward · 2017-04-23 04:27 · Score: 0
  
  But the core central idea behind being a CEO is "maximize profits for the next two quarters at the expense of everything else"
  
  The threat of complete destruction does not in any way influence their behaviors. That's why you see CEOs slashing the R&D budgets, firing all the experienced engineers, etc. Profits go up, they claim a win, they leave to do the same thing to another company, the company files bankruptcy 9 months later and it gets blamed on the new CEO, not the one who broke all the supports out.
  
  It matters to consumers and employees if a company is around in 1 year. It doesn't matter to the decision makers one bit.
42. Re: If he gets busted... by ilsaloving · 2017-04-23 07:07 · Score: 1
  
  Some might. Some will simply shift the blame because they refuse to accept that they are in any way responsible for the situation. I had such a thing happen with a neighbour whose internet had been cut off because his machine had been infected and was spewing spam.
  He was irate that the ISP didn't protect him from this and felt he was being unfairly penalized, and wouldn't budge no matter how much I tried to explain to him that the computer was his property and he was responsible for maintenance and security. Eventually I told him that the only option was to backup any critical data and completely reformat his hard drive, and that there was nothing else I could do for him.
  Every word that came out of his mouth made me less and less sympathetic to him, to the point where I hoped he was never able to access the internet again. People like that are beyond help. The only thing you can do is isolate them so they don't hurt others.
43. Re:If he gets busted... by ilsaloving · 2017-04-23 07:22 · Score: 1
  
  That may well be true, except there's one critical problem
  Individuals who do not do their due diligence, who do not take the necessary steps to secure their property so that it doesn't cause harm to others, are *not* in any way liable for the damage they cause. Because they arn't liable, they don't give a shit, and won't make attempts to rectify the situation. The manufacturers are not liable for putting out insecure crap. Because they arn't liable, they don't give a shit, and won't make attempts to rectify the situation.
  And so vigilantism like this becomes inevitable, because the law isn't doing fuck all about the actual problem.
  There are going to be bad actors. There are *always* going to be bad actors. Whether it's individual, terrorist organization, or even governments, there will always be someone pumping out this kind of malware. This is not an argument of blaming the victim vs blaming the offender. This isn't analogous to some petty crime. This is close to war than anything else. And as anyone (should) knows, there are no rules in war. There are only the survivors and the dead.
  You either defend against it, or you get steamrolled by the inevitable. You may still get steamrolled even if you defend against it, but the point is that you have to at least try because if you don't you *will* be compromised, and your devices *will* be used to harm others.
  If you do not at least try to secure your devices, then IMO you are as liable for the damage they cause as if you performed the act yourself, in the same way that you are still responsible if you leave a loaded gun on the sidewalk in a crime-ridden neighbourhood.
44. Re: If he gets busted... by Orgasmatron · 2017-04-23 10:16 · Score: 1
  
  Put a sticker on it.
  I helped a friend set up his new router recently. Common brand, I forget which. The serial number sticker also had a password on it. If you went through the hardware reset process, the default password was the one on the sticker. In most cases, this would require paying an extra couple of cents for a serialized flash chip and a few minutes to add a routine to the reset code to generate the password based on the flash chip's serial number.
  
  --
  See that "Preview" button?
45. Re: If he gets busted... by nasch · 2017-04-23 10:33 · Score: 1
  
  Yeah that works if it's labeled on the device. Maybe that will catch on.
46. Re: If he gets busted... by n329619 · 2017-04-23 18:32 · Score: 1
  
  They won't know why it got bricked except for one thing, that "It was cheap". When the consumer find that the reliability is no longer worth the cheap cost investment they've added, they will start to look for other more reliable IoT, which in this case it would be more secured IoT that doesn't brick.
  This happens a lot in Mainland China. One example is when they found out the cheap baby formula were poisonous. It caused a rushed in to buy high cost and high quality baby formulas while dropping cheap baby formulas.
47. Re: If he gets busted... by Anonymous Coward · 2017-04-23 21:23 · Score: 0
  
  Shut up Wesley.
48. Re:If he gets busted... by tlhIngan · 2017-04-24 04:09 · Score: 1
  
  Self-defense is not retribution. Third-party defense is always considered valid when a threat is imminent.
  All the data we have shows that devices that are vulnerable to Mirai, et. al. will become Mirai bots in a short amount of time, and will begin attacking third-party Internet infrastructure.
  If somebody can show the above claim to be false, please do so, showing reason and evidence.
  But in many jurisdictions there can be limits to what you can claim as self-defense. For example, shooting a burglar running away will actually land you with manslaughter or attempted manslaughter charges in quite a few places. The response has to be measured and not excessive.
  So depending on where you are, a vulnerable IoT device that getws bricked without being a part of a botnet might be seen as an excessive response, especially if you can do a more measured one instead (e.g., disable routing so it cannot get on the internet, or simply disabling it with a warning). Destroying it or bricking it may be seen as excessive. Now, if it was participating in the botnet, then maybe bricking it can be seen as an appropriate response.
Golf clap! by Anonymous Coward · 2017-04-21 13:38 · Score: 1

Nicely done sir or madam, intentionally or not.
Commode bricked by Anonymous Coward · 2017-04-21 14:01 · Score: 0

When I found out my Wifi commode was hacked, I shit a brick!
And it was broadcast live on ChinaPorn. by Grog6 · 2017-04-21 14:33 · Score: 1

You just gave it away for free! :)

--
Truth isn't Truth - Guliani
There is a time for everything. by Gravis+Zero · 2017-04-21 14:45 · Score: 1, Interesting

I guess it is time.

--
Anons need not reply. Questions end with a question mark.
"Destroyed" is such a harsh term... by hackwrench · 2017-04-21 15:19 · Score: 1

... Why, I bet one firmware replacement and they're good as new. Getting one on the other hand... I marked this "slow news day".
1. Re: "Destroyed" is such a harsh term... by Anonymous Coward · 2017-04-21 16:48 · Score: 0
  
  its an established term and fits. ever here of a bricked phone(not physically damaged) a firmware and or software injection would probably get it going. but your right to an extent they were not fried or anything.
2. Re: "Destroyed" is such a harsh term... by hackwrench · 2017-04-21 18:09 · Score: 1
  
  And the group it is established among is the sensationalizers.
3. Re: "Destroyed" is such a harsh term... by Immerman · 2017-04-22 02:50 · Score: 1
  
  In my experience "bricked" refers fairly exclusively to a non-recoverable state - at least through "normal" means. E.g. you've borked the firmware badly enough that you can no longer install the updates that would repair it. Hence things like "unbrickable" motherboards that have a second back-up BIOS in case something goes wrong when updating the primary one.
  Granted, often times there's internal diagnostic pins that can be accessed by sufficiently knowledgeable individuals with the right equipment in order to get things working again - but it's not something your average firmware-updating geek is going to be prepared for.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
4. Re: "Destroyed" is such a harsh term... by Miamicanes · 2017-04-22 10:21 · Score: 1
  
  plus, "JTAG" is very implementation-dependent. AFAIK, for example, you can't use an Atmel JTAG-Ice200 to reflash anything besides specific Atmel MCUs. Want to reflash a PIC? You need to buy yet another proprietary JTAG programmer. And so on, for every common microcontroller family. And if some third-party (Keil?) DOES make a multi-platform JTAG, it will be (a) mind-blowingly expensive (like almost every 'pro-grade' tool for non-hobby embedded development), (b) suck, or (c) both.
Not a permanent solution. by Gravis+Zero · 2017-04-21 15:25 · Score: 5, Insightful

The problem with this solution is that the companies are not getting the negative finacial feedback (punishment) that they need to correct their behavior.
I've said it before but it's worth repeating.
IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.
The best option is to high jack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

--
Anons need not reply. Questions end with a question mark.
1. Re:Not a permanent solution. by Anonymous Coward · 2017-04-21 16:42 · Score: 0
  
  It's worse than that, really. By destroying the devices that the customers have already paid for, they are likely forced to buy a new one... which is positive reinforcement for the IoT vendors.
  Therefore, they have financial incentive NOT to patch their devices with solutions like this one.
2. Re: Not a permanent solution. by Anonymous Coward · 2017-04-21 19:11 · Score: 1, Insightful
  
  You know there is a thing called warranty (at least in EU) that last at least 2 years. If it doesn't work anymore you bring it back to the manufacturer/seller and they have to deal with it.
3. Re: Not a permanent solution. by Anonymous Coward · 2017-04-21 19:30 · Score: 0
  
  If these companies aren't responsible for the device's security, then such breaches falls outside the warranty.
  You can't have the cake and eat it too.
4. Re: Not a permanent solution. by flux · 2017-04-21 20:05 · Score: 2
  
  The company is responsible for the device working. Obviously they are not responsible for ie. resetting passwords the customer forgot.
  And who is to tell why the device doesn't boot up anymore? They are, and investigating is likely going to mean having an engineer spend time with the device. And that costs money.
  And if the device is cleaned wipe, there is really no proof that the client had done anything bad regarding its securing. It's not going to be an easy situation for a company to handle a sudden surge of 10000 warranty repairs.
He'll get 27 years in jail by Anonymous Coward · 2017-04-21 15:35 · Score: 0

They just prosecuted one of the Russian hackers (grabbing him in while he was on holiday in the Maldives).... he got a sentence of 27 years.
I think this mans "I'm doing it for good" argument is more an "oh shit they found me, better justify it" sort of claim, rather than any serious attempt to justify his actions.
I don't think the righteous claim will work. He's probably bricked a few security devices and cameras, and there will be sob stories for those that work against him. He'd be better shutting up until they actually arrest him, and he gets a lawyer.
1. Re:He'll get 27 years in jail by monkeyzoo · 2017-04-21 22:13 · Score: 3, Interesting
  
  Definitely righteous work:
  1) Protecting individuals and society from the harms of shoddy IOT devices. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware? At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet. The greater good is served in any case by society as a whole being protected from weaponized IOT devices.
  2) Creating economic imperatives for the companies producing them to design in security. The immediate impact of brickerbot would hopefully be that companies face immediate PR blowback that kills sales when they release shoddy devices that are vulnerable. And over time such products that suffer widespread vulnerabilites to brickage will be tarnished by consumers on the marketplace, and the manufacturers will learn that to make any money they need to pay attention to implementing security precautions.
Linux by Anonymous Coward · 2017-04-21 16:14 · Score: 0

LOLs.. should have gone with Windows Embedded....
Doing the Lord's work by Anonymous Coward · 2017-04-21 16:40 · Score: 1

I appreciate his kind, selfless effort to save people from their insecure devices by bricking them.
I have undertaken the same effort in the physical security realm. I go to the front door of people's houses, and if I can easily pick the lock, I steal everything in their house, because otherwise a real thief would take it all. I am doing the owners a favor.
1. Re: Doing the Lord's work by tigersha · 2017-04-21 18:40 · Score: 1
  
  And the idiots on /. Will cheer you on as you go
  
  --
  The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
2. Re:Doing the Lord's work by Anonymous Coward · 2017-04-21 21:14 · Score: 0
  
  Invalid analogy. If I leave my door unsecure, a possibility is that someone comes in and steals all my shit, which hurts me. If instead the MOST likely scenario to an unsecure front door was that my house was snuck into by a paramilitary organization which lobs bombs at hospitals, then me being lazy would be MOST likely to hurt someone else, and I'm unwittingly abetting them. Shifting the cost that I'm artificially externalizing right back to me may needs be against the law, but the morality is a lot more complex. The IoT risk is that botnets increase censorship dramatically (controversial websites can be kicked offline), decrease privacy dramatically (most connections suddenly have to go through cloudflare), increase second order risks of this centralization (now that cloudflare is handling traffic, why not ask them to block pirate-friendly sites, or sites that have political views opposed to whomever is in control of the police), risk serious amounts of productivity (plenty of internet connected infrastructure), and actually risk lives (plenty of internet connected medical infrastructure).
3. Re:Doing the Lord's work by Immerman · 2017-04-22 02:56 · Score: 1
  
  A more accurate analogy would be trying to "pick the lock" in a bad neighborhood by rattling the door knob a few times, and if that opened it you then lock it again and fill it with epoxy, so that the insecure entry point is now permanently sealed against further intrusion.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
I see hard prison time in his future by Anonymous Coward · 2017-04-21 17:17 · Score: 3, Insightful

Sorry dude, I agree that IoT is a bad idea as currently implemented, but crime isn't the way to bring about the change you want.
You are now seen as a threat to national security.
You will go to prison for millions of counts of whatever they feel like charging you with, especially now that you've admitted it.
And no, they're not going to give you a million concurrent 5-year sentences. You're going to get life without parole. Sucks to be you.
1. Re:I see hard prison time in his future by Anonymous Coward · 2017-04-21 19:13 · Score: 0
  
  Oh yeah. They're definetely looking for him, that's for sure.
2. Re:I see hard prison time in his future by Anonymous Coward · 2017-04-21 22:41 · Score: 0
  
  You say that his approach is not the way to bring about change with respect to IoT security.
  Well, what is the right way to do it? Educate the consumer? Forget it, been tried more than once, hasn't worked yet. Regulation? You don't really want that... Have the ISP take accounts with botnet members offline until fixed? That would cost them money and not the owner of the compromised IoT device. It's also not always possible to determine, compromised devices no longer saturate the uplink, so you might take an innocent customer offline.
Good! Fuck iot! by Anonymous Coward · 2017-04-22 00:09 · Score: 0

Fuck the whole shitty concept.
Good feedback! by Dr.+Crash · 2017-04-22 02:38 · Score: 1

Bricking insecure devices has a nice upshot - the cost of a returned device isn't just the profit - because all of the handling and
coping has to be done (so far) by a human, the actual _cost_ to the distributor or manufacturer of a failed device is often the
loss of profit on the whole minimum order quantity to the distributor - the whole crate.
That's why if you get a DOA item from Amazon, they often don't even want it back, they send you another on your word of
honor- not because they're so nice, but because (absent evidence of fraud) IT'S CHEAPER TO JUST SEND ANOTHER
RATHER THAN RECEIVING THE ORIGINAL DOA UNIT BACK AND DISPOSING OF IT UNTESTED. It's not free, just cheaper.
But just because it's cheaper, doesn't make it nonzero. Every bricked device replaced under warranty costs $$ and every
device that fails, in warranty or out, costs reputation. How much would you pay for an iPhone if the battery stopped
holding charge after between three days and six months of use?
Bottom line: it's damn expensive to adequately secure an already-damn-expensive IoT light bulb. And as BrickerBot
expands (and no doubt improves, just as the original chemotherapy drugs were improved) the cost to make a secure
IoT device is going to skyrocket.
Which may effectively doom IoT for consumers. Industrial IoT is a different game with different rules and the most
important is that airgapping is feasible.
1. Re:Good feedback! by west · 2017-04-23 00:37 · Score: 1
  
  Which may effectively doom IoT for consumers.
  I suspect that's the idea. If you have something that's cheap and "weaponizable", then society often ends up restricting them in one fashion or another. What's different about the Internet is that the damage one can do isn't geographically restricted, making control a lot harder.
  At least in the mind of its creator, something like "BrickerBot" may be the only way to raise the cost of ownership high enough to prevent destruction of the Internet.
  I'm constantly amazed that in a flash of misanthropy, someone hasn't built a "BrickerBot" for PCs. These machines are unlikely to be restored (they're generally owned by non-techies with very limited resources) and the maker could easily use the same justification as BrickerBot.
  Just to be clear, I still strongly disapprove of BrickerBot.
2. Re:Good feedback! by ilsaloving · 2017-04-23 07:34 · Score: 1
  
  Which may effectively doom IoT for consumers.
  You say that as if it's a bad idea.
  It's one thing to empower the average person with technology. It's another thing if you simply vomit fancy gizmos on a public that isn't skilled or responsible enough to use them properly.
  I mean, we have people who still refuse to accept evolution exists. Or think that vaccines cause autism because some celebrity told them so. Or hell, actually think the world is flat. These people by definition do not have the knowledge and critical thinking skills necessary to use advanced technology. So maybe they shouldn't get to use it at all.
It's a good thing by allo · 2017-04-22 05:34 · Score: 1

because it shifts the burden from the user who says "i do not care about dDoSing somebody else" to the producer, who says "i cannot afford angry customers".