Slashdot Mirror
Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com)
An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.
Doing some righteous work.
But is this retribution? The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance. If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices. That's the opposite of retribution, if you're actually helping them to increase revenue and profits. Instead, there needs to be consequences for the manufacturers that are serious enough that they are significantly more expensive than the cost of making secure devices.
they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices.
People are ignorant about security because they don't care. If their device gets bricked because it's insecure, they'll start caring.
If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer.
Are you suggesting there are people who will keep buying the same type of e.g. WiFi lightbulbs that work for a couple hours and then stop working, without returning them?
A return usually costs more than the profit on a device; it's an economically valid feedback mechanism assuming that kind of person isn't actually common. It seems unlikely to me that it is the typical behavior pattern.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance.
As those users should be.
The reason that insecure (or otherwise unreliable) devices are the norm these days, is that a) hardware & software vendors get away with it. And b) most users don't care. Or at least not seem to care enough to change things.
If a device can be bricked simply by hooking it up to a network, but buyer is too lazy or ignorant to check before buying, then buyer deserves what he gets. If buyer does his/her homework (and finds device is vulnerable), but buys the product anyway, then buyer deserves what he gets.
That leaves the case where buyer did his homework, product "looks good", but gets bricked anyway. That should be a warranty issue, shifting the burden onto vendors. As it should be.
So if things like this BrickerBot help to invalidate the "vendor gets away with insecure crap" equation, then please: carry on with the good work!
The problem with this solution is that the companies are not getting the negative finacial feedback (punishment) that they need to correct their behavior.
I've said it before but it's worth repeating.
IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.
The best option is to high jack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)
Anons need not reply. Questions end with a question mark.
Sorry dude, I agree that IoT is a bad idea as currently implemented, but crime isn't the way to bring about the change you want.
You are now seen as a threat to national security.
You will go to prison for millions of counts of whatever they feel like charging you with, especially now that you've admitted it.
And no, they're not going to give you a million concurrent 5-year sentences. You're going to get life without parole. Sucks to be you.