Slashdot Mirror

← Back to Stories (view on slashdot.org)

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com)

Posted by BeauHD on from the unintended-consequences dept.

An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.

13 of 88 comments (clear)

  1. Mighty Fine by Anonymous Coward · · Score: 5, Insightful

    Doing some righteous work.

  2. If he gets busted... by Type44Q · · Score: 5, Funny

    If he gets busted, I'm good for a $20 towards his legal costs... but if he's willing to target all IoT devices, I'll make it a hundred. ;)

    1. Re: If he gets busted... by Anonymous Coward · · Score: 4, Insightful

      But is this retribution? The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance. If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices. That's the opposite of retribution, if you're actually helping them to increase revenue and profits. Instead, there needs to be consequences for the manufacturers that are serious enough that they are significantly more expensive than the cost of making secure devices.

    2. Re:If he gets busted... by bill_mcgonigle · · Score: 2

      It is unfortunate that retribution type attacks are not considered "appropriate".

      Self-defense is not retribution. Third-party defense is always considered valid when a threat is imminent.

      All the data we have shows that devices that are vulnerable to Mirai, et. al. will become Mirai bots in a short amount of time, and will begin attacking third-party Internet infrastructure.

      If somebody can show the above claim to be false, please do so, showing reason and evidence.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re: If he gets busted... by bill_mcgonigle · · Score: 5, Insightful

      If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer.

      Are you suggesting there are people who will keep buying the same type of e.g. WiFi lightbulbs that work for a couple hours and then stop working, without returning them?

      A return usually costs more than the profit on a device; it's an economically valid feedback mechanism assuming that kind of person isn't actually common. It seems unlikely to me that it is the typical behavior pattern.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re: If he gets busted... by Bert64 · · Score: 2

      People buy such devices because they're cheap, if the device gets bricked they won't know how or why it got bricked just that it stopped working... They will either get it replaced under warranty (if there is one), or just write it off and buy a replacement (cheap devices being unreliable is no surprise to anyone).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:If he gets busted... by rholtzjr · · Score: 2

      That does not excuse the attack on someone else property (even if they are stupid) due to an inherent flaw in it's design. This has already been somewhat questioned.

      The law forbids hacking, even in self-defense. The report mentioned the Computer Misuse Act in the UK and the Computer Fraud and Abuse Act in the US as examples of legal roadblocks preventing private hackback operations.

      Reference here

      While I would not be adverse to removing said devices from the bot pool permanently, but there may be legalities involved.

    6. Re: If he gets busted... by gnasher719 · · Score: 2

      If a device can be bricked simply by hooking it up to a network, but buyer is too lazy or ignorant to check before buying, then buyer deserves what he gets. If buyer does his/her homework (and finds device is vulnerable), but buys the product anyway, then buyer deserves what he gets.

      If a hacker causes massive damage, and is too lazy or ignorant to check that he or she might be jailed for causing that damage, then the hacker deserves what he gets. If the hacker does his/her homework (and finds there's the risk of jail time) and causes the damage anyway, then the hacker deserves what he gets.

  3. Not a permanent solution. by Gravis+Zero · · Score: 5, Insightful

    The problem with this solution is that the companies are not getting the negative finacial feedback (punishment) that they need to correct their behavior.

    I've said it before but it's worth repeating.

    IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.

    The best option is to high jack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: Not a permanent solution. by flux · · Score: 2

      The company is responsible for the device working. Obviously they are not responsible for ie. resetting passwords the customer forgot.

      And who is to tell why the device doesn't boot up anymore? They are, and investigating is likely going to mean having an engineer spend time with the device. And that costs money.

      And if the device is cleaned wipe, there is really no proof that the client had done anything bad regarding its securing. It's not going to be an easy situation for a company to handle a sudden surge of 10000 warranty repairs.

  4. Re:Welchia by gweihir · · Score: 2

    People do not learn from history. Most do not even learn from personal experience.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. I see hard prison time in his future by Anonymous Coward · · Score: 3, Insightful

    Sorry dude, I agree that IoT is a bad idea as currently implemented, but crime isn't the way to bring about the change you want.
    You are now seen as a threat to national security.

    You will go to prison for millions of counts of whatever they feel like charging you with, especially now that you've admitted it.
    And no, they're not going to give you a million concurrent 5-year sentences. You're going to get life without parole. Sucks to be you.

  6. Re:He'll get 27 years in jail by monkeyzoo · · Score: 3, Interesting

    Definitely righteous work:

    1) Protecting individuals and society from the harms of shoddy IOT devices. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware? At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet. The greater good is served in any case by society as a whole being protected from weaponized IOT devices.

    2) Creating economic imperatives for the companies producing them to design in security. The immediate impact of brickerbot would hopefully be that companies face immediate PR blowback that kills sales when they release shoddy devices that are vulnerable. And over time such products that suffer widespread vulnerabilites to brickage will be tarnished by consumers on the marketplace, and the manufacturers will learn that to make any money they need to pay attention to implementing security precautions.