Slashdot Mirror

← Back to Stories (view on slashdot.org)

Developer of BrickerBot Malware Claims He Destroyed Over Two Million Devices (bleepingcomputer.com)

Posted by BeauHD on from the unintended-consequences dept.

An anonymous reader writes: In an interview today, the author of BrickerBot, a malware that bricks IoT and networking devices, claimed he destroyed over 2 million devices, but he never intended to do so in the first place. His intentions were to fight the rising number of IoT botnets that were used to launch DDoS attacks last year, such as Gafgyt and Mirai. He says he created BrickerBot with 84 routines that try to secure devices so they can't be taken over by Mirai and other malware. Nevertheless, he realized that some devices are so badly designed that he could never protect them. He says that for these, he created a "Plan B," which meant deleting the device's storage, effectively bricking the device. His identity was revealed after a reporter received an anonymous tip about a HackForum users claiming he was destroying IoT devices since last November, just after BrickerBot appeared. When contacted, BrickerBot's author revealed that the malware is a personal project which he calls "Internet Chemotherapy" and he's "the doctor" who will kill all the cancerous unsecured IoT devices.

7 of 88 comments (clear)

  1. Mighty Fine by Anonymous Coward · · Score: 5, Insightful

    Doing some righteous work.

  2. If he gets busted... by Type44Q · · Score: 5, Funny

    If he gets busted, I'm good for a $20 towards his legal costs... but if he's willing to target all IoT devices, I'll make it a hundred. ;)

    1. Re: If he gets busted... by Anonymous Coward · · Score: 4, Insightful

      But is this retribution? The problem is that manufacturers don't secure the IoT devices they produce, and that's who your ire should be directed at. However, this punishes the users who purchased those devices, usually out of ignorance. If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer. It's possible that this may actually drive sales for manufacturers who produce poorly secured IoT devices. That's the opposite of retribution, if you're actually helping them to increase revenue and profits. Instead, there needs to be consequences for the manufacturers that are serious enough that they are significantly more expensive than the cost of making secure devices.

    2. Re: If he gets busted... by bill_mcgonigle · · Score: 5, Insightful

      If users have their devices bricked, they may simply buy another vulnerable IoT device to replace it, perhaps from the same manufacturer.

      Are you suggesting there are people who will keep buying the same type of e.g. WiFi lightbulbs that work for a couple hours and then stop working, without returning them?

      A return usually costs more than the profit on a device; it's an economically valid feedback mechanism assuming that kind of person isn't actually common. It seems unlikely to me that it is the typical behavior pattern.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. Not a permanent solution. by Gravis+Zero · · Score: 5, Insightful

    The problem with this solution is that the companies are not getting the negative finacial feedback (punishment) that they need to correct their behavior.

    I've said it before but it's worth repeating.

    IoT vendors will only secure their devices after it starts costing them money or are legally required to do so.

    The best option is to high jack the IoT devices to DDoS their makers because it creates a direct feedback loop. The more insecure devices they sell, the more it will cost them to host their company's website(s). For extra points, only target their parent company. ;)

    --
    Anons need not reply. Questions end with a question mark.
  4. I see hard prison time in his future by Anonymous Coward · · Score: 3, Insightful

    Sorry dude, I agree that IoT is a bad idea as currently implemented, but crime isn't the way to bring about the change you want.
    You are now seen as a threat to national security.

    You will go to prison for millions of counts of whatever they feel like charging you with, especially now that you've admitted it.
    And no, they're not going to give you a million concurrent 5-year sentences. You're going to get life without parole. Sucks to be you.

  5. Re:He'll get 27 years in jail by monkeyzoo · · Score: 3, Interesting

    Definitely righteous work:

    1) Protecting individuals and society from the harms of shoddy IOT devices. Would you rather have your cheap IOT device fail and realize something is wrong with it or have it become an entry point for stealing critical data from your network or infecting your important devices with ransomware? At least if your device breaks, you realize something is wrong with it and can complain to the manufacturer for a refund instead of it spying on you and/or serving as a node in a criminal's botnet. The greater good is served in any case by society as a whole being protected from weaponized IOT devices.

    2) Creating economic imperatives for the companies producing them to design in security. The immediate impact of brickerbot would hopefully be that companies face immediate PR blowback that kills sales when they release shoddy devices that are vulnerable. And over time such products that suffer widespread vulnerabilites to brickage will be tarnished by consumers on the marketplace, and the manufacturers will learn that to make any money they need to pay attention to implementing security precautions.