Slashdot Mirror


A Sophisticated Grey Hat Vigilante Protects Insecure IoT Devices (arstechnica.com)

Ars Technica reports on Hajime, a sophisticated "vigilante botnet that infects IoT devices before blackhats can hijack them." Once Hajime infects an Internet-connected camera, DVR, or other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems." But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape...

Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers.

Pascal Geenens, a researcher at security firm Radware, watched the botnet attempt 14,348 hijacks from 12,000 unique IP addresses around the world, and says "If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on...grey hat vigilantes to purge the threat the hard way."

And long-time Slashdot reader The_Other_Kelly asks a good question. "While those with the ability and time can roll their own solutions, what off-the-shelf home security products are there, for non-technical people to use to protect their home/IoT networks?"

5 of 143 comments

  1. That's neither white nor grey. by Anonymous Coward · Score: 5, Insightful

    Hajime prevents these devices from being taken down. Instead it adds them to a botnet under the control of someone we don't know. Just because they say they're whitehat doesn't mean they are, and none of their behavior actually supports that claim. They attack other people's systems, instate defenses to maintain the ill-gotten control and use the devices to attack more devices, all without a public mandate. That's black hat.

  2. Turn off UPnP to start by raymorris · Score: 4, Insightful

    Both "non-technical people" and "home networks" combined make that a tough one. A business full of non-technical people, or just people who don't specialize in security, can use an "experts included" solution from companies like Alert Logic, but that's probably not reasonable for a home network.

    A typical home network can be made noticeably more secure from these kinds of attacks by simply turning off UPnP on the router, though. Without UPnP, by default devices on the network can't be accessed from outside, from the internet. The standard router configuration using overloaded NAT (aka PAT) has the side effect of acting like a strict firewall. It's not an enterprise-grade firewall, just a simple packet filter, but it does prevent incoming connections / attacks, except for any port-forwards that are manually configured.

    Other than disabling UPnP, the other main thing I can think of is keeping software and firmware up to date, at least for security patches. Devices running old versions are the low-hanging fruit for bad guys. The new software might have new security holes that nobody knows about, but the old version definitely has security holes that everybody knows about, and the bad guy can just run a script to automatically exploit those vulnerabilities.

    Sorry I don't have better answers right now. The lack of good answers is why Australia is looking at having the ISP take care of some protection. The ISP can see trends across the whole network, and more importantly they can spend a few thousand dollars per month to contract with companies like Cisco TALOS and Alert Logic to deploy and monitor sophisticated, modern security systems. Yeah that brings up privacy issues, so there is no great solution that I can see.
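The comment above recommends turning off UPnP because, behind an overloaded-NAT router, the only inbound holes are the port-forwards that exist. A practical way to see which holes UPnP has already punched is to ask the router's Internet Gateway Device (IGD) service to enumerate its port mappings. The script below is an added example, not code from the thread or from any product mentioned in it: it builds the SSDP discovery datagram, parses the reply that points at the device description, and walks the WANIPConnection GetGenericPortMappingEntry table until the router answers UPnP error 713 (index past the end), flagging mappings that expose a management port of a LAN host. The SSDP reply, the control URL and the mapping entries are constructed stand-ins for real router traffic; the real-transport helper is included but not exercised offline.

```python
"""Audit the UPnP/IGD port mappings a home router has accepted (offline demo).

Added example. The sample SSDP reply, control URL and mapping entries below
are constructed assumptions, not captured from any real device.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SSDP_HOST, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Internal ports that most often end in a hijacked camera/DVR when reachable from the Internet.
MANAGEMENT_PORTS = {22, 23, 2323, 80, 443, 8080, 554}


def build_msearch(st=IGD_ST, mx=2):
    """Multicast M-SEARCH datagram a client sends to discover a UPnP gateway."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_HOST}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp_response(raw):
    """Headers (lower-cased keys) of a unicast SSDP reply; LOCATION is the description URL."""
    lines = raw.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK: " + lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def build_get_mapping(index):
    """SOAP request body for WANIPConnection.GetGenericPortMappingEntry(index)."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f"<NewPortMappingIndex>{int(index)}</NewPortMappingIndex>"
            "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>")


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # strip the {namespace} prefix ElementTree adds


def parse_mapping_response(xml_text):
    """One mapping as a dict, or None when the router reports UPnPError 713 (end of table)."""
    root = ET.fromstring(xml_text)
    err = root.find(".//{urn:schemas-upnp-org:control-1-0}errorCode")
    if err is not None:
        if err.text == "713":
            return None
        raise RuntimeError("UPnPError " + (err.text or "?"))
    return {_local(el.tag): (el.text or "") for el in root.iter() if _local(el.tag).startswith("New")}


def soap_caller(control_url):
    """Real transport: POST to the router's WANIPConnection control URL (not used offline)."""
    def call(index):
        req = urllib.request.Request(
            control_url, data=build_get_mapping(index).encode(),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode()
        except urllib.error.HTTPError as e:      # UPnP faults arrive as HTTP 500 with a SOAP body
            return e.read().decode()
    return call


def fetch_all_mappings(call, limit=256):
    """Walk indices 0..limit-1 until the router answers 713; call(index) returns SOAP reply text."""
    mappings = []
    for i in range(limit):
        m = parse_mapping_response(call(i))
        if m is None:
            break
        mappings.append(m)
    return mappings


def risky_mappings(mappings):
    """Enabled mappings that forward Internet traffic onto a management port of a LAN host."""
    return [m for m in mappings
            if m.get("NewEnabled", "1") == "1" and int(m["NewInternalPort"]) in MANAGEMENT_PORTS]


# --- constructed samples standing in for real router traffic (assumptions) ---
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
               b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
               b"ST: " + IGD_ST.encode() + b"\r\nUSN: uuid:example::" + IGD_ST.encode() + b"\r\n\r\n")

def _mapping_xml(ext, proto, internal, client, desc):
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
            f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>"
            f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>"
            "</s:Body></s:Envelope>")

_ERR_713 = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            "<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
            '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
            "<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>"
            "</s:Fault></s:Body></s:Envelope>")

SAMPLE_REPLIES = [
    _mapping_xml(8080, "TCP", 80, "192.168.1.23", "IPCam web"),    # camera admin page exposed
    _mapping_xml(2323, "TCP", 23, "192.168.1.24", "DVR telnet"),   # telnet exposed: Mirai/Hajime fodder
    _mapping_xml(6881, "TCP", 6881, "192.168.1.10", "torrent"),    # not a management port
]

def fake_call(index):
    """Offline stand-in for soap_caller(): serves the constructed replies, then 713."""
    return SAMPLE_REPLIES[index] if index < len(SAMPLE_REPLIES) else _ERR_713


if __name__ == "__main__":
    print("discovery request:", build_msearch().decode().splitlines()[0])
    print("device description at:", parse_ssdp_response(SAMPLE_SSDP)["location"])
    for m in risky_mappings(fetch_all_mappings(fake_call)):
        print(f"RISKY {m['NewProtocol']} {m['NewExternalPort']} -> "
              f"{m['NewInternalClient']}:{m['NewInternalPort']} ({m['NewPortMappingDescription']})")
```

Against a real router you would send `build_msearch()` to 239.255.255.250:1900 over UDP, fetch the `LOCATION` description, take the `controlURL` of the WANIPConnection service from it (the assumed `http://192.168.1.1:5000/rootDesc.xml` above is a placeholder) and pass that URL to `soap_caller()` in place of `fake_call`. Any entry the audit lists is an inbound hole past the NAT packet filter the comment describes; the ones on management ports are the entries to delete, and if the router accepted them without anyone asking, that is the case for switching UPnP off.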

  3. He's not protecting devices by Anonymous Coward · Score: 2, Insightful

    He's not protecting devices. He's compromising them.

    He's exploiting a machine, to make it do what he wants it to do. Maybe most of us agree with why (stupid unsecured devices) but he's still exploiting it.

    He's not a "greyhat" he's a blackhat (or a script kiddy, depending on how you look at it). He's making peoples computers do things they never agreed was acceptable to them.

    Vigilante justice. Lets not celebrate this person.

      1. Re:He's not protecting devices by Highdude702 · Score: 4, Insightful

      Script Kiddie refers to somebody using somebody else's malicious code because they cannot write their own. Which is not what this guy has done.

      Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default... Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency.

      This guy obviously is NOT a script kiddie. As long as he doesn't have DDoS capability and doesn't turn to nefarious purposes he's doing everybody a favor, and he's not even bricking the devices, which you guys were bitching about last week. So what, you people just want to LEAVE the exploitable low-hanging fruit for the DDoS script kiddies to get? Are you stupid?

  4. Re:Not a permanent solution. by Gravis Zero · Score: 3, Insightful

    The customers still need to be involved to ruin their reputations as well. Perhaps after a time the bots should still brick themselves.

    A curious idea but if it's too obvious then they may just dismiss it as "some hacker's fault" and possibly exchange it for a new one instead of laying the blame on the maker. I think a better solution to this would be to allow the device to function... but only intermittently and/or heavily delayed. This way they are more likely to leave negative reviews of the product itself. It's translating to the owner that insecure/connected devices are terrible products that is the challenge. When this is done it's merely left to survival of the fittest.

    --
    Anons need not reply. Questions end with a question mark.