Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com)
An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
it's only about 456 years.
He didn't do it to warn people about a potential threat. He did it to force manufacturers to pay more attention to security. He should be given the key to the fucking city.
For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.
It's 2017, FFS. In the West, that insane drivel stopped the day W left office, and is Putin going to throw you in the Gulag, or have a show trial, and then throw you in (a very nasty, but public) prison.
"I don't know, therefore Aliens" Wafflebox1
No, he bricked broken IOT(S) devices to stop them from attacking others. A bricked device is harmless, and there's even hope it gets returned to manufacturer. On the other hand, one that's part of a blackhat botnet is bad for everyone.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
He disabled insecure devices before they could be taken over as part of a botnet.
That's just it though - he doesn't need the key to the fucking city.
#DeleteFacebook
Screw jail. This guy needs to be drawn and quartered.
Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jinping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.
He was doing more than probing. Anyone who thinks this bottom feeder was performing a public service is an idiot. And this guy will probably find out the retiring doesn't mean law enforcement will stop looking for him. And implying he would be "disappeared" is indicative of his warped view of reality. How many people have been "disappeared" for hacking? This guy, and people like him, are also responsible for giving law enforcement the political support needed to attach harsher penalties for these types of crimes.
(1) He's destroying devices that destroy privacy in themselves ... open Telnet ports
(2) He's destroying devices that are insecure by design
Not crying for the owners of this junk. He's indeed doing the Internet a service...
He'll just hack the city's smartlock!
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
This guy is my hero.
Times 10 million devices. A billion dollar lawsuit filed against an individual might break some records.
And no, I'm not playing anything. Just noting something hypothetical here. Personally I want to see every buggy piece of shit IoT removed from the Internet. They can go start their own garbage network to run their shitbox hardware on.
“Common sense is not so common.” — Voltaire
He was doing more than probing. Anyone who thinks this bottom feeder was performing a public service is an idiot.
I think he should get a gold medal for each bricked device. He deserves it.
Wow, .759 people! That's pretty cool. What happened to the .241 of them?
Give this man a fucking prize.
Seriously, IoT devices should come with goddamn warning labels.
This device is known to the surgeon-general of cyberspace to pose a serious risk to your personal privacy, and the personal privacy of those around you. This device may also cause undesired network traffic, communicate with unauthorized systems, and promote the spread of malware to other network connected devices.
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
I guess those fractions represent missing arms, legs and other appendages.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
That's exactly what my dad told me actually. He used to tell me I was bringing it upon myself by "being different." Of course he used to beat me too, so there is some question as to how unbiased his opinion on the matter really was.
If you want to call that hacking. Most likely the telnet port was left open with a root password of 'password'. It could be worse, if it were Intel Management Engine, it would have an empty root password.
"First they came for the slanderers and i said nothing."
... finally gets a job.
Just the second period would be enough, we're not that dense.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Clearly missing the / 24 part.
I would have written it as 9.786.759,0 with the ,0 there to indicate to dumb-ass Americans they are not the only people in the world.
Says the one mindlessly clutching to the losing convention for historical accuracy? tradition? feels? Who knows why. But, good one. You've got your own groove. Get it, stella!
You forgot to mention Mossad and the NSA and all others.
Don't fight for your country, if your country does not fight for you.
He used publicly known exploits, so if he didn't get there first it was only a matter of time before someone else did.
Since most people wouldn't even know their device was part of a botnet, this is the best outcome. They will return it to the shop as defective or get a software update from the manufacturer.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
A bricked device is not harmless: it has to be replaced. If the average price of those devices was as low as $10, he caused $100 million in damage.
One can only hope the damage is big enough to make the manufacturer start paying attention to security. IoT with no security is a disaster waiting to happen, as they become part of botnets and then are used to DDoS important stuff, which will cause at least as much in damage as you are claiming...
Yes, but that cost needs to be paid for by the manufacturer who has sold you a faulty device with a vulnerability.
The user doesn't even need to know what was the true cause because this is identical to a serious hardware issue.
I once bought an iPod that suddenly stopped working after some months of use because the hard drive failed. I returned the device and got my money back. In that case it was actually the fault of the seller because it turned out the device was not indeed brand new but a returned device which had been repackaged and sold as new, which is of course illegal. However the point is as a customer I don't care one bit 'what's going on' and whether or not it's faulty hardware or if someone's remotely bricked the device. The only thing I care about is I paid money for something that doesn't work as intended, and it needs to be fixed.
Imagine if you were sold a car for example that had a design flaw in the locking system allowing anyone to remotely unlock the doors with an exploit, or start the engine. Obviously you'd want it fixed, but unless these things are brought to public attention the company could just claim that it's bad luck that your car got stolen and they've nothing to do with it.
That's why it's good that these things happen. Exposing critical vulnerabilities publicly is the only guaranteed way of putting pressure on the manufacturer to fix the vulnerability as they're legally obligated to do.
"It is the business of the future to be dangerous" -Alfred North Whitehead
He deserves to be probed. In the ass. With a sharp stick. Coated with capsaicin.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
Sure. Let's have some more guys "probing our infrastructure", by going door to door looking for weak or unlocked doors, then drawing our attention to security vulnerabilities by entering our homes and defecating on the bedsheets, and publishing a list of vulnerable locks and how to break them for other providers of this "public service"
No thanks. No, the only "unpleasant figure" in this story is this criminal.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
9786.759 people have disappeared because of these activities this year alone. It's easy to access this information for yourself, just log on to www.CIA/bagmen/illegal/assassinations.org where the government tracks all of these instances for you.
You sound awfully sarcastic. I'd hate to think you didn't think the CIA has ever killed anyone. If you do - read the following - and know it's not the only record from an 'authoritative' source on the subject:
[The dart from this secret CIA weapon can penetrate clothing and leave nothing but a tiny red dot on the skin. On penetration of the deadly dart, the individual targeted for assassination may feel as if bitten by a mosquito, or they may not feel anything at all. The poisonous dart completely disintegrates upon entering the target. The lethal poison then rapidly enters the bloodstream causing a heart attack. Once the damage is done, the poison denatures quickly, so that an autopsy is very unlikely to detect that the heart attack resulted from anything other than natural causes. Sounds like the perfect James Bond weapon, doesn't it?] http://www.military.com/video/guns/pistols/cias-secret-heart-attack-gun/2555371072001
No, these IoT manufacturers with half-baked bullshit "security" built into them need to be drawn and quartered.
I am admittedly lazy. Can someone point me at his source. I couldn't find it in a cursory google search. I'm not planning to use it in the wild, just curious about which exploits he used exactly.
thanks
this sig is deprecated
Are you actually so stupid you don't know the difference? When door vendors start selling doors with locks that don't work because there is no financial motivation to add them and your house and 100,000+ others are used by criminals to damage a third party who pays a lot of money to secure their dwelling, then get back to us. Idiots like you are the reason we need guys like this in the world.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Apparently your understanding of internet security and well being is non-existent. It wasn't to help the people know they were vulnerable, it was to protect the entire internet from the dangers of said vulnerability. No doubt you would prefer someone use the obvious vulnerabilities to cause damage to the internet while you continue to broadcast your ignorance on Slashdot
Dumbass mainland Europeans think it's OK to write in English but not follow English numeric conversions resulting in documentation that either makes no sense or worse gives values that are plain wrong.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
Make sure you steal his ECU or otherwise "brick" his car. He shouldn't drive it until it's secured properly.
Just junk food for thought...
One can only hope the damage is big enough to make the manufacturer start paying attention to security.
Right....because consumers are just going to pass those costs right back to the manufacturers...
Or do you have some juvenile fantasy that "word will get around" that $MANUFACTURER's devices are falling over, and refuse to buy any more, thereby forcing $MANUFACTURER to upgrade their security?
Right, so the solution is to punish the owners by destroying their devices to send a "message" to vendors? How's that working out so far? Are IoT device vendors scrambling to secure their shit so it doesn't get bricked? No?
Fuck, if the ends justify the means why didn't he just start murdering insecure IoT device owners until the vendors agreed to change their ways? It would have been a lot more effective and he would have had just as many morons like yourself riding his nuts.
What's a little collateral damage when fighting the "good" fight?
Chemotherapy sucks balls, but death sucks worse. News at 11.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jinping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.
What?!? So if I am creating an IOT of things with my 7 year old, I don't know a simple weather station just say, and we don't secure it because it is a project for a 7 year old where there is no security risk of leaving it exposed, and it is easier for them to experiment with and this guy bricks it, maybe permanently, how is this a public service?
It is vandalism. It is no different than him walking down the street looking at a weather station attached to a wooden fence post in someone's yard and smashing it because, he wants you to know that unless you put a secure cage around it or bring it into your home it is unsafe. This guy should be charged for vandalism for each device he broke and serve time for each. Just a single day for each device I think would suffice.
To clarify the argument (without endorsing this position). It would be like you created an internet connected IOT weather station that because it was unsecured got hijacked to be included in a DDoS swarm.
The problem with poor IoT security is that, even if the device is useful for nothing else to the hacker, if it has a network stack and a connection it can DDoS someone else and there are millions of these devices. If this guy can get in and brick it, then someone else can get in and use it to DDoS.
That clarifies it but doesn't make it right. It is like walking through a person's yard seeing a pick ax and breaking it to prevent a bad person from potentially finding it and using it to murder someone.
Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jinping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.
The difference is I choose whether or not to get a flu shot. If someone walked down the street jabbing random people with a hypodermic, I'd suggest harsh penalties for them too.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
It could be worse, if it were Intel Management Engine, it would have an empty root password.
If I recall the reports correctly, the IME didn't have an empty root password. Instead it checked the number of bytes that the code running in the remote browser said were the length of the hashed password - rather than the number of bytes the IME server-side code knew were the length of a hashed password.
So if you entered a zero-length password on the normal web page, you'd fail to log in. But if you hacked up your own version of the page's code that would say the hashed password was zero-length, the IME code would believe it, check zero bytes for match (which always passes), and let you in.
So it didn't get discovered (at least publicly) until a security researcher did that hack and had his WTF moment, years after the broken code was deployed.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
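The length-trust bug described in the post above, as an added illustration that is not from the post and not Intel's code: a simplified digest-style check that compares only as many bytes as the client's response contains, next to a check that takes the length from the server's own expected value. All names, values and the hashing scheme are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials; a real system would never keep the clear
# password around. The stored verifier is md5(user:realm:password), as in a
# digest-style scheme.
USERNAME = "admin"
REALM = "demo"
PASSWORD = "correct horse"
STORED = hashlib.md5(f"{USERNAME}:{REALM}:{PASSWORD}".encode()).hexdigest()


def client_response(nonce: str, password: str) -> str:
    """What a legitimate client sends: hash of its own verifier and the nonce."""
    ha1 = hashlib.md5(f"{USERNAME}:{REALM}:{password}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}".encode()).hexdigest()


def verify_vulnerable(nonce: str, response: str) -> bool:
    """Mirrors the flaw the post describes: the number of bytes compared is
    taken from the client-supplied response, not from the server's expected
    value. An empty response compares zero bytes, so it always matches."""
    expected = hashlib.md5(f"{STORED}:{nonce}".encode()).hexdigest()
    n = len(response)  # attacker-controlled length
    return expected[:n] == response[:n]


def verify_fixed(nonce: str, response: str) -> bool:
    """Hardened form: the length comes from the server, and the comparison is
    constant-time so partial or shortened responses neither pass nor leak."""
    expected = hashlib.md5(f"{STORED}:{nonce}".encode()).hexdigest()
    if len(response) != len(expected):
        return False
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run both checks against a good, a wrong, and an empty response."""
    nonce = secrets.token_hex(8)
    good = client_response(nonce, PASSWORD)
    wrong = client_response(nonce, "not the password")
    return {
        "vuln_good": verify_vulnerable(nonce, good),
        "vuln_wrong": verify_vulnerable(nonce, wrong),
        "vuln_empty": verify_vulnerable(nonce, ""),  # accepted: zero bytes compared
        "fixed_good": verify_fixed(nonce, good),
        "fixed_wrong": verify_fixed(nonce, wrong),
        "fixed_empty": verify_fixed(nonce, ""),      # rejected by the length check
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```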
The next time you fail to lock your car door, I will be sure to rob you and leave a note that says "shit security".
In Australia leaving your car door unlocked when the vehicle is unattended in a public place will get you a fine.
It would be nice if we could get the same sort of treatment for the idiots who code for these IOT devices.
BTW, it seems a lot of his victims were ISPs who are professionals and should know better as to how to set up their equipment.
... if you hacked up your own version of the page's code that would say the hashed password was zero-length, ...
I.e. send a "hashed password" that was zero-length.
How the fuck do you expect for a vendor to set unique passwords for the customer? Are you retarded? The device is sold with a default login so that the operator can configure the device and set the password. It's up to the operator to limit access to it. That's ALWAYS been the case. People bitch when they buy a device and it's not locked down, and others complain the vendor oversteps and belongs to the one who purchased it. You can't have both ways. This is a network administration problem. Super obvious, sunshine. There's already many proper disclosures sent to ISPs when open resolver DNS servers or SNMP with default community strings are found open. That's the responsible thing and leads to change and educated admins. Damaging property and causing issues on property you don't own is clear as fucking day illegal and this prick will eventually get caught when he steps into the USA. He's a cunt looking for the lulz. Fuck you and your 'you deserve it because you didn't change protocols soon enough', rather than limiting access in the first place as the vendor expects the admin to fucking do.
That's a stupid law. Although I know Australia started off as a criminal colony, I didn't think you inherently treat your fellow citizens as criminals right off the bat. Gone are the days when you could leave house and car doors unlocked and not have to fear your shit being stolen.
So if the companies are already increasing security efforts, how is this extra punishment still needed? Responsible reporting could have easily been done, it already has for years. He wrote malware. The malware spread in criminal hands. He causes denial of service attacks. He's a cunt. This is an admin fail problem. Clear as fucking day. There's many IoT devices intended for private use without outside access that don't need to spend millions developing a new product. Companies do need to keep selling these devices and there is demand, sometimes there is no replacement product or the company is out of business. WinXP is no longer supported but is still needed for various things in various industries. You don't need to fuck around with spending time and effort changing shit to Windows 10 when you IP limit access or similar firewalling, especially if there is no upgrade path. I worked for a company that forced changing password on first login. ZERO fucking people praised it, but MANY complained when they typo (it's double prompted so they're the same, but doesn't help if caps was on without them knowing), forget passwords, or employees just die. When something is deployed, of course you should change it and record the password safely. That's the fucking admin's job. The botnet fuckers can learn of zero days and infect shitloads of devices regardless of SSH or changed passwords way before a patch can be distributed (scheduled downtime period, people sick, vacations, etc.) even by the most responsible vendors. In the end, you need firewall and limited remote access for anything reachable from the public. That's the fucking message, not just "change your passwords", which is not enough.
So change the password to the MAC address instead. Hard to get remotely, easy with physical access. User learns they fucked up when they go to log in and default doesn't work, but it's still operational without permanent damage. Even rebooting it at a specific interval would draw attention. It could be the "4h20 reboot issue" that becomes googleable when it's noticed their devices go offline on this specific time. There's lots of different things this asshole could have done without bricking them. He chose this. In court, the prosecution will present lots of alternative ways of educating the user and the jury will agree he's a cunt and he'll get decent prison time.
This is mostly out of warranty shit.
I didn't read much of your post because your first sentence shows that you are new to the technology world but think you know it all already. Also, you should learn about paragraphs.
No, you fucking idiot. If you find a remote lock exploit in the car, you notify the vendor so they can fix it. You do responsible disclosure, which forces the fix. There's a whole fucking process for researchers to follow. Have you been asleep during the last few years where this happens all the time? You don't just brick a car without first trying to fix the problem. People who don't do the responsible disclosure are assholes.
The user is responsible for its security. Fuck people, it's not new that you attach anything on a public IP, you are responsible for changing passwords and firewalling it. If I was a manufacturer, I'd reject the RMA. Things like Mikrotik are sold to professional admins. They've done training and know this. Educate the admins. Then it doesn't matter what a vendor does, the admin of the device and network is responsible. Blaming the vendor for really bad admin is fucking dumb.
To be clear, if the user couldn't change password and were hardcoded, that is a valid vendor problem.
Wireless infrastructure should be banned? No Internet for you.
And you'd rather pick the damaging solution instead of prevention and education? Seriously, fucking logic with you people, as long as it wasn't your device, right?
Link? I've only found mention of a different hacker group, Hajime, who closed Mirai holes. I've only read brickerbot bricks. Seriously, there's tons of shit that could have brought it offline without damage. He wanted to do this and would have found any reason (his is bullshit). I don't know why people are not assuming he's not financially benefiting. We keep hearing about malware makers after they're caught, they're in it for the money. When hackers takeover a website, they generally deface it, which gets all the security attention required. They don't often delete the entire website.
I highly doubt he hasn't monetized this.
This shit is a wake up call. Like how Watchdogs 1 and 2 were a wake up call hidden in a game. Let's not end up like the shit hole world like in watch dogs 2 where government and corporations have become entirely nontransparent whilst your average Joe or Jane is so transparent that those nontransparent Political/Corporate entities can monitor every thing you do + metaphorically have their hand up your ass like a puppet e.g. tampering with what you see so as to unfairly bias your vote choice, i cite this from the story line of watchdogs 2... and they treat you like products for making money rather than as actual humans!
Switch it Off,Switch it On[SOSO] Solves 95% of all IT problems!
Using Firefox on Android, there's no preview and there's new paragraphs when I submit it, so I only know they're not there afterwards, and there's no fucking edit. Sometimes I'll remember to have two new lines, but not always. Sometimes there's new paragraph and sometimes not. *shrug* Double new line test. I really hate walls of text, too. I guess I should have realized when it happens to others, it's likely the browser or /.
Fuck you firefox. (Three lines of white space) Or fuck you /.