Slashdot Mirror


Author of BrickerBot Malware Retires, Says He Bricked 10 Million IoT Devices (bleepingcomputer.com)

An anonymous reader writes: The author of BrickerBot -- the malware that bricks IoT devices -- has announced his retirement in an email to Bleeping Computer, also claiming to have bricked over 10 million devices since he started the "Internet Chemotherapy" project in November 2016. Similar to the authors of the Mirai malware, the BrickerBot developer dumped his malware's source code online, allowing other crooks to profit from his code. The code is said to contain at least one zero-day. In a farewell message left on hundreds of hacked routers, the BrickerBot author also published a list of incidents (ISP downtimes) he caused, while also admitting he is likely to have drawn the attention of law enforcement agencies. "There's also only so long that I can keep doing something like this before the government types are able to correlate my likely network routes (I have already been active for far too long to remain safe). For a while now my worst-case scenario hasn't been going to jail, but simply vanishing in the middle of the night as soon as some unpleasant government figures out who I am," the hacker said.

15 of 149 comments

  1. Re:what a maroon by Anonymous Coward · · Score: 5, Insightful

    He didn't do it to warn people about a potential threat. He did it to force manufacturers to pay more attention to security. He should be given the key to the fucking city.

  2. Re:what a maroon by KiloByte · · Score: 5, Insightful

    No, he bricked broken IOT(S) devices to stop them from attacking others. A bricked device is harmless, and there's even hope it gets returned to manufacturer. On the other hand, one that's part of a blackhat botnet is bad for everyone.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  3. Re:For all to see by ShanghaiBill · · Score: 4, Insightful

    Screw jail. This guy needs to be drawn and quartered.

    Nonsense. Having guys like him probing our infrastructure is a lot better than leaving the holes wide open for Putin and Xi Jinping. He is providing a public service. It may not be pleasant when you get pwned, but flu shots aren't pleasant either.

  4. Yep - public service... by b0s0z0ku · · Score: 3, Insightful

    (1) He's destroying devices that destroy privacy in themselves
    (2) He's destroying devices that are insecure by design ... open Telnet ports

    Not crying for the owners of this junk. He's indeed doing the Internet a service...

    1. Re:Yep - public service... by randomErr · · Score: 2

      So he sterilized the devices so they couldn't reproduce the same traits in future generations. Where have I heard that before?

      --
      You say things that offend me and I can deal with it. Can you?
  5. Re:what a maroon by BronsCon · · Score: 3, Funny

    He'll just hack the city's smartlock!

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  6. Thank you by WaffleMonster · · Score: 2, Insightful

    This guy is my hero.

  7. Re:For all to see by WaffleMonster · · Score: 3, Interesting

    He was doing more than probing. Anyone who thinks this bottom feeder was performing a public service is an idiot.

    I think he should get a gold medal for each bricked device. He deserves it.

  8. Re:what a maroon by phantomfive · · Score: 3, Funny

    If you want to call that hacking. Most likely the telnet port was left open with a root password of 'password'. It could be worse, if it were Intel Management Engine, it would have an empty root password.

    --
    "First they came for the slanderers and i said nothing."
  9. Headline should read: Author of BrickerBot Malware by Narcocide · · Score: 5, Funny

    ... finally gets a job.

  10. Re:what a maroon by AmiMoJo · · Score: 5, Interesting

    He used publicly known exploits, so if he didn't get there first it was only a matter of time before someone else did.

    Since most people wouldn't even know their device was part of a botnet, this is the best outcome. They will return it to the shop as defective or get a software update from the manufacturer.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  11. Re:what a maroon by Kiuas · · Score: 2

    A bricked device is not harmless: it has to be replaced. If the average price of those devices was as low as $10, he caused $100 million in damage.

    Yes, but that cost needs to be paid for by the manufacturer who has sold you a faulty device with a vulnerability.

    And he left the owners of those devices with no clue as to what was going on. The user only noticed his device had become unusable, and would be far more likely to assume a hardware problem than someone remotely disabling his device (let alone divine WHY someone chose to do that).

    The user doesn't even need to know what was the true cause because this is identical to a serious hardware issue.

    I once bought an iPod that suddenly stopped working after some months of use because the hard drive failed. I returned the device and got my money back. In that case it was actually the fault of the seller because it turned out the device was not indeed brand new but a returned device which had been repackaged and sold as new, which is of course illegal. However the point is as a customer I don't care one bit 'what's going on' and whether or not it's faulty hardware or if someone's remotely bricked the device. The only thing I care about is I paid money for something that doesn't work as intended, and it needs to be fixed.

    Imagine if you were sold a car for example that had a design flaw in the locking system allowing anyone to remotely unlock the doors with an exploit, or start the engine. Obviously you'd want it fixed, but unless these things are brought to public attention the company could just claim that it's bad luck that your car got stolen and they've nothing to do with it.

    That's why it's good that these things happen. Exposing critical vulnerabilities publicly is the only guaranteed way of putting pressure on the manufacturer to fix the vulnerability as they're legally obligated to do.

    --
    "It is the business of the future to be dangerous" -Alfred North Whitehead
  12. Re:For all to see by wardrich86 · · Score: 2

    No, these IoT manufacturers with half-baked bullshit "security" built into them need to be drawn and quartered.

  13. Re:Spare us the left-wing lunacy! by ls671 · · Score: 2

    He is obviously in Italy since this is published on it.slashdot.org

    --
    Everything I write is lies, read between the lines.
  14. Re: For all to see by Zero__Kelvin · · Score: 2

    Are you actually so stupid you don't know the difference? When door vendors start selling doors with locks that don't work because there is no financial motivation to add them and your house and 100,000+ others are used by criminals to damage a third party who pays a lot of money to secure their dwelling, then get back to us. Idiots like you are the reason we need guys like this in the world.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun