How Vigilante Hackers Could Stop the Internet of Things Botnet (vice.com)
An anonymous reader quotes a report from Motherboard: Some have put forth a perhaps desperate -- and certainly illegal -- solution to stop massive internet outages, like the one on Friday, from happening: Have white-hat vigilante hackers take over the insecure Internet of Things that the Mirai malware targets and take them away from the criminals. Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the "bad guys" Mirai can do it, a "good guys" Mirai -- perhaps even controlled by the FBI -- could do the same. The biggest technical hurdle to this plan, as F-Secure chief research officer Mikko Hypponen put it, is that once it infects a device, Mirai "closes the barn door behind it." Mirai spreads by scanning the internet for devices that have the old-fashioned remote access telnet protocol enabled and have easy to guess passwords such as "123456" or "passwords." Then, once it infects them, it disables telnet access, theoretically stopping others from doing the same. The good news is that the code that controls this function actually doesn't at times work very well, according to Darren Martyn, a security researcher who has been analyzing the malware and who said he's seen some infected devices that still have telnet enabled and thus can be hacked again. Also, Mirai disappears once an infected device is rebooted, which likely happens often as owners of infected cameras and DVRs try to fix their devices that suddenly have their bandwidth saturated. The bad news is that the Mirai spreads so fast that a rebooted, clean, device gets re-infected in five minutes, according to the estimates of researchers who've been tracking the botnets. So a vigilante hacker has a small window before the bad guys come back. The other problem is what a do-gooder hacker could do once they took over the botnet. 
The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning. The real challenge of this whole scenario, however, is that despite being for good, this is still illegal. "No one has any real motivation to do so. Anyone with the desire to do so, is probably afraid of the potential jail time. Anyone not afraid of the potential jail time...can think of better uses for the devices," Martyn told Motherboard, referring to criminals who can monetize the Mirai botnet.
Re: (Score:2)
What worked for me was:
hxxps://slashdot.org/ajax.pl?op=nel
Transfer the Responsibility (Score:1)
Re: "Anyone with the desire to do so, is probably afraid of the potential jail time."
Transfer the responsibility back to where it belongs, the manufacturers and vendors. Make them liable if they do not start patching their own devices. The cost of their devices might go up a little but that's their issue, regardless.
This problem is like pollution. It's pollution of the Internet and the device manufacturers are the root cause. The purchasers of the products might have some secondary responsibility, but
Re:Transfer the Responsibility (Score:5, Insightful)
Make them liable if they do not start patching their own devices.
That's the long-term solution, which wouldn't do much for the current problem devices that are out there.
Personally, I like the idea of changing the default password. Some people may never see any change, but if someone realizes that they no longer have access to their device then they do a factory reset (1 or more times, depending on how quickly they catch on) before changing the default password themselves.
Re: (Score:2)
The problem is using something as lame and ancient as telnet and sending a password in the clear.
Using something as rudimentary as ssh and having each device have a unique password (probably generated with the mac address of the device as an input) would be a big improvement. A remote attacker wouldn't have a good way to guess the mac address of such a device.
Better would be a mechanism for booting such devices in "management mode" (by holding a switch down while powering up the device, or maybe if the de
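The MAC-derived per-device password floated in the comment above, as an added example that is not code from the thread or from any device vendor. It puts the two obvious ways of doing it side by side: an unkeyed derivation, hash(MAC), is only as secret as the MAC, and a MAC is not very secret (the first three bytes are the vendor's published OUI, the last three a 24-bit serial counter), so anyone who knows the scheme can enumerate one vendor's entire space offline; a keyed derivation, HMAC(model_secret, MAC), removes that shortcut for as long as the secret stays in the vendor's provisioning system and never ships inside the firmware image. The OUI, the MACs and the secret are constructed values, and the brute force is capped at 16 bits of NIC so the demo finishes in well under a second; the real 24-bit space is still a quick offline job.

```python
"""Per-device telnet passwords derived from the MAC address.

Added example (not code from the thread or from any vendor) for the scheme
suggested above.  Two derivations are compared:

  unkeyed:  password = SHA-256(MAC)               anyone who knows the scheme
                                                   can enumerate a vendor's OUI
  keyed:    password = HMAC-SHA-256(secret, MAC)  needs the per-model secret,
                                                   which must live in the vendor's
                                                   provisioning system, not in
                                                   the firmware image

All OUIs, MACs and the secret used below are constructed values.
"""
import hashlib
import hmac
from typing import Optional

PASSWORD_LEN = 12  # 12 hex digits; plenty for the keyed scheme, irrelevant for the unkeyed one


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' and return the 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").lower())
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def unkeyed_password(mac: str) -> str:
    """Weak scheme: the password is a public function of a semi-public input."""
    return hashlib.sha256(mac_to_bytes(mac)).hexdigest()[:PASSWORD_LEN]


def keyed_password(mac: str, model_secret: bytes) -> str:
    """Stronger scheme: same input, mixed with a secret the attacker does not have."""
    return hmac.new(model_secret, mac_to_bytes(mac), hashlib.sha256).hexdigest()[:PASSWORD_LEN]


def brute_force_unkeyed(target: str, oui: str, nic_bits: int = 24) -> Optional[str]:
    """Attacker's view of the unkeyed scheme.

    The first 3 bytes of a MAC are the vendor's OUI (public, published by the
    IEEE); the last 3 are a 24-bit counter.  One vendor therefore has at most
    2**24 candidate MACs.  nic_bits caps the search for the demo (16 bits =
    65 536 hashes); the full 24-bit space is still a quick offline job.
    """
    oui_bytes = bytes.fromhex(oui.replace(":", "").replace("-", ""))
    if len(oui_bytes) != 3:
        raise ValueError("OUI must be exactly 3 bytes")
    for nic in range(1 << nic_bits):
        mac = bytes_to_mac(oui_bytes + nic.to_bytes(3, "big"))
        if unkeyed_password(mac) == target:
            return mac
    return None


if __name__ == "__main__":
    secret = b"constructed-model-secret"  # constructed; must never be stored on the device
    mac = "00:1a:2b:00:12:34"             # constructed: OUI 00:1a:2b, NIC 0x001234
    print("unkeyed password :", unkeyed_password(mac))
    print("recovered MAC    :", brute_force_unkeyed(unkeyed_password(mac), "00:1a:2b", nic_bits=16))
    print("keyed password   :", keyed_password(mac, secret))
```

The keyed variant only helps if the secret is not recoverable from a firmware dump, which is where several real router default-key schemes failed; the device should store only its own derived password (or, simpler still, a random one printed on the label), never the model secret.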
Re: (Score:2)
That's the long-term solution, which wouldn't do much for the current problem devices that are out there.
We'll get over the current problem. We always do.
But we never seem to get around to that 'long-term solution.'
I think at this point implementing the long-term solution is more important than stopping the bleeding. Otherwise the neverending cycle will continue.
Re: (Score:2)
Make them liable if they do not start patching their own devices.
Don't necessarily even need the cost to go up.
Your device is found vulnerable to hackers. a) release a fix or b) release the source code in a form that allows others to fix it.
In a dream world I could imagine a time where the source code is released with the device. How much IP can there really be in a webcam? The vast majority of the work involved in writing a firmware from scratch would be researching how to address the hardware.
Re: (Score:2)
The problem is that like Windows XP in 2001, the minute the thing is connected to the internet it gets re-infected.
Not if the password is changed like they said in the summary...
Brick 'em (Score:5, Insightful)
The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.
I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.
Temporarily Brick 'em (Score:4, Informative)
The other problem is what a do-gooder hacker could do once they took over the botnet. The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts, and also still perfectly functioning.
I say brick them. Perhaps when bad security starts costing ordinary people time and money, they'll take it more seriously.
If I understand the process correctly, most hacked IoT devices aren't firmware hacked; the exploits live in volatile memory while the device is powered. The exploit can't get into the firmware because that's much more difficult, and in many cases the firmware is read-only.
Power cycling the device will clear the hack, but it can be taken over again using the same exploit.
Bricking the device, or perhaps making the device access an online site intended to catch the owner's attention(*) seems like a reasonable solution when used in concert with all the other solutions - going after the perpetrators legally, going after the device manufacturers, changing net rules to disallow IP address spoofing, and so on.
(*) Lead to a website with a landing page alerting the owner of the issue, or (for cameras) upload video to the user's account alerting the owner to the issue, and so on.
Re: (Score:1)
... perhaps making the device access an online site intended to catch the owner's attention(*) seems like a reasonable solution when used in concert with all the other solutions - going after the perpetrators legally, going after the device manufacturers, changing net rules to disallow IP address spoofing, and so on.
(*) Lead to a website with a landing page alerting the owner of the issue, or (for cameras) upload video to the user's account alerting the owner to the issue, and so on.
At last! a constructive use for Goatse.
Re: (Score:2)
It seems like changing the admin password to something random would work perfectly well. If the clueless user needed to change something they'd have to reset to factory defaults and in learning how to do that perhaps they'd learn about changing the password. Likely the vast majority would never even notice.
Re: (Score:2)
How about the "Internet Police" take the device into "protective custody" because it's creating a "public nuisance" and "being a threat to public safety". Then charge the original manufacturer a fine each time one of their devices has to be taken into "protective custody" due to a manufacturer's flaw in the device.
By extension, if the problem device is a problem because of Joe/Jill Homeowner, do the same but charge them the fine, not the manufacturer. A bit murkier to handle since there will be so many Jo
Re: (Score:3)
People would only move to the next device and it would open the hacker to liabilities.
Re: (Score:2)
So people get pissed at the white hats, after all the black hats kept them functional...
Re: (Score:2)
after all the black hats kept them functional...
The black hats kept what functional, the devices? What about the rest of the internet? They aren't all that worried about keeping things like DNS servers functional. So maybe your camera gets knocked offline until you figure out how to change the default password so that your camera can stop attacking the internet.
Re: (Score:3)
Welcome to the wonderful world of egoistic, selfish assholes where nobody gives a fuck if the whole world goes to hell as long as my stuff works. And this is how people are, they don't care that they are a danger to the whole internet and them being knocked off is a service to the world. What they care about is their stupid little gimmicky toy.
Re: (Score:3)
And this is how people are, they don't care that they are a danger to the whole internet and them being knocked off is a service to the world. What they care about is their stupid little gimmicky toy.
How people really are is that they don't know what the Internet is so they don't know that their "stupid little gimmicky toy" could possibly be a problem because of some distant and unknown infrastructure issue. It's not a deliberate decision to cause harm, and it's not selfish.
What you think is a "gimmicky toy" may be a security cam they use to keep track of the house while they're gone because they've had issues before. It certainly is NOT something that was sold with a big warning notice that attachin
Re: (Score:2)
Now your (also appreciated by others) idea:
- "Let's brick consumer's devices, that'll teach the company!" Sound familiar? (see above)
No, it won't. It will make regular people mad.
Yes, it most certainly will. And we all know shit gets done when a large enough group of people are getting mad. I don't wanna teach the 'company,' I want to teach everyone. Security is serious and needs to be taken seriously, and you should have at least somewhat of a clue what the fuck you're doing before you go plugging your garbage into the Internet.
A more amusing approach (Score:3)
Why not take a more amusing spin on this idea: Tell all the nodes in the botnet to attack 192.168.0.0/16. Basically, have them attack their own local network.
Then change the telnet password.
Re: (Score:2)
Anytime you start a sentence with "A more amusing", straight away put the word liability after it, and then realise it is not an idea that would get you any kudos.
I'm thinking..... (Score:2)
Convert them to BitCoin mining operations and PROFIT! Yea.....
Oh, wait....
Sarcasm aside... As the fine article points out, hacking someone else's device, regardless of the reason, is not a legal activity. And as my mother always said, "two wrongs don't make a right" applies here. While this is an interesting thought experiment, unless you can get the legal authorities to approve this kind of activity, let's not develop this idea too far. Perhaps you'd get by with a way to remove the affliction and reboot
Re: (Score:2)
"hacking someone else's device, regardless of the reason, is not a legal activity"
I was waiting for this comment. "Access" is the crime regardless of what you do to the system.
The hacker Max Butler wrote a worm to patch a vulnerability in BIND, but the FBI prosecuted him for "unauthorized access" to government computer systems. "Hey! I made your system MORE secure!" didn't fly as a defense.
This brings back memories (Score:2)
Where have I heard of hackers with Chaotic Good before?
Blaster's worst enemy [wikipedia.org]
Wrong approach (Score:3)
Two wrongs don't make a right.
What we need is to grasp the careless morons that made those devices by the balls and squeeze 'til patches materialize.
Re: (Score:1)
Even ignoring the second wrong in such an act, it is still one more step of escalation that in the end is guaranteed to be pointless.
Once the first wave of white hat intrusions is performed, now begins an arms race such that which ever side exploits a device first and closes the door behind them wins the device.
There are way more black hats than there are white hats, and the black hats are exponentially better funded, and the majority of the black hats have much more time on their hands.
Given those odds, th
Re: (Score:2)
Ban the IoT apps from cell phones and desktops so users are forced to upgrade, buy new or can't network with a power on.
Send new password to manufacturer? (Score:2)
If they have access to the internet, couldn't manufacturers setup an API endpoint that accepts a serial number and a password... so that the password could be changed and the manufacturer could be sent the new one?
The owner, when locked out, can call the manufacturer, they can look up the password, etc.
Not totally sure how one might secure said API so it doesn't just get spammed as well, but... :P
This reminds me of this story (Score:2)
Umm... (Score:1)
"a "good guys" Mirai -- perhaps even controlled by the FBI -- could do the same."
I think I see a flaw here....
ISPs should blackball insecure devices (Score:2, Interesting)
Much easier to have ISPs run an automated white-hat type scan against new devices the first time a home user attempts to connect one to the Internet. This device "registration" process would look for open telnet, insecure hard coded passwords, etc. Failing devices would be blackballed and confined behind the home router. The ISP could generate a report for the user suggesting corrective action, etc. to fix the offending device. Not perfect, but it would reduce the footprint of low-hanging IoT devices.
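The registration-time check described in the comment above, which is also the check the summary says Mirai itself runs against every host it reaches (telnet open, factory password accepted), as an added example that is not code from the thread, from Mirai or from any ISP. The probe answers telnet option negotiation with refusals, which is what it takes to get a busybox telnetd to its login prompt, walks a credential list and reports which pairs land on a shell prompt. So that it runs offline, the block includes a constructed stand-in for a camera's telnet daemon listening on localhost; DEFAULT_CREDS is likewise a constructed illustration built from the passwords the summary mentions plus admin/admin, not the real Mirai list. Ports 23 and 2323 are the two TCP ports Mirai scanned.

```python
"""Default-credential telnet probe with a constructed target, so it runs offline.
Added example (not code from the thread, from Mirai or from any ISP) for the ISP
"registration" scan above and for the check Mirai runs on every host it reaches.
DEFAULT_CREDS is a constructed list, not the Mirai list; 23 and 2323 are Mirai's ports."""
import socket
import threading

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
MIRAI_PORTS = (23, 2323)
DEFAULT_CREDS = [("admin", "admin"), ("root", "123456"), ("root", "password"), ("root", "root")]
FAIL_MARKERS = (b"incorrect", b"failed", b"denied")
SHELL_MARKERS = (b"$ ", b"# ", b"> ")


def strip_negotiation(data: bytes, sock=None) -> bytes:
    """Drop IAC option sequences; given a sock, refuse each option (WONT to DO/DONT, DONT to WILL/WONT)."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data):  # sequences split across two recv() calls are not reassembled
            cmd, opt = data[i + 1], data[i + 2]
            if sock is not None and cmd in (DO, DONT):
                sock.sendall(bytes([IAC, WONT, opt]))
            elif sock is not None and cmd in (WILL, WONT):
                sock.sendall(bytes([IAC, DONT, opt]))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def read_until(sock, markers, timeout: float, respond: bool = True) -> bytes:
    """Read until a marker (case-insensitive), EOF or timeout; respond=False only drops negotiation."""
    markers, buf = tuple(markers), b""
    sock.settimeout(timeout)
    try:
        while not any(m in buf.lower() for m in markers):
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += strip_negotiation(chunk, sock if respond else None)
    except socket.timeout:
        pass
    return buf


def try_login(host: str, port: int, user: str, password: str, timeout: float = 3.0) -> bool:
    """One telnet login; True if the reply looks like a shell prompt."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = read_until(s, (b"login:", b"sername:"), timeout).lower()
        if b"login:" not in banner and b"sername:" not in banner:
            return False  # open port, but nothing telnet-like answered
        s.sendall(user.encode() + b"\r\n")
        read_until(s, (b"assword:",), timeout)
        s.sendall(password.encode() + b"\r\n")
        reply = read_until(s, FAIL_MARKERS + SHELL_MARKERS, timeout).lower()
    return not any(m in reply for m in FAIL_MARKERS) and any(m in reply for m in SHELL_MARKERS)


def scan_device(host: str, creds=DEFAULT_CREDS, ports=MIRAI_PORTS, timeout: float = 3.0) -> list:
    """Every (port, user, password) that yields a shell; a connection error ends that port."""
    hits = []
    for port in ports:
        for user, pw in creds:
            try:
                if try_login(host, port, user, pw, timeout):
                    hits.append((port, user, pw))
            except OSError:
                break  # refused, reset or filtered: nothing more to learn on this port
    return hits


def start_fake_device(valid=("admin", "admin")) -> tuple:
    """Constructed stand-in for a camera/DVR telnetd (not real firmware). Returns (host, port)."""
    def handle(conn: socket.socket) -> None:
        def line() -> str:
            return read_until(conn, (b"\n",), 3.0, respond=False).decode(errors="replace").strip()
        with conn:
            try:
                conn.sendall(bytes([IAC, WILL, 1]) + b"\r\nlogin: ")  # offers ECHO first, as telnetd does
                user = line()
                conn.sendall(b"Password: ")
                ok = (user, line()) == tuple(valid)
                conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n# " if ok else b"\r\nLogin incorrect\r\n")
            except OSError:
                pass

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    srv = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()
```

Against start_fake_device() the call scan_device(host, ports=(port,)) returns [(port, "admin", "admin")]; against a device whose login is not on the list it returns []. Run it only against devices you own or are explicitly authorised to test, which is the whole point of the thread: the same probe in a stranger's hands is the crime, not the code. Real devices often drop the connection after a few failures, which the OSError branch treats as the end of that port, and a device that hands back a root shell here is exactly the one to confine behind the CPE as the comment suggests.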
Re: (Score:3)
You are talking about the same ISPs that are unable to implement egress filtering (a basic requirement for any halfway secure network installation), thereby allowing source-spoofing, right?
Re: (Score:2)
And yet, if you had read up on Mirai, you would know that after a reboot these devices are open again, because it is memory-only. Talk about posting an irrelevant generic statement because of cluelessness.
I would prefer bricking the devices (Score:2)
And I think we should make that something globally legal. Put in some safeguards, like a 48h observation period and a requirement to record logs and upload them with your identity to some legal entity that a device owner can then find out from what happened (but not who did it).
But if that is all fulfilled, make it legal for anyone to secure the hazard presented by these devices. After all, you are allowed, say, to put out a fire by yourself too.
Hooray! (Score:2)
I for one am VERY glad to see ANY sort of suggested solution to this huge problem. I've always had the motto, "Don't bitch unless you have a solution." I had no solution (other than "sue the careless hardware vendors until they fix it", and that's no solution at all), so I just kept quiet. But this is a good one. Liability be damned: white hats, go for it! Brick them sons of bitches!
Alternatively, force a second "Internet Of Things" Internet, used ONLY by inhuman devices. If you want to talk to your