
Vigilantes are working hard to infect IoT devices with the Hajime botnet - Fjolsvith
https://arstechnica.com/security/2017/04/a-vigilante-is-putting-huge-amount-of-work-into-infecting-iot-devices/
======
orng
Anyone who has played Pandemic 2, or similar games where you control a virus
intent on killing all humans, knows that the most effective strategy is to
spread as far as possible with as few symptoms as possible before mutating
into a killing machine. Apparently Hajime has update capabilities, so perhaps
it is too soon to call the creators vigilantes?

~~~
aaronchall
That's true, and a lot of effort is being poured into it.

I hope that this activity is being sponsored by victims of botnets or their
governments to reduce malicious infections, since the Internet of $#!^ has no
incentive. This may be the best case scenario.

You describe the worst case scenario. I hope you're wrong, but only time will
tell.

------
neom
I hope we start to see some pretty strong regulation around what type of
computer can be put inside of non-standard computing device, and guidance and
regulation on how it must be secured and updated. I work in city tech
specifically around IoT and I'm incredibly worried about where all of this is
going, cities DDoSing themselves in critical infrastructure points sounds
pretty annoying.

~~~
runeks
I think we should forget about regulating the implementation details for IoT
devices, and instead mandate insurance, such that manufacturers become
financially responsible for attacks committed using their hardware.

I'm almost certain that an excise tax on IoT devices proportional to how much
damage they can do, combined with giving white hats legal immunity to hack
devices as well as being paid a part of the device-tax, will be both more
effective and cheaper than having politicians write detailed laws on software
security.

If a company wants to drill into the ground looking for oil, and we know that
this company can't pay the bill if things go wrong, we force them to pay an
insurance premium/excise tax that covers the potential cleanup work. Of course
we should do the same for devices that can be weaponized in this manner.

For example: a tax of 1 cent/mbit/s of network throughput, where 10% goes to
administration costs, and 90% is paid out to white hats who are able to
penetrate the device and display a "defective device; return to <local
device-drop-off office>" message on the screen.

~~~
zild3d
Some devil's advocate thoughts -

Proportional to how much damage they can do doesn't seem like a
possible/reasonable measure. Should every car manufacturer now be responsible
for insuring the cost of every car on the road causing a synchronized
collision around the world? Should airplane manufacturers have to be insured
for every airplane being in the sky, full of VIPs, and dropping onto the X
most expensive buildings on earth, also full of prized possessions and more
VIPs?

About giving white hats legal immunity to hack devices and be paid. How do you
determine who is a white hat? Why wouldn't every black hat attempt to play the
part of a white hat, gaining free range to play around with a system without
any legal concerns. And if they find a crippling vulnerability, being able to
sell it in a black market / partner with other black hats, and pretend they
found nothing?

~~~
groby_b
Yes, they should.

Those of us that worked in regulated industries (health, nuclear, etc.) had to
do that for a long time now, at least based on my experience in Germany.

If your system has the potential to bring down the entire airfleet you sold,
yes, you're on the hook for that event. Try building systems that are
resilient in the face of failure, make that case to the insurer, premiums will
go down.

I'm tired of the argument "well, we can break A LOT of shit in one go, so we
shouldn't be held liable for our sloppiness". It's "too big to fail" in
disguise.

~~~
joncrocks
I think the difference is that the types of problems caused are kind of
second-order effects based on co-ordination, rather than individual actions
that each device is taking that is 'bad'.

So yes, air plane manufacturers might have insurance to cover them for all of
their planes being down, but it's probably limited to the first-order damages
of all of the planes being down, rather than the potential extra due to the
fact they are all down at the same time.

e.g. If I own a mail-order business and I ship my stuff via air (with no
contracts in place etc.), and suddenly no air planes can fly, so my business
folds, I probably can't sue the air plane manufacturers.

In a similar way, the individual 'damages' that are attributed in a DDOS
attack are due to the coordinated nature, rather than each device doing actual
harm/damage.

~~~
groby_b
Yes, second-order effects are harder to insure against, because the actuarial
computations are harder. But introduce liability for the issue, and insurance
will follow.

"It's hard to do things right" is not an excuse for not doing them right.

------
brodie78382
Certain parts of the list of subnets avoided by Hajime strike me as rather
interesting...

Some countries:

- Ukraine; Region Vinnyts’ka Oblast’ /16

- Iran, Islamic Republic of; Region Tehran /16

- Germany Virtela Communications Inc Amsterdam, NL POP /16

- South Africa; Region Gauteng /16

Then:

- General Electric's /8

- both Hewlett-Packard's /8

- US Postal Service's /8

and finally all of the US Department of Defence (obviously)

I would have thought HP would be a goldmine seeing as they put anything and
everything on public, proxied IP's. And why not avoid Xerox, Apple, and CIA
subnets too while you're at it?

Krebs has a more detailed writeup on this for anyone interested in reading
more:
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
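Added example, not code from the Ars article, the Rapidity Networks report, or Hajime itself: a Mirai-style target generator that draws random IPv4 addresses and skips an avoid list, which is the mechanism behind "subnets avoided by Hajime". The list here is constructed for illustration: the RFC 1918, loopback, multicast and reserved blocks are standard, and 203.0.113.0/24 (TEST-NET-3) stands in for an organisation's block the scanner is told to leave alone. Hajime's real entries are not reproduced.

```python
import ipaddress
import random

# Constructed avoid list (an assumption for illustration, not Hajime's real list).
# Standard unroutable/reserved blocks plus 203.0.113.0/24 (TEST-NET-3) standing
# in for an organisation's block that the scanner must not touch.
AVOID_LIST = {
    "0.0.0.0/8": "this-network",
    "10.0.0.0/8": "RFC 1918 private",
    "127.0.0.0/8": "loopback",
    "172.16.0.0/12": "RFC 1918 private",
    "192.168.0.0/16": "RFC 1918 private",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved",
    "203.0.113.0/24": "avoided organisation (placeholder)",
}


def compile_avoid_list(entries):
    """Parse the CIDR strings once; most specific prefix first so the reason
    reported for an address is the tightest matching entry."""
    nets = [(ipaddress.ip_network(cidr), why) for cidr, why in entries.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


COMPILED = compile_avoid_list(AVOID_LIST)


def avoided_reason(ip, nets=COMPILED):
    """Return the avoid-list reason for ip, or None if the scanner may probe it."""
    addr = ipaddress.ip_address(str(ip))
    for net, why in nets:
        if addr in net:
            return why
    return None


def random_target(seed=None, nets=COMPILED, max_tries=10_000):
    """Draw a target the way Mirai's scanner does: 32 random bits, redraw
    while the address falls inside the avoid list."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        candidate = ipaddress.IPv4Address(rng.getrandbits(32))
        if avoided_reason(candidate, nets) is None:
            return str(candidate)
    raise RuntimeError("avoid list excludes almost everything")


def excluded_fraction(nets=COMPILED):
    """Share of IPv4 space the list removes, after merging overlapping entries."""
    merged = ipaddress.collapse_addresses(net for net, _ in nets)
    return sum(net.num_addresses for net in merged) / 2**32


if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.9", "8.8.8.8"):
        print(ip, avoided_reason(ip))
    print("excluded fraction: %.3f" % excluded_fraction())
    print("sample target:", random_target(seed=1))
```

The same `avoided_reason` check, run against a published avoid list, is how a defender tells whether their own prefixes are on it; `excluded_fraction` shows how little of the address space a handful of /8s and /16s actually removes, which is why adding a few corporate or government blocks costs the operator almost nothing.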

------
rubatuga
I'm disappointed with the media praising the actions of this IOT virus. Why do
we have any reason to trust them? Articles should really be focusing on how
these vulnerabilities are extremely dangerous, and that this should be a
wakeup call for the introduction of stringent IOT standards

------
H4CK3RM4N
The article mentions Telnet login credentials about halfway through. Is that
honestly what's happening? I'd assumed it was at least SSH logins being abused
on the systems.

~~~
tyingq
Here's a Jidetech Camera that serves up telnet:
https://www.amazon.com/Wireless-Security-Recording-One-Key-Setting/dp/B06X41WH4V

And an article on how bad it is:
http://www.networkworld.com/article/3143133/security/iot-security-camera-infected-within-98-seconds-of-plugging-it-in.html
(98 seconds to being infected after exposing it to the internet)

~~~
mnw21cam
From the article you linked:

> The correct mitigation, Graham said, is to “put these devices behind your
> firewall” because “many of the Mirai passwords can’t be changed.”

No, the correct mitigation is to not have one of those devices.

You don't buy a rotten apple, and then store it on your kitchen table, because
"it's fine because it's sealed in a plastic bag".

    Richards' Laws of Data Security:
    1. Don't buy a computer.
    2. If you must buy a computer, don't turn it on.

------
scrps
It probably doesn't help that seemingly everyone is slapping a SoC into
anything that has electricity, spending 0 time/effort to harden the device,
providing little to no guidance to end-users on best security practices then
pushing them out as fast as they can be manufactured at a fat markup.

I recently saw an IoT room humidifier... Really?! How badly do you need to
humidify your (presumably unoccupied) room remotely? My garage door opener
was internet-capable until I disabled it. Some objects having remote
accessibility makes sense but a lot of it is wow-factor marketing.

~~~
noobiemcfoob
Just because you can't see a use for a connected device does not mean the use
doesn't exist. And given the amount of time, energy and money that goes into
developing any manufactured product, it doesn't happen by accident.

There is a large market of people who have property too large to spend walking
around all day turning on and off devices to keep everything copacetic.
Simple, arguably stupid, devices with IoT capability can greatly reduce this.
Then you move into any application slightly larger than a personal home and
the power of managing all these devices with software at scale becomes
immense.

Specifically for the IoT room humidifier, I've seen such things in labs
studying bugs or other exotic life that needs proper controls. These labs are
set up by scientists who are just trying to get the conditions ideal and keep
them that way, and it becomes an interesting mix of industrialized equipment
and odd one-offs like a connected humidifier.

------
jaboutboul
If I really had to guess who was behind this I would guess it is the kid who
was behind Mirai because of the similarities between the two.

Seems like his unmasking by krebsonsecurity must have scared the crap out of
him and he's now realized how stupid his pursuits were. May also be trying to
find a way to lower the impending charges that will likely come.

Plus, if his motivation was to take over other botnets, to earn some hacker
street cred then what better way to win the ultimate battle by making sure no
one else can hack into these devices again?

------
Robotbeat
Isn't this how Skynet starts in one of the Terminator films?

~~~
overcast
Yes, the third one.

------
ircshotty
This seems like a good thing in theory... but if it's all successful,
where goes the incentive for manufacturers to be more careful about their
code?

Why should they make secure code if it's just going to be fixed for them?

Also, where's the incentive for lawmakers to regulate IoT security if fewer
people are affected?

~~~
csydas
I think the general idea is more "they're not fixing it and there is no
incentive, and while we wait and see if there is, botnets are spinning up huge
DDoS attacks on demand, plus much much more."

The vigilante concept implies some known disregard or dismissal for the
current law/powers that be for whatever reason the vigilante is motivated by.
Add in the vast number of products made in jurisdictions where regulations
aren't well enforced or can be circumvented easily, and soon it starts to look
a bit dire to wait for the proper authorities to work.

I don't really know what to think about the Hajime botnet, but their motives
are pretty easily understood.

~~~
noobiemcfoob
But they are fixing it. And there is incentive. People are just upset that it
isn't happening faster, so they clamor for _more_ incentive. IoT is a newborn
baby in an industry filled with 3 year olds. I guarantee in 100 years, we
will all seem like bumpkins developing the WORST ideas of security.

------
beeftime
Good. I'd rather someone brick your wifi lightbulbs and discount guangdong
webcams than hold the door open for ever-worse DDoS attacks.

------
brudgers
A recent discussion of the news,
[https://news.ycombinator.com/item?id=14201908](https://news.ycombinator.com/item?id=14201908)

~~~
cryptarch
No, that discussion and article are about Janit0r and his BrickerBot software.

This article is about Hajime, a sophisticated trackerless BitTorrent-backed
botnet with resilience and stealth functionality. Self-professed greyhat.

Still relevant to this discussion, though.

