
A vigilante trying to improve IoT security - jgrahamc
https://gizmodo.com/this-hacker-is-my-new-hero-1794630960
======
086421357909764
It's all fine and well until one of those improperly configured devices is a
medical device or something critical. Yes I understand that's part of the
problem, but proving a point with risk isn't the right answer either. Every
Dialysis machine I've seen runs Windows XP, which any security professional
will tell you is game over, but given the market hasn't provided an
alternative, it becomes a necessity to figure out how to protect these
improperly updated / configured / designed devices.

Fandom of actions that impact others in a negative way is bad, and one day
someone will do something they feel is right that impacts you and you'll say..
well that's not fair.

~~~
adamclarkestes
I'm the author of the Gizmodo post. Having covered IoT hacks for a few years,
it's obvious that drastic measures would be necessary to convince
manufacturers to build more secure products. While I'm not necessarily
endorsing this hacker's methods, I do salute his taking a stand. It might land
him in jail. But still, the mission is worthwhile.

~~~
JustSomeNobody
Engineering needs to stop being subordinate to anything but top management (if
at all). An MBA can _always_ outrank an engineer's decision and that is a big
reason why we have crap devices out in the field.

~~~
na85
Yes, no engineer has ever made a bad design or decision, ever.

~~~
jacquesm
That's totally beside the point.

The idea here is that no engineer would _knowingly_ sign off on something bad.

~~~
jsmthrowaway
A rather optimistic idea, I'd contend.

~~~
086421357909764
I concur, in fact, how many IT professionals make bad SECURITY decisions
because they in fact are trained to build and maintain a working
infrastructure first and foremost.

------
ihodes
This is a more in-depth source for the same story:
[https://arstechnica.com/security/2017/04/brickerbot-the-perm...](https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/)

------
yumaikas
After doing a little research it's worth noting a few key things:

1) This attack is _not_ using 0-days. It's using vulnerabilities that have
been in the wild for almost 6 months now, and are so trivial to exploit that
some security researchers called the exploits "amateurish". These types of
devices have been used to DDoS _lots_ of internet infrastructure. What, short
of something like this, is going to get those devices and their manufacturers
to secure their hardware, given that Mirai wasn't enough to convince them?

2) I honestly think that finding/making a legal means for this sort of scan
(specifically, scanning to check for trivially insecure devices, and bricking
them if they cannot be patched) to happen on a consistent basis is something that
the EFF or the like might want to look into. The problem with vigilantes is
that they lack accountability, so while I might personally approve of the
current approach from what I can see (even as I recognize it as illegal), it
could easily take a turn for the worse. I think having a standard around
need to survive X number of hours connected to the internet and that a certain
number of devices (say 10) need to survive 6/12/18/24 months down the road or
face recall would be a starting point. There are a lot of contingencies to work
out for this, such as personal DIY projects and the like, it's not 100%
fleshed out.

3) As far as I can tell, the analogy is more along the lines of a bunch of people
buying a bunch of stereos and/or loudspeakers that are trivially hackable (but
the consumers aren't aware of that), and then putting them everywhere. If
those loudspeakers and/or stereos started disturbing the peace, or getting
used in ultrasonic attacks on power lines or water mains, you can bet that
police would be destroying them, and/or allowing others to do the same.

------
Analemma_
Uh-oh. Did somebody take my advice?
[https://news.ycombinator.com/item?id=12612539#12612809](https://news.ycombinator.com/item?id=12612539#12612809)

------
dec0dedab0de
I see a lot of people blaming the manufacturers, or blaming the hacker. Then
coming up with analogies to support their point of view. I blame the users and
don't feel bad for them at all. The analogy I'm going with is if one of your
neighbors bought a cannon as a piece of art, and left it pointed at your house.
Ignorance is not an excuse.

~~~
frgtpsswrdlame
These users don't think they're buying a cannon, they think they're buying a
lightbulb which will mimic the sun or a blender which will automatically make
a smoothie for them every morning.

------
pavel_lishin
> _if somebody launched a car or power tool with a safety feature that failed
> 9 times out of 10 it would be pulled off the market immediately. I don’t see
> why dangerously designed IoT devices should be treated any differently_

Really? He doesn't see how a car is different from a webcam? And why there are
different safety standards for each?

Their goal is laudable, but this seems like a fun way to engage in vandalism
while hiding behind an ideological aegis. The sort of thing I'd do when I was
15.

~~~
nickpsecurity
I think he believes Internet-connected devices need at least basic security to
reduce damage they can cause other systems. A problem long illustrated in the
Windows market and recently IoT.

------
orng
Slightly OT, but not too long ago I read that it is not uncommon for viruses
to remove other known, competing, malware. Does anyone know if anyone has ever
made a virus whose only purpose is to remove other malware? Perhaps the same
aggressive approach used by Janit0r is needed to stop the spread of worms,
kill off botnets etc.?

~~~
seob
> Does anyone know if anyone has ever made a virus whose only purpose is to
> remove other malware?

The first computer virus was an experimental self-replicating program called
Creeper.

And the second computer virus was Reaper, a similar program created for the
sole purpose of deleting Creeper.

[http://corewar.co.uk/creeper.htm](http://corewar.co.uk/creeper.htm)

------
lend000
I toyed with a similar idea that would be limited to subnets or non-routable
IP space, and open-source/community-driven, but I had to take it down almost
immediately due to bad press/backlash. There's really no way to address this
without government regulation on ISPs to assume the external cost of botnets
coming from devices on their networks. And the only way to justify that is to
modify our computer crime laws to allow them to scan, patch, maybe even brick
(or just turn off the customer's Internet and notify them) when vulnerable
devices are found.

~~~
Neliquat
Links to the press? Always interested in how these things are handled.

------
fruzz
It takes a special kind of entitled to destroy people's things and to then
blame others (the manufacturers) for it.

~~~
fredley
I think it's rather brilliant. It _is_ the manufacturer's responsibility to
ship secure products. Here a consumer with a bricked product will demand a
replacement/refund, putting pressure on the manufacturers to not ship shitty
products. It's directly applying market pressure to sellers of insecure
hardware, and that's a great thing.

~~~
thomble
Yes. In fact, I'm going to start stealing bikes that have insecure locks.

~~~
badosu
What kind of stupid person would think that we could have a cooperative,
functional society where I can just be careless with my bike, right?

What's the problem with these people?

Sarcasm aside, I live in Brazil, ask any Brazilian who stayed in a European
country what was the biggest difference: "I could feel safe anytime, without
worrying about my stuff".

That really shapes the mind and behaviour of people.

~~~
Bartweiss
> What kind of stupid person would think that we could have a cooperative,
> functional society where I can just be careless with my bike, right?

Isn't this actually a really common sentiment, though? I've lived in several
places where leaving a bike unlocked for 5 minutes, or sloppily locked for an
hour, means you're going to lose it.

That doesn't make the theft acceptable, but if a friend borrowed your bike and
left it unlocked you'd still get mad at them.

Reshaping society so this stuff doesn't happen is great, but on an inside-view
level we treat crime as sort of an inevitable "someone will do it" force.

~~~
badosu
> Reshaping society so this stuff doesn't happen is great, but on an inside-
> view level we treat crime as sort of an inevitable "someone will do it"
> force.

I don't disagree with you, however I think there are some levels to this
concept, e.g. how two different locations would differ if it was: a lost
wallet, a somewhat clear opportunity for embezzlement, a bike stopped in front
of a coffee shop?

------
brudgers
"Something Wonderful has Happened"

[https://en.wikipedia.org/wiki/SCA_(computer_virus)](https://en.wikipedia.org/wiki/SCA_\(computer_virus\))

------
jahbrewski
As someone who works as a software consultant for many IoT and connected
device companies, how can I increase my understanding of IoT security? How can
I ensure the devices I work with are secure?

~~~
jahbrewski
Since posting this, I did some research, and it looks like the biggest
security problem (currently) is manufacturers hardcoding default passwords
into the firmware. Here I am thinking I need to become an expert in security
to help my clients secure their devices, but is it really as simple as
encouraging clients to set secure, default passwords?

~~~
extrapickles
Unique passwords for each device, some form of auto-updating so the OS and any
webservers don't get too old and making sure the developers know about the
OWASP Top 10 should go a long way to making the devices secure.

Anything else would be dependent on what the device is for and how it does it.
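
A sketch of the per-device password advice above, added here as an example and not code from the thread or from any commenter: each device gets a random password at provisioning time, only a salted hash goes into the firmware image, and an audit flags images that still carry a known default or a credential cloned across units. The serial numbers, the default-password list and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample of common factory defaults (an assumption, not from the thread).
KNOWN_DEFAULTS = ("admin", "root", "12345", "password", "default")
ITERATIONS = 100_000

def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a dumped image does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def provision_device(serial: str):
    """Return (password for the device label, record stored in the image)."""
    password = secrets.token_urlsafe(12)  # 96 bits from the OS CSPRNG
    salt = os.urandom(16)
    record = {"serial": serial, "salt": salt.hex(),
              "hash": derive(password, salt).hex()}
    return password, record

def verify(record: dict, candidate: str) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    digest = derive(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def audit_fleet(records: list) -> dict:
    """Map serial -> reason for every record that fails the audit."""
    findings, seen = {}, {}
    for rec in records:
        key = (rec["salt"], rec["hash"])
        if key in seen:
            # Identical salt+hash means one credential was baked into many units.
            findings[rec["serial"]] = "credential cloned from " + seen[key]
            findings.setdefault(seen[key], "credential cloned to other devices")
        else:
            seen[key] = rec["serial"]
        if any(verify(rec, d) for d in KNOWN_DEFAULTS):
            findings[rec["serial"]] = "known default password"
    return findings
```
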

------
draw_down
That's terrible but also kind of awesome. Remember, these things are unsecured
and they're going to get owned anyway, it's just a matter of time. That
doesn't make this right, but it is important context to keep in mind.

------
zitterbewegung
The writer of the story really tries hard to make a vigilante justice narrative
and glorify someone who is causing real damage to computer systems. We saw the
same thing with the hack of Ashley Madison. They make the original vendors
out to be scumbags. Things are much more complicated. Yes vendors and
websites should keep things more secure. If you really want IoT to be more
secure I don't believe that large or small hacks are the best way to do this.
The consumer is really the one that loses here.

~~~
eximius
Well, yeah, that's half the point. The point is manufacturers can't be bothered
because it doesn't hurt them. There isn't a way to hurt them short of lawsuit
or legislation. We don't really have the standing or power to effect change,
so they hurt the consumers who complain to the manufacturers. Nobody thinks
this is a _nice_ solution, but is there a better alternative?

------
nickpsecurity
It's what I said people should do. Kind of like 2nd Amendment taken against
3rd-party devices that nobody will do anything about. It might also generate
demand for more secure devices on consumer side or liability on supplier side
for same. Good to see someone is doing it. There were quite a few other people
wanting to see these bricked on last HN thread about it:

[https://news.ycombinator.com/item?id=12771067](https://news.ycombinator.com/item?id=12771067)

------
WalterBright
It's simple for manufacturers to make their devices secure from corruption.
Put the firmware in ROM. Malware will not survive rebooting the device.

If you really must be able to update the firmware, add a physical "write
enable" switch, not a software enabled one.

------
general_pizza
The method they're describing is only permanent for devices without a
removable startup disk, right? If they run this on my raspberry pi, for
example, just reformatting the sd card and following the same process as when
I first got it should immediately fix this.

~~~
cakeface
Yes, it makes every effort to corrupt the filesystem that the operating system
is stored on and mess up the networking before shutting down the device or
rebooting. If the device has its OS on read-only media then this won't do
much. Maybe it will turn off until someone cycles it. If you can reformat or
reflash the disk then you can recover. For a raspberry pi that's cool. For an
IP camera it's generally a problem.

------
NicoJuicy
This is perhaps the only way. Get the customer to irritate security exploits.

Nice thinking though

------
intrasight
I am fascinated by the somewhat Darwinian trajectory that this might take.
Let's project forward ten or twenty years to when that smart lightbulb has the
computing power of a 1990s-era supercomputer. Might all the lightbulbs in my
neighborhood form an intelligent swarm? Will they be engaged in inter-swarm
battles? It's not like there's an "off" button. Has any good sci-fi explored
this topic?

------
tunap
Didn't a grey hat similarly flash a ton of old routers following heartbleed?
Search isn't providing results atm, but I do recall an uptick in retail
routers failing post HB news wave, with little mentioned as to the "why". If
memory serves, it didn't "brick" them, it broke DHCP (no longer assigned
dynamic addressing; WAN or LAN).

------
Pica_soO
Shouldn't be so merciful to brick it. Should have taken over some garage door
openers, measured the average time between open and closing, and then close it
suddenly after t == t_Signal+(t_Average)*1/3. Security is when your door is
not trying to get into your car. The carcrackodile would raise awareness.

------
flukus
Is this how we solve security? An army of white botnets in a never ending war
with an army of black botnets?

------
hyperhypersuper
Can somebody add "brickerbot author" to the title to have at least a bit of
information.

~~~
sctb
Thanks, we did update the title from the original “This Hacker Is My New
Hero”.

------
grzm
Actual article title: "This Hacker Is My New Hero"

