Internet of Things (IoT) devices gained infamy almost overnight for their lack of security. This led to their participation in a Thingbot (a botnet built out of IoT devices) named Mirai1 that launched massive distributed denial-of-service (DDoS) attacks against a handful of victims, including Dyn, OVH, KrebsOnSecurity, and Rutgers University2 in late 2016. As a result of these attacks, a project dubbed Internet Chemotherapy, also known as BrickerBot, allegedly started in November 2016 with the intention of cleaning the Internet of the vulnerable IoT devices that were low-hanging, infectible hosts for bot herders. The author of the Internet Chemotherapy project, The Janit0r, a.k.a. The Doctor, claims to have “bricked” (cyber-attacked electronic devices to cause permanent damage) 10 million devices with BrickerBot.3The Janit0r accomplished this by overwriting the firmware of the IoT devices he targeted.
The ethics of this attack are unquestionably wrong. Although members of the information security community understand this type of vigilante mindset, the best intentions cannot justify breaking the law to prove a point. However “noble” the intention might be, obtaining unauthorized access to devices and making them unusable, whether temporarily or permanently, is still illegal, and it undermines the work of ethical researchers. It is also understandably frustrating to the consumer, government, or business owner who then must replace that device. Those efforts could ultimately be useless if the owner replaces the destroyed device with one that’s just as insecure.
On December 10, 2017, the alleged individual behind the moniker The Janit0r and The Doctor announced his/her retirement in a 3,000-word declaration4 consisting of three primary sections: Internet Chemotherapy, Timeline, and Parting Thoughts.
Internet Vigilantism as Self-Prescribed Chemotherapy
Beyond the situational context around why The Janit0r took it upon himself to destroy IoT devices so they couldn’t become infected by Mirai, this section provides a bit of insight into the cause and effect of some events and their role in the author’s decision to go “all in” starting with the “colossally dangerous CVE-2016-103725 situation.” The situation referenced was considered dangerous because it allowed attackers to send remote commands to affected devices from anywhere on the Internet (WAN port) and then reconfigure the devices to allow further remote access.6 The CVE referenced is not a unique situation. This easily exploitable vulnerability is one of many in a vast and growing sea of flaws within an overwhelming count of IOT devices.
The Janit0r’s claim to have disabled more than 10 million vulnerable IoT devices in a little over a year might seem astonishing, but when compared to the 8.4 billion IoT devices Gartner forecasted to be in-use in 2017,7 10 million devices is barely a blip on the proverbial industry radar.
“Bad guys are getting more sophisticated, the number of potentially vulnerable devices keep increasing, and it’s only a matter of time before a large-scale Internet-disrupting event will occur,” wrote The Janit0r in his retirement essay. This is no profound revelation—it’s a widely-held sentiment among most of the security community that continues to be proven correct. The fact that sizeable thingbots like Mirai and BrickerBot were able to be created in the first place is proof of this statement. The difference between vigilante activists like The Janit0r and the rest of the security community is our approach to fixing the problem. A great number of researchers and industry peers would agree an effective strategy for tackling the problem is to continually work to increase the true cost to the attacker. IoT manufacturers can do this by following industry standard security controls (ones that most currently do not implement during development) that make these devices harder to compromise—so much so that it’s not worth it to the attacker to even try.
The Janit0r also references an earlier “non-destructive ISP network cleanup project” from 2015 that seems to have provided some useful data points that allowed for a better reaction to the initial threats of Mirai. The section does not further elaborate on any details about that earlier project. I wish the details of that 2015 project had been shared as it could prove quite useful for correlating against other activity. Data that we at F5 Labs have, for example, could be compared to data that might exist about disabled devices. This would allow us to come up with better processes for identifying the popularity of a given vulnerability among manufacturers.
I would love to have an opportunity to review any available data from the Internet Chemotherapy project and that earlier ISP analysis project The Janit0r referenced. This data would enable researchers to limit speculation about events and begin to understand more about underlying infrastructure and the networks hosting the dreaded thingbots that are plaguing the Internet.
The end of this section includes some very sound advice for actions that individual users can take—actions that mirror what we at F5 Labs have been saying for over a year in our Hunt for IoT reports. We agree that spending your hard-earned money only with manufacturers who have a track record for patching vulnerabilities is a great way to indirectly force vendors to do the right thing security-wise when developing IoT products. Only by purchasing devices developed with functionality that allows for timely updates will the market be forced to change over time.
The BrickerBot Timeline
In the second section, The Janit0r lays out the chronological record of the Internet Chemotherapy project, detailing more than twenty instances of attacks, vulnerabilities, and press events that provide insight into BrickerBot’s ongoing “sanitation” objective. The Janit0r includes commentary and claims of BrickerBot’s role and participation in a number of publicized events. One was the mass disruption of Deutsche Telekom in November 2016,8 which at the time was believed to have been an attempt by attackers to exploit equipment of their users to grow Mirai. The author elaborates on BrickerBot’s involvement in propagating across these devices, claiming that it infected vulnerable devices and removed the default route for communications, which temporarily removed these devices from further infection by Mirai. At least eight other documented events are similar cases. Organizations believed their attackers were attempting to extend the capabilities of a DDoS botnet, but The Janit0r claims they were being disabled by BrickerBot.
We would love to believe these claims because they would confirm our own data. The Janit0r references our August 2017 report, The Hunt for IoT: The Rise of Thingbots. In it, we identified a lull in IoT attack activity and speculated that it might have been the result of vigilante bots like BrickerBot (or Hajime). The Janit0r confirms this hypothesis but goes on to provide a bit of criticism, perhaps for us not drawing more definitive conclusions. If data had existed that modestly allowed us to further expand on our hypothesis, then we could have given more credit to the Internet Chemotherapy project. The reality is that without more data, the only responsible thing we can do is speculate. Which The Janit0r obviously understood as he defended this point when referring to researchers tracking the Reaper thingbot: “I know some of you will eventually ridicule those who estimated its size at 1-2 million but you should understand that security researchers have very limited knowledge of what’s happening on networks and hardware that they don’t control.”
Parting Thoughts (or Parting Shots?)
The Janit0r’s retirement seems entirely appropriate for more reasons than one—threat of death, according to him/her, being the biggest. But, methodology and ethics count, too. It’s a good thing to be able to decrease the available pool of devices bot herders could potentially use to advance their networks of minions that launch unwanted attacks, but the methodology and practice adopted by the Internet Chemotherapy project is unquestionably illegal. Once you cross that line, is there any turning back? Is there a justifiable ethical argument for The Janit0r’s activities?
The industry continues to evolve, and perhaps manufacturers of devices will agree to the new Digital Millennium Copyright Act (DMCA)9 proposed regulations that provide safeguards, albeit modest ones, to protect researchers that actively exercise their minds by attacking IOT devices. Just remember, it won’t provide protection if you are attacking equipment you do not own and operate.