When William Shakespeare penned Julius Caesar, not even the great bard himself could have imagined how many phrases would fall into common use for so long that they would become cliché. A phrase like ‘Et tu, Brute?’ is as recognizable today as a euphemism for dismay at the betrayal by a friend as offering someone thirty pieces of silver for their treachery.
One of those phrases is, of course, “Cry ‘Havoc’, and let slip the dogs of war.” When it was imagined by Mark Antony coming from the spirit of the just-murdered Caesar, it was meant quite literally. Dogs of war really existed, and “let slip” meant to release their leashes. Over time, the phrase has come to be a rallying cry to action in which “dogs of war” are mercenaries.
Which makes it perfectly applicable to the current state of the Internet of Things (IoT) with respect to the rising threat of “thingbots” and how some are answering that threat.
When F5 Labs and Loryka started their Hunt for IoT, they did so with a focus on the attacks that come before The Attack. These are the attacks on vulnerable “things” (IoT devices) that then make them compromised things. Once compromised (often through an open Telnet port), they are assimilated into the collective and become a thingbot—a botnet built exclusively from compromised devices. This process is actually pretty straightforward, as illustrated by our researchers in “The Hunt for IoT Volume 3: The Rise of Thingbots.”
What’s interesting (and disturbing) is the appearance of vigilante thingbots on the scene. Frustrated by an inability (or unwillingness) to address the issue of potentially billions of vulnerable devices available for the picking, some gray hats have taken matters into their own hands. They are crying "havoc" and letting loose the Thingbots of War.
The Thingbots of War, specifically BrickerBot and Hajime, were launched with the intention to take out vulnerable IoT devices before attackers could weaponize them with Mirai. And these Thingbots of War can be quite mercenary in their behavior. From the report:
“BrickerBot is a Permanent Denial-of-Service (PDoS) thingbot that destroys the IoT device permanently. The device will no longer function, let alone become infected again. Hajime infects an IoT device and blocks it from a Mirai infection but, like Mirai, a simple reboot is all that’s needed to reset the device to factory default settings, making it infectible again.”
Because a vigilante thingbot often uses the same recon phase to compromise a vulnerable device, it can appear to be just another attack. Existentially, it is. While the intentions of those deploying the Thingbots of War may be good, there’s a reason their creators are called “gray hats.” It’s hard to argue that preventing IoT devices from becoming thingbot #5,435,786 in the latest botnet collective isn’t good, but that responsibility lies on the shoulders of those who build them and deploy them. The fact is that Telnet port 23 should not be open to the Internet in the first place, and default credentials should be changed.
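Because a vigilante's recon looks like any other attacker's, a defender can treat both the same way in the logs. The following is an added example, not code from the F5 Labs report: it reads firewall log lines, flags outside sources that sweep Telnet across several devices, and lists devices whose Telnet port accepted traffic from outside. The netfilter-style log format, the `FW-ACCEPT`/`FW-DROP` prefixes, the `192.0.2.0/24` device network and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

TELNET_PORT = 23                                   # the port the article names
INTERNAL = ipaddress.ip_network("192.0.2.0/24")    # assumed device network (documentation range)

# Constructed sample: netfilter-style log lines; FW-ACCEPT / FW-DROP are assumed log prefixes.
SAMPLE_LOG = """\
Jan 10 03:14:01 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=23
Jan 10 03:14:01 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=23
Jan 10 03:14:02 gw kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=40114 DPT=23
Jan 10 03:15:40 gw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP SPT=51000 DPT=23
Jan 10 03:16:05 gw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=443
Jan 10 03:17:12 gw kernel: FW-ACCEPT IN=eth1 SRC=192.0.2.5 DST=192.0.2.12 PROTO=TCP SPT=33000 DPT=23
Jan 10 03:18:00 gw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.13 PROTO=UDP SPT=40115 DPT=23
"""

LINE_RE = re.compile(
    r"(?P<action>FW-ACCEPT|FW-DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def inbound_telnet(log_text, internal=INTERNAL, port=TELNET_PORT):
    """Yield (action, src, dst) for TCP attempts from outside `internal` to `port` inside it."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src not in internal and dst in internal:
            yield m["action"], str(src), str(dst)

def summarize(log_text, sweep_threshold=3):
    """Return (sweeping sources, devices whose Telnet port accepted outside traffic)."""
    targets = defaultdict(set)   # source -> distinct devices probed
    exposed = defaultdict(set)   # device -> outside sources the firewall let through
    for action, src, dst in inbound_telnet(log_text):
        targets[src].add(dst)
        if action == "FW-ACCEPT":
            exposed[dst].add(src)
    sweepers = sorted(s for s, d in targets.items() if len(d) >= sweep_threshold)
    return sweepers, {dev: sorted(srcs) for dev, srcs in exposed.items()}

if __name__ == "__main__":
    sweepers, exposed = summarize(SAMPLE_LOG)
    print("sources sweeping Telnet:", sweepers)
    print("devices reachable on Telnet from outside:", exposed)
```

Any device in the second result is one where port 23 is open to the Internet, which is the condition the article says should not exist in the first place.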