Brickerbot is mysterious antimalware that nukes badly secured Internet of Shit gadgets

Schopenhauer was right, don't you think?
"Life without pain is meaningless"
Permit me to give your lives ... meaning
3 Likes

Releasing worms is illegal, and it fixes the problem, n’est-ce pas?

Vigilante justice is a single player or group taking responsibility for fixing a problem, typically destructively or violently, and always in violation of due process and the rule of law.

2 Likes

Want me to slow down your power cycles for you?

I fundamentally question that description of vigilante justice, though.

I *need* those
1 Like

The handy thing about this instance of vigilante justice is that the ‘trial’ portion is effectively automatic and more or less foolproof.

Presumably deliberately, this ‘brickerbot’ uses only the (utterly pitiful) telnet brute force attacks to gain access to devices. Not even script-kiddie-with-metasploit level stuff, so it will just bounce right off even slightly secure devices.

Therefore, if brickerbot gains access to a device, that device was clearly too insecure to be allowed on the internet.
If a device denies brickerbot access, brickerbot has no effect other than to waste a few KB of bandwidth.

6 Likes

I apologize if I’m misunderstanding what you seek, but if I’m understanding it right we really have a wealth of options.

If you want to keep an application in line at the OS level, SELinux, OpenBSD systrace, or Mandatory Integrity Control all let you ruin its day with aggressive granularity.

If you are more interested in just keeping an untrusted application away from your OS, VMs can be spun up from templates in a matter of seconds, and breaking out of one (while not impossible; several exploits have been discovered and fixed over the years) isn’t clearly easier than scribbling malice into the assorted upgradeable firmware in motherboards and some peripherals.

Some of the really cool, old school paranoia systems done in near-complete isolation from commercial pressure for DoD contracts are, indeed, pretty much unavailable; but anything that actually fits on your desk and/or could be purchased by a mere mortal was never in that class.

4 Likes

I agree that if you’re a system administrator, and you want to lock down one piece of code for one particular scenario, then SELinux, etc… can do that, by setting the access control lists on everything not to be allowed to the program, and going from there. Those approaches don’t help much with confused deputy situations, and aren’t applicable to interactive use.

I could be wrong, but I think we took a premature optimization turn somewhere around the time that Unix was born, and it was decided that multilevel secure systems wouldn’t be needed by the masses.

Thanks for the feedback!

3 Likes

Well, we once had far more advanced systems than *nix - I was coding for 64-bit machines in the early 1980s that had fine-grained capability models - but when Unix clones became available for the cost of hardware, commodity economics blew away everything better. That trend started with Sun and Apollo and ended with Linux.

As Jamie Zawinski once said, “If I’d known in 1979 that unix was the future of computing, I’d probably have cut my throat.”

3 Likes

Knock Knock?
IOT shitware: who’s there?
THE ABYSS: THE ABYSS
IOTSW: {offline}

2 Likes

This’ll be great till it bricks someone’s dialysis machine.

5 Likes

Non. It doesn’t fix the problem*, it “fixes” symptoms. Which is at best a short term thing that gives you time to think, but that’s about it. To use a crude and ill-fitting analogy, a bit like taking pain killers when you’ve got a brain tumor.

*Which is a combination of operating systems never designed with the need for security in mind, really bad application coding, uncaring manufacturers, ignorant customers and probably another handful of reasons.

1 Like

And if someone dies? Is this temporary victory worth killing for? Actual, not rhetorical question.

I will say though that if it is worth killing people for, the least people could do is not insult the victims with empty condolences. You can’t stay alive on sorry feelings.

Unfortunately, the coders who make these scorched IoT weapons are extremely unlikely to ever know or meet anyone they indirectly murder, and humans are notoriously more willing to kill when the act is impersonal.

1 Like

That seems a little hysterical to me. The devices vulnerable to this type of thing are those that open up an outside port using UPNP or some other sort of NAT traversal. Certain webcams, DVRs, etc. that have remotely accessible functions. Hospital equipment and other life-critical devices are not going to be doing this, and most probably don’t speak TCP/IP at all.

1 Like

I wish I could share your confidence in the medtech industry’s security.

https://groups.csail.mit.edu/netmit/IMDShield/

6 Likes

My point is that anyone unleashing this (anti)malware can know that it’s not going to kill anyone. Not that everything is hunky dory with information security in that industry.

That’s all.

My dishwasher does not connect to the internet. Its front panel communicates by flashing its status lights. If I need to adjust how much rinse agent it uses, I have to look in the manual and study it very carefully.

If I could control it with an app (which would imply IoT), I could adjust its operation by pressing a well labeled button and checking a well labeled box. It could even email when it was done with the cycle (so that I could reload the dishwasher in timely fashion). I could do all sorts of mildly complicated things, such as scheduling, more easily. And the cost of this humane interface would be much less than putting in a touchscreen or adding half a dozen new buttons and a multiline segmented display.

The internet of things comes about because most people don’t have household servers, and must rely on an outside server to essentially pass messages between household devices. The local infrastructure simply isn’t there, and manufacturers have kludged together a ludicrously insecure solution.

1 Like

I just don’t see how implanted medical devices are going to connect to control equipment without using NAT-T.

And it’s not as if they can encrypt them, they’d be useless as emergency life-saving devices if technicians and doctors couldn’t get into them without pass codes. And even if the control equipment is firewalled, a big assumption given the security failures of hospitals, the worm’s developers would be banking on the firewall working and being properly enabled. I’m also highly skeptical these devices aren’t using TCP/IP, but I’m open to the possibility that I’m wrong.

Targeting insecure IoT devices while being sure medical IoT devices are using a different protocol seems like a significant gamble. And maybe I am wrong, but the worm’s developers better be damn sure about it, which presupposes significant knowledge about medtech, and if they’re just assuming those aren’t vulnerable, people’s lives hang in the balance.

4 Likes

Can’t make an omelette without bricking some eggs?

4 Likes

I think a more apt analogy would be that it exacerbates the symptoms, to the point that the body has to start paying attention to the ailment. Like a fever that finally makes you take a day off from work, lie down and take a Tylenol, and given high enough temperatures, call your doctor to see if you have Zika virus…

[ETA: and to extend the analogy, hopefully the doctor takes a culture, finds out you have a bug that has been catalogued with the CDC for a decade, and then roundly scolds the NIH for not putting more funding into a vaccine…]

3 Likes