During the news round-up on the 20 April 2017 edition of Paul’s Security Weekly, the crew were discussing the Hajime IoT worm, as covered in a BBC article. Many other news outlets and podcasts covered this worm as well. Graham Cluley’s write-up gave a better description than the BBC’s.
The worm blocks access to ports 23, 7547, 5555, and 5358, services that are commonly targeted by Mirai and other threats to IoT devices. It also leaves a note behind that reads:
Just a white hat, securing some systems.
Important messages will be signed like this!
What got me interested was when Carlos jumped in to point out that this “white hat” hacker could be doing a lot of damage. What if it hits a medical device, or takes out a security camera and then there’s a robbery?
These concerns are completely founded. Those things will happen. But their conversation left that as the conclusion, which raised an interesting point – how does one balance that potential negative consequence against the potential benefit of something like this?
Time for a disclaimer – this kind of activity is illegal. It should not be carried out, and this post is not an endorsement of this kind of activity.
The upside of this kind of worm is exactly the same as that downside. Someone’s camera could be taken out, allowing a robbery to go unnoticed, or the exploitation of a medical device could lead to serious health problems. How is that an upside? It makes people care about the security of their devices, which is something that cannot be said today.
As Bruce Schneier lays out quite nicely, there is currently no incentive for people to secure these devices. The developers are racing to market as cheaply as possible. The owners don’t care if their IoT device is infected, as long as it functions and isn’t stealing from or spying on them. That leaves a huge gap where no one cares if the Mirai botnet is out there DDoSing Dyn, taking half the internet offline. Bruce suggests that regulation is the solution when two parties are undertaking some action that negatively impacts others but not necessarily themselves. However, Hajime (and the nematode worm before it) might suggest another way out of this equilibrium.
If people start to feel some pain for their devices’ lack of security, they are not going to know that something stopped working because of a worm. They are just going to call and complain. And when people complain, manufacturers will have to do something about it.
This is not an argument that people should create more “white hat” worms to break IoT devices. Again, that’s illegal. But there are interesting upsides to the havoc that could follow. Those upsides are difficult to weigh against the downsides, but they make for an interesting thought experiment.