There’s a vigilante out there and he never sleeps. This crimefighter isn’t really a “he,” but an “it,” a piece of software that’s looking for devices connected to the internet that haven’t changed their default usernames and passwords. It hijacks them and runs code that wrecks their hardware. It’s called “Brickerbot.”
It’s not here to make friends.
Brickerbot was built, according to reporting from Bleeping Computer, by a greyhat hacker going by “Janitor” who wanted to do something about botnets that attack websites and hold them for ransom. We recently reported on one that knocked the hugely trafficked Drudge Report offline. These attacks hijack networked devices to run distributed denial-of-service (or DDoS) attacks. The vigilante decided to counter them by destroying their weaponry, even though those weapons belong neither to the attackers nor the vigilante.
Janitor has taken an extreme approach to dealing with one of the bleeding edge problems created by the internet of things, a problem that isn’t especially hard to solve. All we need to do is sell IoT devices that won’t work until the new owner puts a new password on them. Done. But there may well be many more harms to come when everything from automobiles to blenders has been connected to the internet (even if they all have very good passwords), at least according to a panel organized by the Mozilla Foundation and the Netgain Partnership at the New York Public Library today.
“The internet of things is a monster riding an asteroid,” said Matt Mitchell, the founder of CryptoHarlem, an organization that equips regular people to protect their privacy. Old school hacker Dark Tangent made a very similar case to us this time last year.
Without endorsing Brickerbot’s methods, Mitchell expressed sympathy for its creator’s impatience with the obvious flaws in the first generation of connected products. On the other hand, he also had little sympathy for “50 Things You Can Do To Protect Everyone’s Internet Security” approaches to addressing the IoT threat.
“Can the public be responsible?” Mitchell asked. “We can’t trust the public with getting vaccinated and washing their hands.”
In order to protect people from wide failures of networked devices, the solutions need to be structural and universal, because networked devices don’t break the way normal products do.
“Computers fail in a different way,” said Bruce Schneier, an author and computer security professional. “They all work perfectly until none of them do. That’s unique in the world of consumer products.”
Here’s a scenario: imagine a future city that has made progress reducing crime and saving money on policing by patrolling with robots in order to deploy humans only in places where crime is actually occurring or an investigation is needed. Setting aside the dystopian Robocop-esque issues that kind of scenario raises, think about this: what happens when all those robots tank at once in a city that only has enough human police to respond?
Digital technology’s power lies in how quickly it scales. Once a piece of software is made, it costs almost nothing to make millions of copies. Its benefits quickly scale, but so do its failures.
But these technologies are so seductive. Marek Tuszynski, creative director at the Tactical Technology Collective, gave an example of an art project we’ve written about here before, “Smell Dating.” In short, it is blind matchmaking by smell. Pretty funny, but when Tactical Tech set up a demo of project samples at its Glass Room art installation in New York City, visitors were happy to fill out questionnaires indicating their reaction to B.O. in jars on site.
It illustrates how eager people are to turn experiences into data. We naturally put the usefulness of generating data far, far ahead of that data’s implications.
“I think what we have is government abdicating,” Schneier said, but the tech industry makes too much money for the government to do anything about it yet. Government won’t step in to regulate pervasive data collection and the internet of everything until people start to die. As long as the internet was a virtual world, that couldn’t really happen directly.
When the day comes that cars are guided by internet-connected guidance systems, health diagnoses are made by robot brains in the cloud and robot custodians do heavy maintenance on buildings we work in, the safety model will change. One way or another, someone will die and then the government will act. The government acts when people start to die, Schneier said.
So, cross your fingers. It shouldn’t be long.