Stories of vigilante justice during the “wild, wild west” period in US history are legendary. According to legend, outlaws roamed cattle towns and remote settlements overwhelming law enforcement and thriving wherever law enforcement was lax. Whenever things got too bad, citizens would sometimes band together and try to take matters into their own hands, dishing out retribution in a way that sometimes served justice and at other times, resulted in new crimes more heinous than the original offense.
Recently, with a lax environment for IoT device cyber-security, a hacker, self-proclaimed as “The Janitor,” launched his or her own vigilante style cyber-attack. The attack targeted devices that failed to meet basic cyber-security requirements, such as not requiring end users to change default passwords. The attack modified critical code and/or data stored on these devices to “brick” the devices thereby rendering them unusable.
The Janitor, in a manifesto released accompanying the cyber-attack, said he likes to think of himself as “The Doctor” and described the attack as a sort of “cyber-chemotherapy.” Just as chemotherapy is an extreme action taken to rid the body of harmful cells, his cyber-attack would rid the Internet of IoT devices he felt contributed to the Internet becoming “seriously ill.”
The recent Mirai attack, in which thousands of insecure IoT devices were used to create a botnet that launched cyberattacks, was cited as justification. His rationale was that these unprotected devices leave us all vulnerable to cyber-attacks that could inflict serious damage on us as a society. As you may recall, last year’s Mirai DDoS attack shut down the websites of major companies, bringing e-commerce to a halt in some locations. The Doctor wants to prevent these types of attacks from happening again.
The Doctor’s actions, while clearly illegal, highlight an important issue. Despite the growing threat of attack, companies are not adequately investing in security.
And until companies appreciate the risk involved in distributing unsecured devices, cyber-attacks will continue to occur. Regardless of the motivation behind the attack, ultimately, it is those OEMs that produce products lacking security that are mostly to blame. Just as societies without strong law enforcement result in higher crime rates and vigilante justice, lax security results in increased cybercrime.
by Alan Grau, president and co-founder of Icon Labs.