Hajime, the grayhat botnet “securing” IoT devices

Fascinating story from Dan Goodin at Ars Technica about Hajime, a worm that infects Internet of Things devices and…apparently secures them?

Another sign Hajime is a vigilante-style project intended to disrupt Mirai and similar IoT botnets: It blocks access to four ports known to be vectors used to attack many IoT devices. Hajime also lacks distributed denial-of-service capabilities or any other attacking code except for the propagation code that allows one infected device to seek out and infect other vulnerable devices.

That sounds great, though Goodin links to a blog post by a Symantec engineer pointing out why this is, at best, a Band-Aid. Long story short: the “fixes” are not persistent. Most of them last only until the device is rebooted, and the hardcoded passwords that let the worm in stay in place. Which leads to this imagination-sparking scenario:

One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next, any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware.

Annnnd I think I’ve got the premise for my next novel…

—Linked by Dan Moren