I wonder, does doing something like this for the greater good make it the right choice in the long term? Creating a bot that enforces good security by bricking your devices would be a really bad experience for the users affected now, but if it finally gets these IoT companies to be serious about security it might be the right move in the long term.
That said, I'd imagine this is still very much illegal, and am not saying I'd advocate anyone writing bots like this.
I'm not sure that's true. Class action lawsuits will probably crop up pretty quickly, with people making warranty demands. I think it'll be a net negative for anyone who is liable for these devices and their security.
I 100% advocate people writing bots like this. I don't support vigilante justice in the real world because police are more effective and vigilantes get in the way and cause unrest, but there's no effective equivalent online so vigilantes are the best of a set of bad options.
I would rather this happen now, peicemeal, so vendors can respond, than 5 years later as part of a coordinated attack. State sponsored actors are on the rise, and industrial IoT has always been a juicy unsecured target.
I agree with the Radware researcher. This seemed to be a preventative measure against devices that would not get fixed, as Schneier's articles have been suggesting.
And in my head I see the equivalent of XKCD's Devotion to Duty comic: https://xkcd.com/705/ - Maybe someone is taking it upon themselves to solve the perceived problem, for better or for worse (potentially far worse).
This might not be a popular opinion -- or the "right" one -- but, personally, I'm glad to see this happening (and I hope it happens more) if it has the effect of getting folks to pay attention and address the underlying problem.
I'm surprisingly okay with this. We all know the IoT hype has given rise to many, many incredibly insecure, often non-GPL compliant slapped together Linux SoC's hooked up to whatever IO a regular appliance could have.
The manufacturers and developers have not given any consideration for real security because they haven't had a reason to yet. Sure, every other week a security researcher pwns another device and leaves a random manufacturer I've never heard of with egg on its face but unfortunately that doesn't seem to stop the global trend. This might.
11 comments
[ 2.7 ms ] story [ 46.6 ms ] threadThat said, I'd imagine this is still very much illegal, and am not saying I'd advocate anyone writing bots like this.
Sadly the law would punish them, not the manufacturers pushing out broken product.
And in my head I see the equivalent of XKCD's Devotion to Duty comic: https://xkcd.com/705/ - Maybe someone is taking it upon themselves to solve the perceived problem, for better or for worse (potentially far worse).
I wonder if anything similar has happened before.