The media has been reporting on the spread of the “Benevolent Malware” called Wifatch that is said to be infecting over 10,000 home routers worldwide. Wifatch was discovered by security researchers at Symantec and “attacks” home routers it finds that are running the telnet protocol in an unsecured way. Wifatch then installs itself into that router and proceeds to disable telnet on the device, thereby making the router more secure. This is so unusual because while it acts like malware in the way it spreads without any permission, it also performs beneficial services of making its host more secure. It is important to recognize that there are skeptics who fear that Wifatch may be poised to perform some sort of malicious behavior at a later time.
Everyone will agree that what Wifatch does is illegal in most countries (e.g. CFAA in the US, Computer Misuse Act 1990 in the UK, etc.). But that isn’t what’s really interesting here. What is interesting is whether what it does is ethical.
We now know that Wifatch was written by the White Team, a group(?) of anonymous hackers that pulled the whole thing off and claim that they were just trying to help. The leader of the group even spoke to Forbes where he claims:
“this is a truly altruistic project, and no malicious actions are planned.”
On the other hand, when asked if they could be trusted not to turn this work into a platform to launch malicious attacks (which they certainly could do) he said
“Of course not, you should secure your device.”
Many people believe that what Wifatch does is benevolent. They say that even if there is malicious intent, the device was completely unsecured to begin with, so there’s no loss there in adding more malware. On the other hand if it’s only trying to do good, then turning off telnet was beneficial. We disagree with this position as we feel that there are more issues to consider.
Who’s responsible in the case of a failure?
When we deal with computers, it’s important to consider: What happens when something goes wrong? Remember, this is an automated process trying to modify the configuration of a remote device. Something is bound to fail here at some point.
Why do we believe that? Well to start with, there are so many different varieties and flavors of consumer routers. There are many vendors each selling several models. Each model has different hardware revisions (e.g. the very popular Linksys WRT54G has over 50 different hardware variations) and each revision has several different firmwares. On top of all of these variations, each firmware has its own set of bugs. Some don’t properly implement standard protocols. If someone believes that they can write an automated process to modify a random router on the internet without ever having anything go wrong, they’re fooling themselves.
So let’s just agree that things are going to fail. Unfortunately, it’s going to happen on a device that’s thousands of miles away from the White Team’s lab. They may not even be capable of determining that something has gone wrong in the first place. In this situation, who’s responsible for fixing the problem? The guy who owns the router will just see this as an example of “The internet stopped working”. Many calls to the ISP will ensue. Perhaps he’ll even take his laptop to the Geek Squad to remove viruses. At some point someone will have the idea to reboot or swap out the router and only then will things begin to work again. Lots of time and money wasted, and the people responsible are nowhere to be found.
“Benevolent Malware” simply creates confusion for everyone
A bigger problem is that this type of malware is going to lead to a whole lot of confusion.
Here’s what we know about the routers that were infected:
- They were running some distribution of Linux.
- They had default or trivial passwords.
- They had telnet running on an internet-facing port.
Let’s start with #3 first: Who runs telnet on an internet-facing port on their home router? To help answer this question we looked through the data that’s been aggregated from thousands of RouterCheck runs. And the answer is: not many people do this. The data suggests that it’s about 3%.
And who are these 3%? A reasonable guess is that they’re either (1) sophisticated users who want to get the most out of their equipment or (2) neophytes who don’t know that they’re running telnet (or even what telnet is). The fact that trivial passwords were in use tells us that people who know what they’re doing were not involved. No, most of the routers involved were probably owned by people who didn’t even know that telnet was enabled. It probably became enabled by:
- The user accidentally clicked the wrong button on the router’s web interface.
- Malware running somewhere on the local network
- This is the vendor’s default configuration (Oh, please tell me that this can’t be true)
The bottom line is that most of the routers that the White Team “infected” were owned by people who weren’t even aware that there was a problem. To this the White Team would say “AHA, that’s why we left a note in the telnet banner telling the poor user that we’ve modified his equipment.”
And it’s true. If you try to telnet into an infected router you’ll see the following message:
Your device has been infected by REINCARNA / Linux.Wifatch.
We have no intent of damaging your device or harm your privacy in any way.
Telnet and other backdoors have been closed to avoid further infection of
this device. Please disable telnet, change root/admin passwords, and/or
update the firmware.
This software can be removed by rebooting your device, but unless you take
steps to secure it, it will be infected again by REINCARNA, or more harmful
This remote disinfection bot is free software. The source code
is currently available at https://gitlab.com/rav7teif/linux.wifatch
Team White <email@example.com>
But there’s a problem here. How does the guy who doesn’t even know that his router was running telnet even get to see this banner to know that someone has modified his equipment? The simple answer is that there’s no way for him to know. He’d have to use telnet and Windows doesn’t even ship with a telnet client installed. Even if it did, most people would have a difficult time knowing what to do with it. The message is good but the intended audience will never see it.
This means that we have a dangerous situation:
- Malware that’s all over the media which claims to be good but could possibly be used for evil
- A large population of people who are incapable of determining whether their router is infected with this malware
This is dangerous because people often get the “The computer is broken” syndrome and then latch onto the first ridiculous thought that they can’t disprove. We see this sometimes at RouterCheck – we’ll get a random email that says something like:
“Something funny is happening on my computer screen. Do I have the Moon Worm?”
While I’m sure that something is wrong with their computer (whether it be hardware/software/malware), it most certainly isn’t the Moon Worm. But, someone used Google and stumbled onto “Moon Worm” and learned that it could potentially cause problems. Having no way to check whether their router was indeed infected with the Moon Worm, he starts to see it as the leading candidate for his real problem.
And that’s a real concern. Knowing that there’s (possibly) something installed on your router that could start behaving badly without any way to verify is a recipe for trouble. And the biggest problem is that this confusion will affect people who shouldn’t be affected at all.
Specific Examples of Ethical Violations
When it comes to saying what is and isn’t ethical behavior for computer equipment and software, the Code of Ethics of the ACM is probably a good place to start. Here are the specific guidelines in the code that we believe Wifatch has violated.
Avoid harm to others
In particular, the ACM Code contains the following:
Well-intended actions, including those that accomplish assigned duties, may lead to harm unexpectedly. In such an event the responsible person or persons are obligated to undo or mitigate the negative consequences as much as possible.
Because of the difficulty involved in controlling what happens to a misconfigured device from across the internet, we don’t think that this goal can be achieved. And what about the guy who set up telnet on his router on purpose only to find it no longer works when he needs it. If he’s not sitting next to his router at that moment, he’s out of luck.
Be honest and trustworthy
The fact that the author of this code continues to hide in the shadows (even after publicly releasing his code) does not scream out “honest and trustworthy”. The presence of backdoors in the code which could be used in the future for mischief also does not help out.
Improve public understanding of computing and its consequences
The methods chosen by the Wifatch author do nothing to improve the public’s understanding of the problem they’re addressing. Our belief is that this solution will simply cause confusion.
He even tells users that instead of trusting him “you should secure your device”. Unfortunately, for a large population of users, this is beyond their capability and a sarcastic answer does nothing to help.
Access computing and communication resources only when authorized to do so
Okay, this is an easy one, it goes without saying.
A Message to the White Team
First and foremost, regardless of your ultimate agenda we’ve been quite impressed with the way that you’ve successfully brought the problem of unsecured home routers to the forefront. There’s been more media attention paid to this issue from your actions than from anyone else’s and that’s a good thing. This problem is real and pervasive and needs to be dealt with and we applaud you for addressing it.
But the problem is hard. It involves router vendors, Telcos, ISPs, and worst of all user behavior (and ignorance). Building RouterCheck gives us an opportunity to see the problem from high up and the view ain’t pretty. Properly addressing all of the issues is the only way to truly make things better. Check out what the SOHOpelessly Broken team is doing for some inspiration.
We’ve focused on Ethics here, but a better thing to focus on might be whether Wifatch is effective in addressing the entire unsecured router problem. Because here’s the truth: turning off telnet on people’s routers is not only ethically problematic, it won’t even put a tiny dent in the overall problem. There will still be web-based administrator passwords that remain set to the default, unnecessary open ports, remote admin enabled, wireless security disabled, and the list goes on. And of course there will also be those bugs in the firmware that allow attackers to have free reign over the devices. Putting a strong lock on the front door becomes meaningless if several other doors are left wide open. And to top it off, Wifatch is really only able to address a tiny fraction of the deployed home routers.
So if you truly want to be altruistic and make an impact on the security of home routers (which benefits us all), please reevaluate how to go about it. You’ve already shown great engineering talent and have our attention. It’s up to you to make a meaningful impact.