
Hajime IoT worm: Is it pure malware or vigilante malware?

The Hajime IoT worm aims to help users tighten up security, whether they want to or not, but it's probably not a good security strategy. Expert Nick Lewis explains the risks.

The Hajime internet of things worm, which uses techniques similar to the Mirai botnet malware, apparently attempts to improve the security of the devices it infects -- rather than trying to damage or exploit them. It does not have any attack capabilities and instead displays a message from the author, who claims to be a non-malicious white hat hacker. How effective are vigilante malware efforts such as this? Could the Hajime IoT worm turn out to be malicious or have potential negative side effects?

Nick Lewis: At this point, it may seem that the only hope for securing IoT devices is to rely on cybervigilantes. The security industry seems to have had little effect, at least so far. While regulation may help, there are still many questions about who should be responsible. Should enterprises that buy and deploy insecure IoT devices be held responsible? What about the manufacturers that made the devices, or the software developers who coded them? And what about the software development educators who failed to emphasize the importance of security? Don't forget the standards developers and industry consortia that should have been looking out for users. Aside from the ethical issues, the questionable precedent and the many things that could go wrong if cybervigilantes are our only option, we need to think creatively about finding another solution.

That said, the Hajime IoT worm does appear to be capable of securing certain IoT devices. For example, it can disable the default ports used for remote control, which could improve the security of the devices, but it still leaves behind some of its own functionality that is capable of remotely controlling the device.

While the Hajime IoT worm attempts to ensure that only the worm's author can issue commands, by requiring that all commands be signed with the author's private key, the remote control functionality could still be abused and used just like the Mirai botnet, or worse. If the author had not included this functionality, or had coded the Hajime IoT worm to notify the vendor or the end user of the insecure device rather than modifying the device without permission, it would be easier to see the benefit of the worm.

The key difference between the Hajime IoT worm and a legitimate remote administration tool that an enterprise might use is that an enterprise would want to control its own devices itself rather than hand that control to a third party. Enterprises could then secure these devices and avoid most of the ethical issues.


This was last published in September 2017
