On the dark web and in the deeper corners of the public Internet, hackers tell stories of a vigilante who scoured the Internet for insecure devices, hacked into them, and disabled them so that other hackers couldn’t use them to launch attacks from.
One of those stories is of how this hacker exploited vulnerabilities in the Aztech and D-Link ADSL routers Telkom sold to its customers.
The hacker went by the moniker “Dr Cyborkian a.k.a. janit0r” and claimed to be the same hacker who created the infamous BrickerBot malware in 2017.
Although the BrickerBot part of the story is relatively well known, less well-known is the fact that Janit0r wrote detailed reports about what they did after the success of BrickerBot.
Part memoir and part technical guide aimed at fellow hackers who would like to try their hand at cleaning up the Internet by euthanising insecure devices, Janit0r posted nine reports on the dark web over several months.
In an interview with Bleeping Computer in April 2017, Janit0r described their work as “Internet Chemotherapy”.
I consider my project a form of “Internet Chemotherapy”. I sometimes jokingly think of myself as The Doctor.
Chemotherapy is a harsh treatment that nobody in their right mind would administer to a healthy patient, but the Internet was becoming seriously ill in Q3 and Q4/2016 and the moderate remedies were ineffective. The side effects of the treatment were harmful but the alternative (DDoS botnet sizes numbering in the millions) would have been worse.
I can only hope that when the IoT relapse comes we’ll have better ways to deal with it. Besides getting the number of IoT DDoS bots to a manageable level, my other key goal has been to raise awareness.
The IoT problem is much worse than most people think, and I have some alarming stories to tell.
Janit0r’s memoir is also titled “Internet Chemotherapy”. The first nine parts of the memoir were published between 10 December 2017 and 7 July 2018.
After a long hiatus, Janit0r returned to the dark web and started posting updates again on 22 June 2020. The latest instalment was published on 31 July 2020.
The hacker stated that the intention behind BrickerBot and their subsequent hacks on ISPs and telecommunications service providers was to make the Internet a safer place.
With so many vulnerable Internet-of-Things devices online that could be turned into “bots”, Janit0r said that there was a serious risk should these devices continue to be left online in their insecure states.
The dirty case of Telkom South Africa
On 2 February 2018, Janit0r published the fourth instalment of “Internet Chemotherapy” which was subtitled “The dirty case of Telkom South Africa”.
In it, Janit0r explained how they used the TR069/64 SOAP vulnerability (CVE-2016-10372) to hack into insecure Telkom-branded Aztech routers and render them inoperable.
While going through the device pool on the Telkom network, Janit0r said they noticed a large number of D-Link devices that you could log into with default passwords and reconfigure over the Internet.
MyBroadband reported about vulnerabilities in Telkom-deployed D-Link routers as early as May 2013, but the problem was never fully addressed.
In addition to hacking and “soft bricking” the exposed Aztech routers on Telkom’s network, Janit0r said that they also targeted some D-Link and Huawei routers.
Janit0r’s hope was that the disruption would cause Telkom to realise that there was a significant security problem on its network and fix it. However, that is not what happened.
Since Janit0r did not leave the routers in a state where they were permanently destroyed, Telkom simply advised customers to restore them to factory default settings.
Janit0r executed their attacks against the vulnerable routers frequently, which means that even if Telkom subscribers factory reset their routers, they would soon find themselves disconnected from the Internet again.
If subscribers complained about the repeated problems with their router, Telkom’s support staff would advise that customers buy a new router.
The hacker broke down the effect of their attacks on a daily and monthly basis. The following table shows how, according to Janit0r, the number of vulnerable devices on Telkom’s network declined between July 2017 and January 2018:
Month | Aztech (TR069 exploit) | D-Link (default password) | Huawei (MediaTek RPC exploit) | Other
“Although you might call the 94% reduction in vulnerable devices between August and January a big improvement, it should be noted that it took 6 months to realize this result,” Janit0r stated.
In contrast, Janit0r reported that they saw Rogers in Canada respond decisively to similar attacks within 48 hours, while Infostrada Italy had a five-day turnaround.
“Based on the social media record Telkom simply took a ‘not our problem, buy a new modem’ approach to any Telkom-supplied device that was out of warranty, and the mitigations were left to the user community to figure out on their own,” Janit0r reported.
Complaints on social media
Many of the social media posts from 2017 which Janit0r refers to in the original dark web post are still online to serve as proof of the Telkom hack.
“It seems that we have been picking up some issues with the Aztech routers that we have in the field. We are busy investigating the cause of the problem, but in the meantime it seems that resetting your router to the Factory Defaults and then reconfiguring it will solve most, if not all the issues,” a Telkom community manager said on the company’s support forum.
In response, several users continued to complain. One reported: “I’ve done the factory reset as per the instructions a few times already. It only lasts for an hour or two, and then the same problem rears its ugly head…no internet.”
In a different thread on the same forum, another user posted that a support desk agent informed them that 80% of the complaints Telkom was getting related to Aztech routers, and 20% to Huawei routers.
On MyBroadband, one of the forum members posted about how they solved a problem with a D-Link router during the attacks:
Client complained about no internet. Went to site to find SSID changed to TELKOMHACKED, password still the same, and the Internet Connection (pppoe under WAN connection) completely gone.
Router’s admin password wasn’t on default. Support user’s password however was still on TelkomDlink12345. Suppose that’s how they got in. Telkom as ISP.
Just FYI to change support password as well when configuring these modems.
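The forum member’s checklist above (defaced SSID, deleted PPPoE WAN connection, secondary “support” account left on its default password) can be turned into a simple configuration audit. The script below is an added example for this article, not code from the forum member, Telkom or D-Link; the config layout, the default-credential list and the sample snapshot are constructed assumptions.

```python
"""Audit a router configuration snapshot for the tampering indicators and the
default-credential weakness described in the forum post above.

The config layout, the default-credential set and the sample snapshot are
constructed for this example; they are not data from any vendor or ISP.
"""

# Constructed set of (account, password) pairs treated as vendor defaults.
# The support password value is the one quoted in the forum post.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("support", "TelkomDlink12345"),
}

# Defacement marker quoted in the forum post.
TAMPER_SSID_MARKERS = ("TELKOMHACKED",)


def audit_router_config(config):
    """Return a list of findings for one router config snapshot.

    Assumed layout of `config`:
      {"ssid": str,
       "wan_connections": [{"type": str, ...}, ...],
       "accounts": {account_name: password, ...}}
    """
    findings = []
    ssid = config.get("ssid", "")
    if ssid.upper() in TAMPER_SSID_MARKERS:
        findings.append(f"ssid set to defacement marker: {ssid}")
    wan_types = {c.get("type", "").lower() for c in config.get("wan_connections", [])}
    if "pppoe" not in wan_types:
        findings.append("no PPPoE WAN connection configured (expected on this ISP)")
    # Check every account, not only 'admin': in the post the admin password had
    # been changed, but the support account was still on its default.
    for name, password in config.get("accounts", {}).items():
        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append(f"account '{name}' still uses a vendor default password")
    return findings


# Constructed sample resembling the router described in the forum post.
SAMPLE_COMPROMISED = {
    "ssid": "TELKOMHACKED",
    "wan_connections": [],
    "accounts": {"admin": "Str0ng-Pa55!", "support": "TelkomDlink12345"},
}

if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_COMPROMISED):
        print("FINDING:", finding)
```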
Telkom, Aztech, D-Link, Huawei router vulnerabilities not unique
Janit0r noted that the situation on Telkom’s network was, unfortunately, not isolated or unusual.
“Admittedly the case of Telkom of South Africa isn’t that unique or even interesting, but it’s a story that has to be told in order to give you a better perspective of the complexities involved in forcing negligent ISPs to correct their security problems,” stated Janit0r.
“The problems involving Telkom are representative of the issues with many large ISPs outside the US and RIPE network space.”
Last year South African ISPs faced multiple waves of devastating distributed denial of service (DDoS) attacks. Cool Ideas was especially hard hit, with subscribers left unable to connect to the Internet for days at a time.
These attacks were enabled by poorly configured MikroTik routers on entirely different networks from those of the ISPs that were targeted.
In an unrelated matter, the Hawks also investigated cryptojacking attacks last year that were perpetrated through MikroTik routers that were not properly secured.
The DDoS and cryptojacking attacks in South Africa happened despite the fact that MikroTik offers excellent support and timely security patches for its devices, unlike some other Internet router manufacturers.
The issue was therefore not the MikroTik devices themselves, but the fact that Internet service providers and network operators had not configured them correctly or kept them properly updated.
The retirement of Janit0r
Janit0r announced their retirement from hacking and bricking IoT devices at the end of 2017.
They stopped posting updates on the dark web in July 2018 and, after a long hiatus, Janit0r returned and started posting again on 22 June 2020. The latest instalment of “Internet Chemotherapy” was published on 31 July 2020.
MyBroadband asked Telkom how it has secured its network against hacks such as the one Janit0r launched on vulnerable routers, but the company did not respond by the time of publication.
Thanks to Defplex for the tip.