It's important to note though that if you quietly (or even publicly) patch 600k devices to fix a bug, nobody cares. Plus, doing so is still a crime: it's 600k instances of accessing a computer system without permission. It's also far, FAR easier to write a stream of 0s to the bootloader than it is to decompile and debug bad firmware.

Now if you brick the 600k devices, it gets attention. I'm NOT saying this is the appropriate or morally righteous thing to do, but like any other form of protest, the point is not to solve a single instance of a problem, it's to draw attention to the wider systemic issue: some ISPs not patching or life-cycling their CPEs.

Depriving access to the Internet (and potentially 911) to 600k households is still wrong, no matter the intent.

-Matt

On Mon, Jun 3, 2024 at 11:10 AM Matthew Petach <mpetach@netflight.com> wrote:

I'm sorry, but if you have the wherewithal to commandeer 600,000 devices well enough to permanently brick them, you have the wherewithal to commandeer them and load a patched version of software on them closing up the vulnerability.

If there's no fixed version of software available for the platform, then you cannot fault the ISP for not patching the devices.

If there IS a fixed version of the software available, this person should have used the botnet c2 to distribute and apply the fixed firmware, thus solving the problem while not killing connectivity for innocent end users.

The decision to take destructive action is indefensible.  The right choice should have been to update the devices with patched software if it was available, and if it wasn't, to leave them alone and instead focus on trying to develop a fixed version of software.

Now, if they were simply inept, and were trying to load fixed software onto the devices but failed to test their process adequately first, then at least their heart was in the right place, even if their understanding of how to do large-scale firmware upgrades safely wasn't.

But that's certainly not what that article would lead us to suspect was the intended outcome.

Matt
--
Matt Erculiani