How a High-School Dropout Hacked a Million Devices
The unemployed high-school dropout who hacked nearly one million Internet routers, DVRs, and video cameras didn’t look particularly formidable in his pajamas.
Kenneth Currin Schuchman, 21, who pleaded guilty Tuesday to aiding and abetting computer intrusion in a federal court in Anchorage, Alaska, admitted that he co-created the Satori botnet and at least four others that ripped through the Swiss cheese security surrounding the so-called Internet of Things (IoT) in 2017 and 2018.
He met with The Daily Beast last year, about two months after his indictment, on condition that our story was only published after his guilty plea. At the time, he was free on bail and under house arrest. Largely confined to his father’s Vancouver, Washington, apartment, he longer bothered getting dressed for the day.
But Schuchman was still allowed computer access, and he was keeping busy, trash-talking with other IoT hackers in the online chat room they all frequent, and discovering still more vulnerabilities in the growing menagerie of devices entering a dangerous 21st-century Internet with 20th-century security.
“It’s terrible and it’s going to get worse,” he said, speaking at a rapid clip that breaks only for intermittent drags from an e-cig. “I think anybody that would get into this could find the same thing… And I don’t presume it’s going to get any better any time soon.”
Intelligence officials increasingly view the Internet of Things’ insecurity as a national-security issue. In a Senate hearing last year, Defense Intelligence Agency Director Lt. General Robert Ashley called insecure mobile and IoT devices “the most important emerging cyberthreats to our national security.” In 2018 the FBI disrupted an IoT botnet linked to Russia’s GRU military intelligence agency that had gained control of some 500,000 home and office routers.
Earlier botnets built from Windows PCs had myriad purposes in the computer underground, including sending spam and stealing financial data. But so far IoT botnets are mostly used to launch distributed denial-of-service attacks. A hacker in control of 100,000 network-connected surveillance cameras, for example, can command some or all of them to simultaneously flood a target server with traffic, slowing it down or rendering it completely unreachable.
That power is prized by a delinquent faction of the online gaming community that uses DDoS attacks to cripple rival gamers or entire game servers. Schuchman came to that community (described by federal prosecutors as “socially immature young men living with their parents in relative obscurity”) when he was a 16-year-old Xbox player, he said. He called himself “Nexus Zeta.” “I didn’t really know much back then,” he said. “I started meeting people on Skype.”
Over time, he became friendly with a core group of DDoS artists locked in endless competition for better and more powerful weaponry. One of them, a student at Rutgers University in New Jersey named Paras Jha, co-developed a new breed of malware called Mirai.
Mirai worked by rapidly scanning large swaths of the Internet for routers configured to allow remote logins. The hacking component of the code was crude—it connected to each router and started trying common hard-coded and default passwords. But as the first large-scale IoT botnet, Mirai was a spark in a forest never before touched by fire. It quickly accumulated enough bots to level record-breaking attacks, and Jha and his confederates built out a thriving DDoS-for-hire service.
The Mirai source code leaked, immediately spawning a plethora of remixes by other hackers who tweaked the malware to target different devices using the same elementary methods.
Schuchman did them all one better. Unlike most of his competitors, he had a knack for reverse-engineering the code powering IoT devices, allowing him to suss out security holes no one else knew about—so-called “zero-day” bugs with no ready fix. One was a vulnerability in a line of routers made by the Chinese electronics company Huawei. “I decided to add the Huawei zero-day to Mirai,” he said.
His intent, he told The Daily Beast, was to replace Mirai’s noisy brute-force scanning with a measured, discreet infection of vulnerable Huawei devices, building a formidable botnet without anyone discovering the security hole that made it possible. But the moment he launched his bot, which he dubbed Satori, he quickly realized he’d made a blunder.
“I forgot to disable the [original] scanner, so everyone saw their honeypots blow up, and I was like, ‘Oh shit, I screwed up,’” he said. “People are going to figure out what device it is. So that’s when I decided to just infect them all.”
Schuchman’s plea agreement filed Tuesday puts the number of Satori infections at 100,000, but security experts say the actual number easily tops half-a-million, outstripping even Mirai in its reach and potential fire power.
In his interview with The Daily Beast, Schuchman said he had no financial motive, but he admitted in his plea deal that he conspired with two other IoT hackers, known as Vamp and Drake, to rent out Satori for use in DDoS attacks. According to the document, the three went on to amass several more botnets. One, Masuta, seized control of 700,000 Huawei devices and fiber optic routers. Other hackers took over 30,000 GoAhead IP cameras, and 35,000 Chinese DVRs. Vamp served as lead developer, Drake handled sales, and Schuchman did what he does best: finding new security holes and weaponizing them into “exploits.”
“I was the one who started the whole exploit thing,” he said. “Now everyone’s putting exploits on a bot all of a sudden.”
But Troy Mursch, security researcher at Bad Packets, said nothing quite like Schuchman’s bots have shown up in the wild since his arrest. “The big one was the exploitation of the zero-day, the one that targeted the Huawei,” he said. “In regard to seeing zero-days in the IoT realm, that has largely not happened since his case. But all the Mirai-like botnets are still raging… There’s still a lot of flaws in these devices that will never be patched.”
Schuchman struggles with drug addiction, and he said some of his hacking came in 24-hour methamphetamine-fueled bursts. “I would be up all the time on my computer 24/7 running nets,” he said. He also has Asperger’s syndrome. He speaks fast and clear, but in a steady, near-monotone pitch. “It’s always affected me,” he said. “I try to work with it… Be more aware of my surroundings, just stay away from things that cause me stress.”
For all of his skill, Schuchman never worked hard to cover his tracks, and computer-security experts investigating Satori knew Schuchman’s name and address months before the FBI moved in. That was in late July 2018, when Jha showed up in Vancouver for what he said was a job interview.
The Mirai author invited Schuchman to a nearby hotel so the two botmasters could hang out and drink vodka. He even booked him an Uber. They chatted for about two hours in the room, then went out to a liquor store. When they got back, FBI agents were waiting in the alley. “Kenneth, we want to talk to you and ask about Masuta and Satori,” one said, according to Schuchman.
“And I was like, you’ve got to be fucking kidding me,” Schuchman recalled. “I knew right then and there that most likely it had something to do with Paras.”
Jha and two co-defendants had pleaded guilty months earlier to computer crime charges. The case was handled out of Anchorage by FBI agents and a prosecutor with unusually deep knowledge of IoT botnets and the culture surrounding them, and an equally unusual tendency to try and rehabilitate young hackers instead of sending them to prison. To that end, and unbeknownst to Schuchman, the FBI had put Jha to work.
Schuchman was indicted soon after. Even on home detention, though, he was still looking at IoT code and finding new vulnerabilities—he has to do something, after all. But he told The Daily Beast he’d given up creating botnets, and said he was thinking about reporting his finds to the manufacturers like a legitimate security researcher.
The botnet scene was getting old anyway, he said. “With everybody right now making these little crappy Mirai variants and putting all these exploits into them, it’s gotten kind of big again,” he said. “Nobody has any bots though.”
Nobody has bots?
“They probably have a few thousand, but I don't consider that to be any bots,” he said.
Less than two weeks after the interview, Schuchman was taken into custody for violating his pre-trial release conditions. The details were held under seal until Tuesday, when Schuchman’s plea agreement revealed he’d been committing new crimes from his father’s apartment, including using information from his legal discovery to target a rival IoT hacker with a SWAT team, and working on a new and improved version of his botnet.
Schuchman’s sentencing is set for November.
Gloss