Decoded: IoT botnets

The rise of the Internet of Things combined with the evolution of botnets poses an increasingly significant threat to businesses and service providers

By Tim Ferguson

Fri 14 Dec 2018 @ 15:03

IoT botnets? Sounds a bit sci-fi..

There’s definitely a hint of Battlestar Galactica to the name, but they’re actually the coming together of a well-established cyberthreat (botnets) with an emerging area of technology (Internet of Things). Together, they represent a growing threat that businesses must contend with.

Tell me more about IoT

By now, you’ll probably be familiar with the Internet of Things, which is seeing millions of devices connecting to the internet, from smartphones, tablets and wearable devices, to smart meters and autonomous cars.

The benefits to go beyond accessing email or YouTube from your phone. In manufacturing, for example, connected sensors on production lines will enable predictive maintenance and increased efficiencies and productivity.

But in the context of security, the huge increase in devices connected to the internet represents a new route into corporate networks that cybercriminals can use to cause havoc.

Analyst house Gartner expects there to be 20.4 billion ‘things’ connected to the internet by 2020, showing the potential scale of risk posed by cyberthreats that exploit IoT devices.

What about botnets?

These groups of connected bots can take control of your computer via malicious code, direct hacking or spider code that trawls the internet and automatically hacks computers with security vulnerabilities.

These hacked computers are then used for various purposes, including sending spam, mining cryptocurrency, or conducting denial of service (DDoS) attacks that bombard webpages to take the services they support offline.

How do they pose a threat together?

The danger is that if botnets launch DDoS attacks or take control of connected devices, the impact and scale could potentially be huge.

In late 2016, a huge DDoS attack hit the web domain registration provider Dyn. The attack was launched at a huge number of IoT devices, including CCTV cameras, and was orchestrated by the Mirai botnet.

Mirai exploited insecure IoT devices by scanning big blocks of the internet for open Telnet ports, then attempted to log in using default passwords. It then gained control of a huge number of computers.

The attack on internet infrastructure generated traffic volumes of more than 1Tbps, and took a significant number of internet services offline, including parts of Twitter, Github, Box and the PlayStation Network.

Was this a one off?

Mirai isn’t the only IoT botnet by any means.

Linux.Aidra was discovered in 2012 after researchers witnessed a large number of Telnet-based attacks on IoT devices, while Bashlite was discovered in 2014 with the source code published 2015. Some Bashlite variants reached more than 100,000 devices, serving as the precursor to Mirai. And the Linux/IRCTelnet botnet, which targets routers, DVRs and IP cameras, was discovered in 2016.

The latest IoT botnet to be identified is Torii. Researchers suggest Torii is an example of an evolution of IoT malware and that it is more sophisticated than anything seen previously. So far though, it has no clear purpose.

What can organisation do to protect themselves?

Businesses do seem to be getting more aware of the threat posed by IoT devices, but Mirai attack in 2016 demonstrated the lack of preparedness by service providers for an attack of this scale.

The fact that the code for IoT botnets is made available in the wild also means anyone can use the original code or tweak it to launch further attacks. Combined with the surge in volume of connected ‘things’, IoT botnets are likely to become an increasingly problematic threat for the cybersecurity industry to deal with.

It’s therefore crucial that organisations pay close attention to the devices being introduced to their networks and how they interact with the internet.

In addition to making sure IoT devices are secured as much as possible, organisations should also implement the latest network and user monitoring and threat detection technology to flag network activity that suggests a botnet is active.

If these steps are taken, the ability for organisations to limit the impact of this growing threat will be much improved.