Eric Watkins, senior malicious detection researcher at zvelo, discusses the rise of IoT botnet attacks and how to mitigate the threat they pose.
The meteoric growth of the IoT industry has forced vendors to prioritize impressive top-line features and cost efficiency, leaving security as an un-sexy afterthought. This has left countless IoT devices on the market today rife with vulnerabilities: comically weak default passwords, poor patching systems, and the use of telnet, FTP and other services that carry an exceptionally high risk of data exposure.
Whereas the average IoT device user sees an opportunity to adjust their thermostat from an app without getting out of bed, hackers see a largely unguarded opportunity to introduce malware that locates IoT devices, takes control of them, and turns the scantily-secured devices into mindless soldiers ready to cause mayhem.
Recent distributed denial of service (DDoS) attacks have demonstrated the dangers of a vulnerable IoT ecosystem. In October of 2016, the highly publicized attack on DNS provider Dyn resulted in the unavailability of many major websites and applications most of us would never imagine going offline, including Amazon, Twitter, Spotify, and GitHub. Dyn’s findings indicate that the attack utilized a botnet comprised of IoT connected devices and may have involved 10 million different IP addresses.
Soon after, another attack using the same botnet attempted to take the entire country of Liberia offline. Each strike delivered 500 Gbps of disruptive data for several minutes, enough to make affected sites unavailable. But this is not an outlier or a one-off issue.
It’s anticipated that the world will tally 200 billion connected devices by 2020 – more than 26 IoT connections for every person on earth. At the pace the IoT is growing, predictions are that future DDoS attacks could reach a magnitude of 10 Tbps, more than enough to render any targeted site or country unavailable.
While it’s still more common to think of website security issues in terms of passwords and hacking, DDoS attacks are just as effective at sidelining a site – and they don’t require the sophistication of an attack that can overcome security measures. Rather, a DDoS attack is a war of attrition against network infrastructure. All one needs to succeed is enough distributed connected devices to overwhelm systems with requests, and to stop some or all legitimate users from having their site requests successfully completed.
The IoT age is just dawning, but already next-generation botnets made of IoT devices have emerged as a potent conduit for these attacks. IoT botnets will only increase in their effectiveness and in the danger they represent – until vendors take a much more serious approach to securing their devices.
Securing personal devices from botnet attacks
In today’s IoT, it can be challenging to manage and patch smart home devices. They can be hacked in minutes. Malware can even introduce a permanent backdoor to many devices, allowing hackers to add them to a botnet whenever they wish. Worse, the functionality of many IoT devices adds the potential for “creepy” attacks that take advantage of gathered data, special functionality, and even surveillance. For example, hackers with control over a data center’s IoT climate control devices could turn the temperature up to its maximum, taking computing resources offline by causing them to overheat. Nor would it be at all far-fetched to see hackers using IoT video conferencing equipment to spy on personnel at an enterprise, learning the optimal time to deliver an attack.
Preventing your own IoT devices from contributing to botnets – and/or exposing your home or enterprise to more nefarious dangers – requires diligence. Research any IoT devices ahead of making a purchase to ensure they aren’t known to be susceptible to malware, and that it’s possible to customize the login credentials to avoid using the default settings.
The Shodan Database is a useful tool for checking if a particular connected device is vulnerable. Beyond this, make sure to regularly change device passwords at least every 90 days, and use strong authentication (credentials like admin/admin are a recipe for disaster). Disable non-essential services as well – devices that have telnet, FTP or similar services exposed are easy recruits for botnets. Also, enable protocols like HTTPS and SSH to support encryption and strong authentication. Deploy security gateways to inspect, audit, and control network communications, and check the integrity of data transfers. Make sure that any IoT management hubs and services are secure. Importantly, update your devices whenever possible to guard against any critical vulnerabilities that arise.
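The gateway auditing described above can be reduced to two simple checks on outbound flow records: a device opening telnet or FTP connections to many distinct hosts (malware hunting for more devices to recruit) and a device pushing an outsized byte volume at a single host (participation in a flood). The following is an added example, not code from the article or from zvelo; the flow records, IP addresses, and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Legacy services the article names as easy recruitment vectors for IoT botnets.
LEGACY_PORTS = {21: "ftp", 23: "telnet"}


def analyze_flows(flows, scan_threshold=20, flood_bytes=50_000_000):
    """Return {source_ip: [finding, ...]} for two botnet symptoms.

    flows: iterable of (src_ip, dst_ip, dst_port, bytes_out) as a security
    gateway might record them for devices on a LAN.
    - 'recruit-scan': src reached >= scan_threshold distinct hosts on telnet/FTP.
    - 'flood': src sent >= flood_bytes to one destination in this window.
    Thresholds are assumed values; tune them to the network being audited.
    """
    scan_targets = defaultdict(set)                  # src -> {dst on legacy ports}
    volume = defaultdict(lambda: defaultdict(int))   # src -> dst -> total bytes
    for src, dst, dport, nbytes in flows:
        if dport in LEGACY_PORTS:
            scan_targets[src].add(dst)
        volume[src][dst] += nbytes

    findings = defaultdict(list)
    for src, targets in scan_targets.items():
        if len(targets) >= scan_threshold:
            findings[src].append(("recruit-scan", len(targets)))
    for src, per_dst in volume.items():
        for dst, total in per_dst.items():
            if total >= flood_bytes:
                findings[src].append(("flood", dst, total))
    return dict(findings)


# Constructed sample: a camera probing telnet on 25 hosts, a thermostat
# blasting one external host, and a laptop doing ordinary HTTPS traffic.
SAMPLE_FLOWS = (
    [("192.168.1.20", f"10.0.{i}.1", 23, 120) for i in range(25)]
    + [("192.168.1.21", "203.0.113.9", 443, 20_000_000) for _ in range(4)]
    + [("192.168.1.50", "198.51.100.5", 443, 150_000)]
)

if __name__ == "__main__":
    for device, hits in analyze_flows(SAMPLE_FLOWS).items():
        print(device, hits)
```

A device that trips either rule is a candidate for the disconnect-and-reset procedure described next.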
If the presence of malware is suspected in a device, disconnect it, reset it to factory settings, and install the latest patch before reconnecting. It is worth noting, however, that some devices are simply unpatchable and should be discarded entirely (in these cases a recall and refund may be available). With the wide array of useful functions that IoT devices deliver, security is essential to making sure these capabilities remain firmly in your own hands, and no one else’s.
Eric Watkins is senior malicious detection researcher at zvelo, a provider of content and device categorization, as well as malicious botnet detection services.