beebright - stock.adobe.com

How botnets pose a threat to the IoT ecosystem

While connected devices are transforming our personal and working lives in a multitude of ways, they are also a growing security risk – attackers are hijacking these devices and turning them into internet of things botnets

Connected technology already plays a dominant role in our daily lives. From mobile phones to tablet PCs, smart devices allow us to communicate with friends and family, keep up to date with what is happening in the world, stay entertained, accelerate productivity in the workplace, and much more.

But although the connected ecosystem is pretty expansive in 2019, it is about to get even bigger in coming years. We are on the cusp of an era when nearly everything around us has some form of internet ability, such as home appliances, cars, office equipment, city infrastructure and healthcare devices.

For many, the internet of things (IoT) will mark the next major revolution for mankind. According to figures from Statista, there will be 31 billion devices connected to the internet by 2025, and Gartner predicts that the average family home will have 500 smart devices by 2022. Meanwhile, IDC claims that spending on the IoT will reach $745bn in 2019.

However, while IoT technology offers a great deal of opportunity, it is also causing a major security epidemic. Hackers are increasingly exploiting connected devices to harvest sensitive data, send spam, take control of networks and launch cyber attacks around the world.

Botnet attacks have become commonplace, with CenturyLink Threat Research Lab estimating that 195,000 such attacks take place every day and Accenture putting the average cost at $390,752. It is clear that the continued expansion of the IoT ecosystem means more potential access points and weak areas that need to be mitigated. But how can that be achieved?

A growing crisis

Traditionally, criminals have used malware to infect devices. However, as the connected ecosystem expands and new technologies enter the market, they are finding different ways to launch more complex and devastating attacks. Botnets are a good example of this.

Mike Benjamin, head of Black Lotus Labs at CenturyLink, says botnets are becoming a pervasive problem across the internet and attackers are increasingly using IoT devices building their botnets. This, he claims, is creating a big security problem for consumers and businesses.

Botnets are particularly challenging because they evolve over time and new forms constantly emerge, one of which is TheMoon. Benjamin tells Computer Weekly: “Threat researchers at CenturyLink’s Black Lotus Labs recently discovered a new module of IoT botnet called TheMoon, which targets vulnerabilities in routers within broadband networks.”

Benjamin explains that a previously undocumented module, deployed on MIPS devices, turns the infected device into a Socks proxy that can be sold as a service. “This service can be used to circumnavigate internet filtering or obscure the source of internet traffic as a part of other malicious actions,” he says.  

Attackers are using botnets such as TheMoon for a range of crimes, including credential brute forcing, video advertisement fraud and general traffic obfuscation. “For example, our team observed a video ad fraud operator using TheMoon as a proxy service, impacting 19,000 unique URLs on 2,700 unique domains from a single server over a six-hour period,” says Benjamin. “TheMoon is a stark reminder that the threat from IoT botnets continues to evolve. They are becoming more sophisticated and capable of more significant damage.”

Botnets are always advancing

Like Benjamin, 451 Research IoT analyst Ian Hughes believes botnets are a prevalent security risk because they are always changing. He says that over the past few years, many forms of botnet have been created in line with the evolution of the technology industry and with advances in software engineering.

“Pre-cloud, the target would be viral infection on PCs through installation of patches to programs, usually accidentally by the user,” says Hughes. “With the increase in connectivity, and the use of the internet and the web in a cloud era, the options for nefarious code to be run on machines increased.

“Not only did the technology introduce more potential holes, but the ability for individual and groups to share information with one another, such as code, made weaknesses in systems much more well-known. Systems have also evolved from specific hardware and software combinations, which, when bespoke, are harder to gain control of en masse, to ones running general-purpose virtual machines, containers or services.”

And as more devices connect to the internet, this challenge will only grow, says Hughes. “We have an increasing number of devices with relatively cheap compute power on board, all connected to the internet and able to run any form of software, and be managed remotely,” he says.

“We also have a growing and eager market to instrument areas such as industrial manufacture, as well as the consumer space with IoT, which offers great benefits, but also increases the attack surface and options for bad actors to engage with. With an ever-more connected environment, a device such a simple surveillance video camera, in the case of the Mirai botnet, can have some of its processing hijacked and directed at almost anything else.”

To tackle botnets, Hughes says all networks and all devices need not only high levels of security monitoring and regular updates, but also known levels of trust within a system. “These levels of trust are starting to be built upwards from the chip manufacturers as well as the device and software industry,” he says. “Of course, it only takes one release of a product at any level cutting some corners to get to market, to leave something wide open for hackers.”

Poor security

It is clear that the continued adoption of IoT devices is creating a unique opportunity for attackers. Steven Furnell, senior IEEE member and professor of information security at Plymouth University, notes how poorly secured connected devices can be exploited.

“We’ve seen numerous reports of individual devices being exploited, we’ve seen a growth in malware, and we’ve had the Mirai botnet already demonstrating the significant potential to harness vulnerable devices,” he says.

“What this clearly illustrates is that we’ve failed to learn from the past. Around 15 years ago, we had wireless access points being sold without encryption enabled and with default passwords. Security was available, but it required users to be aware enough to switch it on and change from the defaults.

“Unsurprisingly, many didn’t do so, and exploitation of unprotected access points was commonplace as a result.  It was only once that wireless networks had become synonymous with vulnerability that the position ultimately changed, and manufacturers moved to enabling security out-of-the-box by default.”

Furnell believes the IoT ecosystem is experiencing a similar situation, putting pressure on manufacturers to develop more robust security mechanisms to protect users. “We have since seen the same sort of thing happen with IoT devices,” he says. “Devices have shipped either without security, without it enabled, or with universal defaults – all of which render them vulnerable to misuse, including the potential for enlistment within botnets.

“Moving forward, the fundamental point is that IoT devices need to have security available and we cannot leave it to individual users’ discretion about whether to enable it. There have been some positive moves. Last year, the Department for Digital, Culture, Media and Sport and the National Cyber Security Centre issued a code of practice for the security of consumer IoT devices.

“This proposes a set of 13 practices that developers, manufacturers and retailers could adopt to improve security, with the first of these being the elimination of universal defaults for usernames and passwords.”   

Cracking down on botnets

Although there is no silver bullet solution for mitigating the risk of botnets, there are a number of helpful best practices. “When deploying an IoT device of any type, the three most important questions need to be: Have we configured strong credential access? What is our update strategy for firmware changes? What URLs and IP address does the device need for its operation?” says Tim Mackey, senior technical evangelist at Synopsys.

“When IoT devices are deployed within a business environment, best practice dictates that a separate network segment known as a VLAN should be used. This then allows for IT teams to monitor for both known and unknown traffic impacting the devices. It also allows teams to ensure that network traffic originates from known locations.

“For example, if a conference room projector is accessible via Wi-Fi, the network the device uses should be restricted to only internal and authenticated users. Public access to the device should always be restricted. Following this model, exploitation of the device would then require a malicious actor to first compromise a computer belonging to an authenticated user.”

Mackey says regular IT audits of IoT networks should then be performed to ensure only known devices are present, with the device identification mapped back to an asset inventory containing a current list of firmware versions and a list of open source components used within that firmware.

“This open source inventory can then be used to understand when an open source vulnerability impacting a library used within the firmware has a published vulnerability,” he says. “Armed with this information, a proactive update and patching model can be created for corporate IoT devices.

“Also, inspection of the firmware should identify what external APIs (application programming interfaces), URLs and services the firmware is configured to operate against.

“These endpoints should be confirmed with the supplier as legitimate with confirmation of their function. Once confirmed, the IoT network that the device associated with the firmware is configured for can then have firewall restrictions defined, allowing the IoT devices access only to their known API dependencies. These tasks should be considered part of an overall device access model consistent with the principles of zero trust.

Read more about IoT security

Spencer Young, regional vice-president  for Europe, the Middle East and Africa at security firm Imperva, says the best way to discover and mitigate a botnet is to find its command and control (CnC) server.  “The most effective way is to look into the communication between the CnC and its bots,” he says. “Once you start searching for exploit attempts, you can start to pick up possible indicators of a botnet.

“For example, if the same IPs attack the same sites at the same time while simultaneously using the same payloads and attack pattern, it is fairly likely that they’re part of the same botnet.

“However, all initiatives to combat the growth of botnets through industry standards and legislation are likely to continue to occur only on a regional or country level. As far as industry-wide efforts go, it is hard to imagine a scenario in which a global security standard for botnet detection and defence could be agreed upon, applied and enforced.”

Given the regulatory challenges and continued rise in the number of connected devices, botnet attacks are likely to keep increasing. Young says that as our devices evolve, both in terms of sophistication and connectivity, so will botnets. This, he believes, will mean that operators will be provided with more capacity and new, more advanced attack options.

So preparation is key, says Young. “To mitigate future attacks, all businesses must be prepared to defend against an attack when it arises,” he says. “Investing in the ability to parse your cyber threatscape, successfully identify botnet attacks and build an intelligent defence is not just a security concern – it’s a frontline business issue.”

If one thing is certain, it is that the threat of botnets will only increase as the connected ecosystem rapidly expands and new connected technologies enter the market. And while attackers will continue to find new ways to take control of networks and leverage botnets, there are clear ways in which IT practitioners and organisations can mitigate the risk here – most notably the issue of improving weak security mechanisms.

It may be that attackers are often one step ahead, but by being more proactive, security teams can also leapfrog ahead on occasions.

Read more on Hackers and cybercrime prevention