Botnet Invasion: Its Security Implications to the IoT

By Sylvia He

Introduction
After breaking into a computer or a computer system, a hacker can spy on the victim,
hold the victim's data hostage for a ransom, or scare the victim into downloading
dangerous software. But they can also do something much more sinister: turn the
compromised machine into a bot that they can contact and activate later. Linking
many such bots together gives the hacker a botnet, an army of hijacked machines under
one command.

Botnets excel at brute-force tasks: scanning for and breaking into more targets to turn
them into bots, or overwhelming a system with requests to cause a distributed denial of
service (DDoS), which blocks legitimate users such as customers and employees from
accessing it.

DDoS is one of the most popular and damaging cyber weapons and, by some estimates, the
cause of a third of IT-related downtime incidents. Such attacks cost billions each year
through revenue lost from failed business transactions, data loss, system repair costs,
and lost public trust. DDoS attacks on service providers and large enterprises are
frequent and large-scale, endangering every commercial and government entity that
relies on a service provider for data management.

Botnets are just about as hard to kill as bedbugs. Because the requests come from many
different bots, each with its own address, DDoS traffic blends into legitimate traffic,
delaying detection and response. Because attackers route through networks of proxies to
hide the location of their command-and-control (C2) servers, identifying the botnet or
tracking its activity is hard. And if the C2 servers directing the botnet are hosted by
providers that do not honor takedown requests, the botnet survives even after it has
been identified.

History of Botnets

The first botnet attack, which occurred in 2001, was used to send spam. Since then, the
use of botnets has diversified and grown more sophisticated. In 2012, six US banks,
including Bank of America, JPMorgan Chase, U.S. Bancorp, Citigroup and PNC Bank, were
hit simultaneously by a botnet using multiple attack methods at 60 gigabits per second.
By 2014, the botnet attack on PopVote, a website sympathetic to Hong Kong's
pro-democracy grassroots movement, involved five botnets and a peak traffic level of
500 gigabits per second.

Recent incidents often mentioned alongside botnets include the Marriott breach and
attacks on WordPress sites, but the biggest and most infamous botnet attack was Mirai
in 2016, which demonstrated how connected devices, the Internet of Things (IoT), could
be weaponized.

Geolocation of the Mirai botnets. Image courtesy of wired.com

The Mirai botnet was co-created by Paras Jha, a university undergraduate and Minecraft
enthusiast, who wanted to profit from hosting Minecraft servers by using DDoS attacks
to knock rival hosts offline temporarily.

Mirai exploited insecure IoT devices in a simple but effective way. Rather than hunting
for particular gadgets, it scanned large blocks of the Internet for devices with an open
Telnet port that still accepted one of the 61 factory-default username/password
combinations hard-coded into the malware. Once on a device, Mirai also searched for and
killed competing malware so that it had the hardware to itself. The result was an army
of compromised closed-circuit TV cameras and home routers, and the botnet was observed
to touch tens of millions of distinct IP addresses.

First, Jha and his accomplices targeted the French hosting provider OVH, which also
hosted Minecraft servers, hitting it with record-breaking traffic of about 1.5 terabits
per second. Next, the botnet's compromised cameras were pointed at a prominent
cybersecurity blog, Krebs on Security, and took it offline. The subsequent publication of
Mirai's source code effectively enabled anyone to build their own botnet. Then came the
major attack on the DNS provider Dyn at an estimated 1.2 Tbps, temporarily cutting off
access to Twitter, Netflix, Spotify, Box, GitHub, Airbnb, Reddit, Etsy, SoundCloud and
other sites. The FBI believes that this attack ultimately targeted Microsoft game
servers, which Jha considered a competitor in Minecraft hosting.

Even after the arrest, guilty pleas and sentencing of Jha and his co-conspirators, Mirai
is still causing problems across the web. Almost a million German telecom customers and
thousands of routers in the UK were later knocked offline by a Mirai variant, and 80
models of Sony cameras have been found vulnerable to Mirai takeover. Mirai is not
particularly novel, but it is flexible: because its source code is public, attackers can
adapt it to new IoT devices and new default credentials, and the later Satori and Reaper
botnets are believed to descend from it.

Lessons Learned

In the aftermath, some security experts, such as Morey Haber (vice president of
technology at BeyondTrust, an identity and vulnerability management firm), advocated
stronger laws governing IoT devices before they are produced and shipped, together with
stronger international cooperation. Other experts, such as Chester Wisniewski (principal
research scientist in the office of the chief technology officer at the security firm
Sophos), considered such legislation merely preventative and insufficient to stop the
spread of Mirai. Both camps pushed for minimum security standards and best practices,
such as regular patching, credential rotation, and restricting the privileges of IoT
devices, to improve system security and public trust. Meanwhile, Dyn advised other
companies to diversify their Internet infrastructure partners (for example, by using more
than one DNS provider) so that a single DDoS attack cannot take them offline. Lastly, a
related lesson from the Marriott breach, which was a database intrusion rather than a
DDoS attack, is that encrypting sensitive data at rest, such as customers' passport
numbers, can protect the data even after a system has been successfully hacked, provided
the encryption keys are not stored alongside the data.

Trends

The Internet of Things (IoT) is a boon for cybercriminals. By 2017 there were 8.4 billion
IoT devices ripe for the plucking, and Gartner expected 20.8 billion in use by 2020.

While vigilance over desktops, laptops and even mobile phones has improved over the
years, people still pay little attention to devices that have some computing power and
an Internet connection, such as home routers, security cameras and baby monitors. These
devices typically run a stripped-down Linux system, have no built-in ability to be
patched remotely, or sit in physically inaccessible locations. Devices defended this
weakly are sitting ducks for recruitment into the high-volume, technically
sophisticated and continuously evolving DDoS attacks described above.

According to the Nokia Threat Intelligence Report 2019, IoT bots made up 16% of infected
devices in 2018, up from 3.5% in 2017, and 78% of detected malware events were related
to IoT botnets, double the 2016 figure of 33%. Botnet attacks were expected to worsen in
2019 as the expansion of 5G brought more unsecured devices, including smart home
security systems, vehicles, drones and medical devices, online. This development scales
up attacks and lowers the barrier for cybercriminals: once they hack a few cameras, they
can often reach every camera of the same model under a company's control, because the
devices share the same firmware and the same default credentials. Such a scenario is
already a reality in Japan, where 50,000 surveillance cameras were recruited for a DDoS
attack.

What the Government Can Do

A recent report by the Department of Homeland Security and the Department of Commerce
states that "DDoS attacks have grown in size to more than one Tbps, far outstripping
expected size and excess capacity. As a result, recovery time from these types of
attacks may be too slow, particularly when mission-critical services are involved."
Furthermore, traditional DDoS mitigation techniques, such as network providers building
in excess capacity to absorb the effects of botnets, "were not designed to remedy other
classes of malicious activities facilitated by botnets, such as ransomware or
computational propaganda."

The Defense Advanced Research Projects Agency (DARPA), part of the Department of
Defense, is investing in systems that identify botnets, tools that can gain access to
botnet-infected machines without disrupting their normal operation, and tools to
neutralize a botnet once inside it. A joint report by the Departments of Homeland
Security and Commerce also offers agencies guidance on how to collaborate in their
efforts to combat DDoS and botnet attacks.

What Businesses Can Do

"First of all, devices have to be securely managed," said Kevin McNamee, director of
Nokia's Threat Intelligence Lab and lead author of Nokia's Threat Intelligence Report
2019, adding that such effort involves software, firmware and patching. "Service
providers and enterprises deploying IoT at any scale should make sure they are doing it
by a managed mechanism, so those devices can be managed, patched, and make sure
any security flaw is addressed."

Carriers should also monitor their network traffic for anomalies and "identify any IoT
devices in their network that are misbehaving and that have been compromised,"
McNamee said, preferably with automated, rapid response. Compromised devices must
be isolated from the rest of the network. In addition, IoT devices must communicate
securely, i.e., with authentication, integrity and confidentiality. Lastly, depending on
the business's goals, both always-on (proactive) and on-demand (reactive) DDoS
mitigation deployments have benefits: always-on scrubbing catches an attack immediately
at a steady cost, while on-demand mitigation is cheaper but adds detection and cut-over
delay.

What Individuals Can Do

• Take inventory of the IoT devices in your home and remove superfluous ones to reduce
your exposure to attack. For the devices you keep, change the default passwords and
install firmware updates.

• Prefer IoT devices that have gone through several product generations, come from a
recognizable brand or have many online reviews; such vendors are more likely to keep
publishing security updates, although brand recognition alone is no guarantee.

• When setting up a new device, replace the default password with a strong, unique one,
because attackers routinely try factory-default credentials first, and turn on any
advanced security options the device offers.

• Keep the device's software up to date to close known vulnerabilities. Set it to
auto-update if that option is available, so it always runs the manufacturer's latest
firmware.

• Remember that IoT devices travel outside the home, including wearables such as
smartwatches and children's devices. Avoid connecting them to unsecured public
networks, such as airport Wi-Fi, unless you genuinely need to.
