Secure Connect

Botnet invasion: Examining security implications to the IoT

Author: Mark Patrick, Mouser

15 August 2019

Figure 1: Regions Most Heavily Impacted by Mirai Botnet Attack

Distributed denial of service (DDoS) is now one of the most popular and damaging cyberweapons available to hackers, causing approximately a third of IT downtime. So, what can be done? Here are a few simple steps that we can all do to safeguard ourselves from botnet attacks.

After breaking into a computer or a computer system, a hacker can spy on the victim, hold the victim’s data hostage for a ransom, or potentially scare the victim into downloading dangerous software. The hacker can also turn the hacked server into a bot that they can access and activate later. Linking many such bots together will give the hacker a ‘botnet’ – effectively an army of hacked servers. Botnets are great at brute force tasks – like hacking into more targets and subsequently turning them into bots or overwhelming a system with requests through initiating distributed denial of service (DDoS) attacks in order to block legitimate usage. 

DDoS is now one of the most popular and damaging cyberweapons available to hackers, causing approximately a third of IT downtime. Attacks of this kind cost billions each year, due to revenue shortfall from failed business transactions, data loss and system repair, as well as impacting upon trust in the brand. The DDoS attacks made on service providers and major enterprises are frequent and generally implemented on a large scale. They have the scope to endanger every commercial and government entity that relies on a service provider for its data management. 

Botnets are just about as hard-to-kill as bedbugs. The server requests from many different bots help DDoS attacks blend in with everyday legitimate traffic, thereby delaying detection and response time. Because the attackers use a network of proxies to hide the location of their command and control servers, it is incredibly hard to identify the botnet or track its activity. Furthermore, if the command-and-control servers directing the botnet are hosted on providers that do not honour takedown requests, they will survive even after they are caught. So, what can be done?

The history of botnets

The first botnet attack, which occurred in 2001, was involved in simply sending out spam. Since then the use of botnets has diversified with increasing sophistication. In 2012, six US banks (including Bank of America, JP Morgan Chase and Citigroup) were attacked by a botnet via multiple methods simultaneously at 60Gbps. Two years later, the attack on PopVote (a website that was sympathetic to Hong Kong’s pro-democracy grassroots movement) comprised five botnets with a peak traffic level of 500Gbps. While recent notable attacks include those on Marriott and WordPress, the biggest and most infamous botnet incident to date was Mirai in 2016, which demonstrated how connected devices or the Internet of Things (IoT) could be weaponised.

Mirai was co-created by Paras Jha, a university undergraduate and a Minecraft enthusiast, who wanted to profit from hosting Minecraft games by using DDoS attacks to knock out rival hosts temporarily. It exploited insecure IoT devices in a simple but ingenious way. Instead of tracking down IoT gadgets, it scanned big blocks of the Internet for open Telnet ports still using one of the factory default username/password combos. As a result, it successfully recruited a legion of compromised closed-circuit TV cameras and routers. 

First, Jha and his accomplices targeted the French telecom host OVH, which also hosted Minecraft games, hitting it with a record-breaking traffic level of 1.5Tbps. Next, they directed more than 1.5 million connected cameras to bring down a prominent cybersecurity blog. The subsequent publication of Mirai’s source code effectively enabled anyone to build their own botnet. Finally came the major attack on Dyn at 1.2Tbps, forcing the temporary shut-off of access to Twitter, Netflix, Spotify, Box, GitHub, Airbnb, SoundCloud and numerous other sites.

Even after the arrest and sentencing of Jha and his associates, Mirai is still causing problems across the web. For example, almost a million German telecom customers and thousands of routers in the UK were later affected, and various Sony camera models have been found to be vulnerable to a Mirai takeover. In addition, while Mirai was not particularly novel, it was very flexible and adaptable, so that hackers could alter published source code to target new IoT devices as they began to emerge; the recent Satori and Reaper botnets are believed to be descendants of Mirai.

Lessons learnt

In the aftermath, some security experts such as Morey Haber, vice president of technology at BeyondTrust, an identity and vulnerability management firm, advocated for stronger laws to protect IoT devices before they are produced and shipped overseas, so that there will be stronger international cooperation. However, other experts like Chester Wisniewski, the principal research scientist at cybersecurity firm Sophos, considered such legislation insufficient for stopping future botnet incidents occurring. Both camps have pushed for minimum safety standards and the defining of best practices (such as constant system patching, password cycling and restricting privilege for IoT devices) to increase system security and regain public trust. Meanwhile, Dyn has advised other companies to diversify their Internet infrastructure partners, so as to lessen the impact of a DDoS attack. Lastly, a related lesson from an attack similar to the one on the Marriott database was that internal encryption of important data (such as customers’ passport records) may serve to protect the data even after a system has been hacked.

Key trends & their implications for botnets

The IoT is a boon for cybercriminals. According to Gartner, by 2017 there were 8.4 billion IoT nodes in operation and the analyst firm expects there to be a staggering 20.8 billion nodes by 2020 – all ripe for the plucking. While there has been more vigilance over desktops, PCs or even mobile phones over the years, people are still paying little attention to other devices that have computing power and an Internet connection – such as home routers, security cameras, baby monitors, etc. In the face of high-volume, technically sophisticated, and continuously evolving DDoS threats, the legacy defences found on these devices mean they are extremely vulnerable.

According to the Nokia Threat Intelligence Report 2019, in 2018, IoT bots made up 16% of the infected devices, which is a 3.5% increase on 2017. Furthermore, 78% of detected malware relates to IoT botnets. Botnet attacks are likely to worsen in 2019, as the expansion of 5G will mean there are more unsecured devices out there – including smart home security systems, vehicles, drones and health monitoring equipment. This will only serve to scale up attack regularity and lower the barrier for cybercriminals. For example, once they manage to hack into a few cameras, they may easily gain access to all the cameras in every home under a company’s control. Such a scenario is already a reality in Japan, where 50,000 surveillance cameras were manipulated by an unauthorised party in a DDoS attack. 

What can governments do?

A recent report by the US Department of Homeland Security stated that “DDoS attacks have grown in size to more than 1Tbps, far outstripping expected size and excess capacity. As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved.” Furthermore, traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, “were not designed to remedy other classes of malicious activities facilitated by botnets, such as ransomware or computational propaganda.” The Defense Advanced Research Projects Agency is investing in systems that can identify botnets, as well as tools that can hack into such botnets without disrupting them. Other Western governments are looking into mechanisms to neutralise botnets once they have hacked into the network.

What can businesses do?

“First of all, devices have to be securely managed,” states Kevin McNamee, Director of Nokia’s Threat Intelligence Lab and lead author of Nokia’s Threat Intelligence Report 2019, and this will involve software, firmware and patching. “Service providers and enterprises deploying IoT at any scale should make sure they are doing it by a managed mechanism” so that “any security flaw is addressed.” Also, carriers should monitor their network traffic for anomalies and “identify any IoT devices in their network that are misbehaving and that have been compromised.” All this should preferably be done with an automated, rapid response. Compromised devices must be isolated from the rest of the network. In addition, IoT devices must have secure communication – i.e. authentication, integrity and confidentiality. Lastly, depending on the business’ goals, there are benefits to both proactive and reactive DDoS deployment modes.
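The monitoring McNamee describes, spotting IoT devices that are misbehaving and isolating them, can be reduced to a few heuristics over flow logs. The example below is added here and is not code from the article, from Nokia or from Mouser. It flags two behaviours the article associates with Mirai-style bots: a device fanning out Telnet connection attempts to many distinct addresses (the worm-style scanning described earlier), and a device hammering one destination with far more connections than a quiet sensor would (participation in a flood). The flow-log format, the sample data and the thresholds are all constructed assumptions; the quarantine rules use nftables syntax and assume an `inet filter` table with a `forward` chain already exists.

```python
"""Flow-log heuristics for spotting compromised IoT devices on a LAN (added example).

Assumed input: one flow per line, '<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>'.
Thresholds are assumptions for illustration and must be tuned per network.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Telnet and its commonly used alternate port, the services default-credential worms probe.
TELNET_PORTS = {23, 2323}


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str     # source IP (a LAN address when the flow originates from an IoT device)
    dst: str     # destination IP
    dport: int   # destination port
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed flow-log format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto))
    return flows


def _max_in_window(events: list, window: int, measure) -> int:
    """Slide a time window over (ts, ...) tuples and return the largest `measure` of any window."""
    events.sort()
    best, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, measure(events[lo:hi + 1]))
    return best


def find_telnet_scanners(flows: list[Flow], window: int = 60, min_targets: int = 20) -> dict[str, int]:
    """Hosts trying Telnet to >= min_targets distinct destinations inside any `window` seconds."""
    per_src: dict[str, list] = defaultdict(list)
    for f in flows:
        if f.dport in TELNET_PORTS:
            per_src[f.src].append((f.ts, f.dst))
    distinct = lambda evs: len({dst for _, dst in evs})
    return {src: n for src, evs in per_src.items()
            if (n := _max_in_window(evs, window, distinct)) >= min_targets}


def find_flooders(flows: list[Flow], window: int = 60, max_conns: int = 200) -> dict[tuple[str, str], int]:
    """(src, dst) pairs with more than max_conns flows inside any `window` seconds."""
    per_pair: dict[tuple[str, str], list] = defaultdict(list)
    for f in flows:
        per_pair[(f.src, f.dst)].append((f.ts,))
    return {pair: n for pair, evs in per_pair.items()
            if (n := _max_in_window(evs, window, len)) > max_conns}


def quarantine_rules(hosts: set[str]) -> list[str]:
    """nftables rules that stop flagged hosts being forwarded anywhere (assumes inet/filter/forward exist)."""
    return [f"nft add rule inet filter forward ip saddr {h} drop" for h in sorted(hosts)]


def triage(log_text: str) -> dict:
    """Run both heuristics and derive the isolation actions for every flagged device."""
    flows = parse_flows(log_text)
    scanners = find_telnet_scanners(flows)
    flooders = find_flooders(flows)
    flagged = set(scanners) | {src for src, _ in flooders}
    return {"scanners": scanners, "flooders": flooders, "quarantine": quarantine_rules(flagged)}


def build_sample_log() -> str:
    """Constructed sample: a healthy thermostat (.20), a camera that began scanning for Telnet (.31)
    and a router pounding a single web server (.42), all within a few minutes."""
    t0, lines = 1565856000, []
    for i in range(10):                  # healthy device: a TLS flow every 30 s
        lines.append(f"{t0 + i * 30} 192.168.1.20 93.184.216.34 443 tcp")
    for i in range(40):                  # scanner: 40 distinct targets on port 23 within 40 s
        lines.append(f"{t0 + i} 192.168.1.31 203.0.113.{i + 1} 23 tcp")
    for i in range(300):                 # flooder: 300 connections to one host in 30 s
        lines.append(f"{t0 + i // 10} 192.168.1.42 198.51.100.9 80 tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    for key, value in triage(build_sample_log()).items():
        print(key, value)
```

The two checks are deliberately independent: a scanning device may never flood anything, and a flooding device may have been compromised by some route other than Telnet, so either alone is grounds for isolation. In a real deployment the flows would come from the router or carrier NetFlow/IPFIX export, the thresholds would be set from a per-device baseline, and the generated rules would be applied by the automated responder McNamee calls for rather than printed.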

What can individuals do?

Here are a few simple steps that we can all do to safeguard ourselves from botnet attacks. Firstly, you should assess the IoT nodes in your home and eliminate superfluous ones to reduce exposure to attack. Then, for the remaining nodes, change the default passwords and download firmware updates to increase protection. Purchase IoT devices that have gone through several generations, come from an established brand or have a lot of online reviews – as these will tend to offer higher levels of security. Change the default passwords of the new device into something stronger, because cybercriminals can often infiltrate devices while they still have their default settings. Use the advanced security options on the device, if they are available. Keep the IoT node’s software up-to-date to protect against potential vulnerabilities. Set your device to auto-update, if that option is available, so you always have the latest software from the manufacturer installed. Note that there are IoT devices outside of the home, so include mobile equipment like smartwatches and even children’s devices in these activities. Be particularly aware on the occasions that you connect to an unsecured public network – say an airport with public Wi-Fi. 

In summary, the prevalence of botnets, in similar fashion to any other form of cyberattack, is destined to only get greater. In much the same way as we cannot get rid of flu outbreaks entirely, so we take flu shots, we need to protect ourselves as best we can from the threat posed. In the case of botnet attack, we can work together to give ourselves a better fighting chance. Collectively, governments, businesses and individuals can all play their part in helping combat the botnet scourge. With all the preventive measures that are now available, the hope will be to keep the damage done by them to the minimum. 

