
Learn the IoT botnets basics every IT expert should know

The threat of IoT botnets continues to grow with the number of deployed IoT devices. IT experts must understand and guard against the inherent risk of an expanding attack surface.

Given the number and geographic spread of deployed devices, IoT constitutes a particularly large attack surface, with every device representing a possible point of entry for hackers to exploit.

"IoT is ultimately another attack surface and another risk to the enterprise. There are threat actors, nation-states and criminal groups that will compromise whatever they can, and IoT devices have vulnerabilities that make them easier targets," said Kayne McGladrey, an IEEE member and chief information security officer (CISO) at Pensar Development until May 2020.


Some organizations already have hundreds, thousands or even tens of thousands of IoT devices in their enterprise, and each one is a risk that must be protected against cyberthreats, because hackers seize on the entry points IoT devices offer. Worldwide, there will be an estimated 35.8 billion devices in service this year, according to Statista's report titled "Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025." Statista estimates that number will more than double in the next five years, hitting 75.4 billion by 2025.

One of the biggest opportunities for bad actors? Taking advantage of IoT deployment weaknesses to turn connected devices into botnets to use in cyberattacks.

What is an IoT botnet?

A botnet is a collection of hijacked computers that the attacker can control. An attacker uses a device's weakness, such as an unprotected network port, to install malware that can then be used to hijack and control the computer, or bot.

The attacker -- whether a single hacker, a collection of hackers or an organized entity such as a hostile nation-state -- then combines the hijacked computers together to create a botnet capable of launching massive attacks.

Botnet architecture

An IoT botnet specifically targets IoT devices to create the hijacked network but serves the same function as traditional botnets. IoT devices are particularly attractive to hackers, Gartner senior director and analyst Ruggero Contu said.


"It is easier to compromise IoT devices given the low security configuration, and the firepower tends to be greater given the millions of available IoT devices that can be utilized," he said.

Hackers most frequently use IoT botnets to launch distributed denial of service (DDoS) attacks, but they could use them for other types of attacks, said Matthew D. Ferrante, a partner and head of the cyber and information security services at Withum, an advisory firm.

"It depends on the threat actors' motives, as they can have different motives," he said. "[Hackers] are smart, and they'll look for ways to exploit systems. So, if they want to cause an organization to burn, they will."

Examples of IoT botnet attacks

The world has already experienced notable IoT botnet attacks.

In fall 2016, the Mirai virus infected a reported 600,000 IoT devices, using them to launch a massive DDoS attack that took down the internet in much of the eastern U.S. The Mirai botnet remains one of the biggest threats to IoT deployments.

Security leaders in 2017 highlighted the emergence of the Hajime botnet, with some security officials estimating hundreds of thousands of IoT bots in its network, although it has yet to inflict any damage on the scale of the Mirai botnet.

Similarly, security officials in 2017 identified the ominously named Reaper botnet, which targets known vulnerabilities in wireless IP-based cameras and other IoT devices, but, like the Hajime botnet, has not launched attacks on the scale and scope of the Mirai botnet.

In 2018, the Mirai-based Satori botnet emerged, infecting thousands of IoT devices at the outset with the reported goal of enabling its operator to launch DDoS attacks. In September 2019, a Washington state man -- then 21 -- pleaded guilty to running the botnet.

Why IoT devices are vulnerable

Security leaders continually stress that there's no such thing as 100% secure, yet several experts said IoT devices tend to be particularly vulnerable to attacks, especially when compared to other computer devices.


Some IoT devices -- and more specifically early models -- are insecure by design, with vendors neglecting to implement standards that would allow them to be secured and updated over time, McGladrey said. Organizations also share blame for the lower security, as they often deploy IoT devices at a rapid pace without involving their security teams in the evaluation, installation or even ongoing maintenance.

"Unlike regular devices that are regularly patched and recognized, IoT devices are commonly overlooked. They've been a red flag for quite some time," Ferrante said. "And they could someday cause catastrophic damage because the number of these devices is growing exponentially."

Countering the threat to IoT devices

Although experts say CISOs have no way to stop the creation of IoT botnets, they can take these steps to guard IoT devices against being compromised by botnet malware or any other type of malware:

  1. Vet IoT devices before purchasing and ensure they meet emerging security standards and protocols. Confirm the vendor included security in the design of the device itself for patching and security updates throughout the device's lifecycle.
  2. Keep an inventory of IoT devices and where they're located.
  3. Develop a plan for managing and securing the IoT devices, similar to plans used to manage and secure other technology within the organization. The lifecycle plan should include an end of life for all devices.
  4. Consider network segmentation to wall off IoT devices as untrusted. Segmentation from the critical parts of the network could help prevent a compromised device from being used to infiltrate the enterprise's core systems.
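One way to turn steps 2 through 4 into a recurring audit of the device inventory, written here as an added example (not code from the article or from any vendor); the device record fields, the IoT segment name, the 180-day patch threshold and the sample inventory are all assumptions constructed for the demonstration.

```python
"""Added example: audit an IoT inventory against the hardening steps above (constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

IOT_SEGMENT = "vlan-iot-untrusted"   # assumed name of the walled-off, untrusted IoT segment (step 4)
MAX_FIRMWARE_AGE_DAYS = 180          # assumed threshold for "device is still being maintained"
AUDIT_DATE = date(2020, 6, 15)       # constructed "today" so the run is reproducible


@dataclass
class IoTDevice:
    name: str
    location: str                  # step 2: where the device physically is
    segment: str                   # step 4: network segment it is connected to
    vendor_supports_updates: bool  # step 1: vendor designed in a patch/update path
    end_of_life: date              # step 3: planned retirement date in the lifecycle plan
    last_firmware_update: date     # step 3: evidence of ongoing maintenance


def find_issues(dev: IoTDevice, today: date) -> List[str]:
    """Return every hardening step the device currently fails (empty list = compliant)."""
    issues = []
    if not dev.vendor_supports_updates:
        issues.append("step 1: vendor provides no update path")
    if not dev.location:
        issues.append("step 2: physical location unknown")
    if dev.end_of_life <= today:
        issues.append("step 3: device past its planned end of life")
    if (today - dev.last_firmware_update).days > MAX_FIRMWARE_AGE_DAYS:
        issues.append(f"step 3: firmware older than {MAX_FIRMWARE_AGE_DAYS} days")
    if dev.segment != IOT_SEGMENT:
        issues.append(f"step 4: on {dev.segment!r} instead of the untrusted IoT segment")
    return issues


def audit(inventory: List[IoTDevice], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant device name to the list of steps it fails."""
    report = {dev.name: find_issues(dev, today) for dev in inventory}
    return {name: issues for name, issues in report.items() if issues}


# Constructed sample inventory; these are not real devices or networks.
SAMPLE_INVENTORY = [
    IoTDevice("lobby-camera-01", "HQ lobby", IOT_SEGMENT, True, date(2026, 1, 1), date(2020, 5, 1)),
    IoTDevice("hvac-controller-02", "Plant B", IOT_SEGMENT, True, date(2024, 6, 30), date(2019, 10, 1)),
    IoTDevice("warehouse-sensor-07", "", "vlan-corp-servers", False, date(2019, 12, 31), date(2018, 3, 1)),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name, "->", "; ".join(issues))
```

Devices that pass every check are omitted from the report, so a non-empty result is the work queue for the security team.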
