All you need to know about IoT Botnets [Q&A]
Connected devices like smart TVs and webcams aren't new -- but since their inception 30 years ago, the number of humans connected to the internet has been surpassed by the number of devices connected to it.
In fact, industry analysts estimate the number of connected devices will reach 50 billion by 2020. And as the number of connected devices increases exponentially, so the number of security risks grows as well.
We spoke with Steinthor Bjarnason, network security research engineer for DDoS and advanced threat protection provider Arbor Networks' Security Engineering and Response Team (ASERT), to get a clear understanding of IoT devices and botnets, and to find out how to prevent the risks that come with these threats.
BN: Why are IoT devices so prevalent today?
SB: The reason why IoT devices are being deployed at such large scale is because they are used to control, monitor and manage almost every piece of technology which we use in our daily lives. As the typical IoT device has limited capabilities, it will however have to interact with, and be controlled and monitored by, external solutions. To minimize deployment costs, IoT devices are often purposely designed to be simple to install and deploy. Unfortunately, this often results in devices that have limited security capabilities, or in some extreme cases, no security capabilities whatsoever.
BN: Just what is a botnet?
SB: At first, bots were simply computer programs developed to enable the automation of routine tasks. However, at the hands of attackers who also want to profit from their malfeasance, overlays of bots that work together, or botnets, have enabled the creation of a thriving Digital Underground Economy. With botnets, a perpetrator can remotely commandeer an amazingly large collection of computer systems globally on the internet, almost always unbeknownst to the owners of those systems. From the attacker's vantage point, DDoS attacks are just the tip of the iceberg for botnets. Compromised systems can be used for a multitude of functions, including:
- click fraud
- attack sites that produce anti-spam solutions
- open proxies for anonymous Internet access
- brute-force cracking attempting on other Internet systems
- hosting phishing web sites
- lifting CD keys or other software license data
- theft or personal ID information, enabling ID theft
- lifting credit cards and other account information, including PIN numbers or 'secret' passcodes
- installing keyloggers to capture all user input to a system
Given the ease with which botnets are assembled and traded and the far-from-complete list of 'monetizable' functions above, plus the ability to anonymize yourself one the global internet, it's easy to see why botnets are the platform of choice for an array of miscreants, from organized crime to cyber terrorists, to your average street criminal.
BN: What makes IoT devices especially vulnerable?
SB: IoT devices are attractive to attackers because so many of these devices are shipped with insecure defaults, including default administrative credentials, open access to management systems via the Internet-facing interfaces on these devices, and shipping with insecure, remotely exploitable code. A large proportion of embedded systems are rarely if ever updated in order to patch against security vulnerabilities -- indeed, many vendors of such devices do not provide security updates at all.
BN: What can businesses do to protect themselves?
SB: As the situation is today, IoT devices are more unsecure and more dangerous than any other device in the past, this includes generic purpose PCs and laptops. That said, the situation is not hopeless.
As the attackers now have the capability to infect IoT devices inside organizations, it is vital to monitor and control all IoT activity to avoid security incidents. IoT devices should always be isolated from other devices and measures should be put in place to control the activities of these devices. For example, a webcam inside an organization should not be allowed to contact applications servers inside the data center or to access the internet directly. The software controlling the IoT devices should also be patched and updated according to the manufacturers requirements, similarly as any other network attached device like PCs and other computers.