Bad Marriage: Botnets and the IoT Spell Big Danger

Carl Weinschenk
Toy robots
Beginning a post on cyber security with the observation that the threat being discussed is frightening is a bit redundant. They all are frightening. 

Very often, today’s threats are more dangerous because they are a mix of multiple things that, when combined, are more potent than the sum of their parts. In this case, four elements are present: botnets, DDoS attacks, the internet of things (IoT) and connected consumer electronics equipment. Put together, these inexpensive ingredients are enough to threaten the internet.

Crackers (malevolent hackers; “hackers” is a neutral term often misused) are an evil bunch. One of their favorite weapons are botnets. These are armies of innocent people’s online devices that are infected with malware. This malware enrolls them into massive gangs of computers, often without the owner even knowing that anything is amiss. 

These enormous armies – think computer versions of the Walking Dead – are instructed to send messages to a targeted server. Lots of messages – enough to make the server buckle. This is a denial of service attack. Since it’s mounted from many different directions, it’s further defined as a distributed denial of service (DDoS) attack.

This is old stuff. The security industry has been dealing with DDoS for years and years. The new element is the IoT. IoT sensors and end points are proliferating and now are in millions of devices. Many of these are in connected consumer devices such as surveillance cameras, baby monitors and cars. 

This is where the economies of scale work against honest folks. Margins are thin in electronics, so the IoT sensors must be inexpensive and can’t use much of the devices’ computing resources. They therefore generally have a shallow level of security. Add to this the sad reality that consumers have a dreadful track record when it comes to basic security hygiene such as changing passwords from “1234” or “admin” to something difficult to crack.  

Put it all together and the result is a big problem: Crackers see these devices as great recruits for botnets.

This issue came to a head during the latter half of last year. In September, a botnet named “Mirai” attacked the website of Brian Krebs, a well-known security expert. Mirai also caused a widespread brownout on the internet in October by attacking servers at Dyn, a key cog in the internet machine (actually, a domain name server). It even threatened online connectivity for an entire country – Liberia – though there’s some confusion about the causes of the outage.

A more general evolution of malware and cracking is exacerbating the situation. Years ago, cracking was the territory of lone wolves, oddballs, precocious kids or people making political statements. During the past decade or so, however, cracking has become the purview of criminal gangs and, as we saw during the election, governments. 

This means that a world has emerged that is as sophisticated as legitimate commerce. Users can pay to use botnets, sort of like an evil timeshare. Actual knowledge of cracking is unnecessary. For the more knowledgeable folks, the source code – the electronic blueprints – are available online. There also are ways in which those interested can learn to be a bad guy.

And there are variants of all malware. Mirai isn’t one malware but a family, and therefore more difficult to defeat. At the end of the year, according to Security Week, another botnet – Leet – has emerged. The story says that it probably uses IoT devices as well. It’s credited with attacking security firm Imperva’s Incapsula network. What’s certain is that the problem isn’t going away.

Related articles