With the exponential growth of the Internet of Things, hackers are now able to create an IoT botnet capable of carrying out a massive Distributed Denial of Service (DDoS) attack, potentially bringing elements of mission-critical infrastructure to a grinding halt. Instead of targeting computers hooked up to the Internet, this type of botnet targets everyday digital devices, including DVRs, routers and IP cameras.
Researchers have recently uncovered an IoT botnet that has infected more than one million organizations and has millions of devices under its control. We’ve already had a preview of what may come next with the Mirai botnet attack in 2016, which knocked parts of the Internet offline in the United States for hours. Experts now fear that whatever IoT botnet comes next could bring down the entire Internet. In a worst-case scenario, a botnet attack might cripple a nation’s entire power or transportation grid.
Mirai IoT botnet attack could foreshadow future cyber attacks
Without a doubt, the Mirai IoT botnet attack was a wake-up call for cybersecurity experts. It proved that any digital device – even something as simple as an IP camera or internet router – could be compromised and then turned into a weapon. As part of that IoT botnet attack, more than 2.5 million connected devices – mostly IP cameras and internet routers – were combined into a massive zombie botnet led by a command-and-control server. The botnet attacked DNS provider Dyn with massive amounts of traffic, effectively knocking parts of the Internet offline in the United States.
The Mirai IoT botnet attack was so successful because it was able to take advantage of default passwords on routine digital devices that most people never even think about securing. Cyber experts have compared the attack methodology of these botnets to a neighborhood burglar going house to house, seeing if the front door happened to be open by mistake. If the door was open, the device could easily be added to the vast network, where it took orders from a hacker running a centralized command-and-control server.
Why the next DDoS attack will be even more dangerous
Cybersecurity experts have now raised the issue of a potentially more severe botnet attack methodology that would build upon the Mirai DDoS attack approach and be even more massive in its scale. For example, Internet security researchers at the Chinese security firm Qihoo 360 and the Israeli security firm Check Point have identified a new botnet threat codenamed IoT Reaper.
Unlike the Mirai DDoS attack, which merely looked for devices with default passwords (or easy-to-guess passwords), Reaper goes one step further: it hacks devices with known security flaws. In other words, you can’t protect your devices simply by changing your password – you have to update your software, a process that most consumers and device owners aren’t in the habit of doing. Most likely, they simply aren’t aware of the types of DDoS attacks that are possible using a simple Internet connection.
Using the burglar analogy again, this prelude to a DDoS attack is similar to a burglar not just going door-to-door to see which homes are wide open, but also fiddling with the lock to break into a home. It means botnets are becoming much more aggressive and much more resourceful in how they can attack, especially when targets are running open source code and when application layer attacks are so easy.
Commenting on the new botnet, Robert Hamilton, Director of Marketing at security firm Imperva, notes the need to take active measures sooner rather than later: “Mirai was a wake-up call to the IoT device makers to improve their security by making it more difficult to turn their devices into botnet recruits.”
The scale of the problem, suggests Hamilton, is just now being realized: “There remain tens of millions of devices that are still vulnerable to being turned into DDoS zombies, and attackers have figured out how to rapidly expand IoT botnets that can wage large-scale attacks. Consumers need to check their IoT device passwords, and organizations need to be prepared with a strong DDoS defense to thwart any possible strike.”
The Reaper IoT botnet scenario
At a time when people are starting to have a whole range of Internet-connected devices in their homes, it’s easy to see how the Reaper botnet could grow exponentially with little or no effort. Those same researchers have found that this botnet appears to be propagated by other IoT devices, meaning that an “infection” is easy to spread.
As of now, the security researchers estimate that Reaper has infected at least one million networks globally. Even worse, those same researchers have found that the Reaper botnet is depositing source code into devices that have not yet been activated, potentially making them the equivalent of “sleeper cells” that can be activated at any time for a DDoS attack.
So far, Reaper has not attempted a massive DDoS attack, so its motives are not yet clear. The consensus appears to be that Reaper is trying to grow large enough that it can do more than just knock parts of the Internet offline – it could potentially use infected devices to take down the whole Internet with an unprecedented DDoS attack.