With the exponential growth of the Internet of Things, attackers can now assemble an IoT botnet capable of carrying out a massive Distributed Denial of Service (DDoS) attack, potentially bringing elements of mission-critical infrastructure to a grinding halt. Instead of recruiting computers hooked up to the Internet, this type of botnet targets everyday digital devices, including DVRs, routers and IP cameras.
Researchers have recently uncovered an IoT botnet that has infected more than one million organizations and has millions of devices under its control. We’ve already had a preview of what may come next with the Mirai botnet attack in 2016, which knocked parts of the Internet offline in the United States for hours. Experts now fear that whatever IoT botnet comes next could bring down the entire Internet. In a worst-case scenario, a botnet attack might cripple a nation’s entire power or transportation grid.
Mirai IoT botnet attack could foreshadow future cyber attacks
Without a doubt, the Mirai IoT botnet attack was a wake-up call for cybersecurity experts. It proved that any digital device – even something as simple as an IP camera or home router – could be compromised and then turned into a weapon. As part of that IoT botnet attack, more than 2.5 million connected devices – mostly IP cameras and routers – were combined into a massive zombie botnet, directed by a command-and-control server, that flooded DNS provider Dyn with traffic, effectively knocking parts of the Internet offline in the United States.
The Mirai IoT botnet attack was so successful because it took advantage of default passwords on routine digital devices that most people never even think about securing. Cyber experts have compared the attack methodology of these botnets to a neighborhood burglar going house to house, checking whether the front door happened to be left open by mistake. If the door was open, the device could easily be added to the vast network, taking its orders from the attacker's centralized command-and-control server.
Why the next DDoS attack will be even more dangerous
Cybersecurity experts have now raised the issue of a potentially more severe botnet attack methodology that would build upon the Mirai DDoS attack approach and be even more massive in its scale. For example, Internet security researchers at the Chinese security firm Qihoo 360 and the Israeli security firm Check Point have identified a new botnet threat codenamed IoT Reaper.
Unlike the Mirai DDoS attack, which merely looked for devices with default (or easy-to-guess) passwords, Reaper goes one step further: it compromises devices through known, unpatched security flaws. In other words, you can't protect your devices simply by changing the password – you also have to update the software, something most consumers and device owners are not in the habit of doing. Most likely, they simply aren't aware of the kinds of DDoS attacks that can be launched from an ordinary Internet connection.
Using the burglar analogy again, this prelude to a DDoS attack is like a burglar who not only goes door to door to see which homes are wide open, but also picks the lock to get into a home. It means botnets are becoming much more aggressive and much more resourceful in how they attack, especially when targets are running open-source code and when application-layer attacks are so easy to mount.
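The two takeover paths contrasted above, default credentials (the Mirai route) and unpatched known flaws (the Reaper route), can be audited together from a device inventory. This is an added example, not code from the article or from any vendor named in it; the models, firmware versions and default credential pairs are constructed sample data, and the minimum patched versions are hypothetical.

```python
"""Added example: audit an IoT inventory for Mirai-style default credentials
and Reaper-style unpatched known flaws. All models, versions and defaults
below are constructed sample data, not real products or advisories."""
from dataclasses import dataclass
import re

# Constructed: credential pairs a vendor ships out of the box.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "")}
# Constructed: lowest firmware version per model that closes a published flaw.
MIN_PATCHED_VERSION = {"CamCo-X1": "2.4.1", "RouteCo-R7": "1.10.0"}


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    username: str
    password: str


def parse_version(version: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); numeric tuples compare component-wise, so
    1.10.2 correctly sorts above 1.9.9 (a plain string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(device: Device) -> list:
    """Return the takeover paths still open on this device."""
    findings = []
    if (device.username, device.password) in DEFAULT_CREDENTIALS:
        findings.append("default-credentials")      # Mirai-style recruit
    minimum = MIN_PATCHED_VERSION.get(device.model)
    if minimum is None:
        findings.append("unknown-patch-status")     # cannot vouch either way
    elif parse_version(device.firmware) < parse_version(minimum):
        findings.append("unpatched-known-flaw")     # Reaper-style recruit
    return findings


def audit_inventory(devices) -> dict:
    """Map each device name to its findings; an empty list means both paths are closed."""
    return {d.name: audit(d) for d in devices}


# Constructed inventory: office-cam changed its password but never updated,
# which is exactly the case where a password change alone is not enough.
INVENTORY = [
    Device("lobby-cam", "CamCo-X1", "2.3.0", "admin", "admin"),
    Device("office-cam", "CamCo-X1", "2.3.0", "admin", "correct horse battery"),
    Device("edge-router", "RouteCo-R7", "1.10.2", "ops", "long-unique-passphrase"),
    Device("legacy-dvr", "DvrCo-D2", "0.9", "admin", "changed-it"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```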
Commenting on the new botnet, Robert Hamilton, Director of Marketing at security firm Imperva, notes the need to take active measures sooner rather than later: “Mirai was a wake-up call to the IoT device makers to improve their security by making it more difficult to turn their devices into botnet recruits.”
The scale of the problem, Hamilton suggests, is only now being realized: “There remain tens of millions of devices that are still vulnerable to being turned into DDoS zombies, and attackers have figured out how to rapidly expand IoT botnets that can wage large-scale attacks. Consumers need to check their IoT device passwords, and organizations need to be prepared with a strong DDoS defense to thwart any possible strike.”
The Reaper IoT botnet scenario
At a time when people are starting to have a whole range of Internet-connected devices in their homes, it's easy to see how the Reaper botnet could grow exponentially with little or no effort. The Qihoo 360 and Check Point researchers have found that the botnet is propagated by already-infected IoT devices, meaning that an “infection” spreads easily from device to device.
As of now, those researchers estimate that Reaper has infected at least one million networks globally. Even worse, they have found that the Reaper botnet is depositing code on devices that have not yet been activated, potentially making them the equivalent of “sleeper cells” that can be activated at any time for a DDoS attack.
Right now, Reaper has not yet attempted a massive DDoS attack, so the motives are not yet clear. The consensus appears to be that Reaper is trying to grow to a large enough size where it can do more than just knock parts of the Internet offline – it could potentially use infected devices to take down the whole Internet with an unprecedented DDoS attack.
Sweden DDoS attack as a sign of what’s to come
One goal of a DDoS attack could be to take down a nation's entire critical infrastructure and compromise its network security. Theoretically, this could be used as an act of war by a rogue state – or perhaps simply as a way to sow global chaos. For an example of what a malicious IoT botnet built from IP-based devices can do, consider the case of Sweden.
On October 11, a massive IoT botnet tried to crash Sweden's transportation grid. The botnet attacked the Swedish Transport Administration (Trafikverket), which helps to run the nation's trains. As a result of the attack, trains came to a halt. They had to be delayed until the main IT system, which tracks the location of each train, could be brought back online manually and Internet connectivity restored. In addition, the botnet took down Trafikverket's email system, website and road traffic map. The next day, part two of the attack took place: this time, the botnet took down the Swedish Transport Agency.
Commenting on the scale of the attack on the Swedish transport authorities, Igal Zeifman, Incapsula Security Evangelist at cybersecurity firm Imperva, highlights what needs to happen next: “This attack really reinforces the need for rapid DDoS mitigation, like the one we now ensure with our new ten-second mitigation SLA.”
Zeifman also emphasizes the need for quick reaction time: “In this case, like in many others, allowing the attack to succeed – even for a relatively short while – created deep technical and operational issues that persisted after the assault had subsided. Put simply, slow time-to-mitigation leaves organizations' assets exposed. Even a 1-minute attack can lead to hours of downtime.”
Extrapolating from these Swedish attacks, it’s possible to put together an even more frightening scenario: a botnet attack that takes down a nation’s entire transportation grid, including trains, road traffic signals and airplanes.
Possible solutions to prevent an IoT botnet apocalypse
Obviously, these are the types of scenarios that nobody could have contemplated just a few years ago. They are difficult to detect, especially when attackers target systems that were once thought to be completely secure. At a time when mission-critical computer systems are routinely protected behind a perimeter defense, nobody expected that a target network would be attacked by a botnet made of IoT devices.
There has been such a rush to bring Internet-connected devices to market that relatively little thought has gone into protecting and securing them from flood attacks. Even worse, many of them ship with easy-to-guess passwords right out of the box. Those passwords often remain in plain sight, since legitimate users won't change them and service providers haven't thought about ways to protect them.
The good news is that some Internet security firms, such as Imperva Incapsula, are devising new defenses for target systems that are as clever as the attacks they must face. Generally referred to as DDoS attack mitigation technologies, they provide a layer of DDoS protection that, until now, has been sorely lacking.