No End in Sight for IoT Botnet Growth

Ericka Chickowski

January 29, 2018

When the Mirai botnet first made waves back in 2016 taking down DynDNS services using an Internet of Things (IoT)-powered botnet, cybersecurity experts warned that this was just the warm-up act. Mirai marked the first splashy real-world example of the kind of attacks that the bad guys could carry out when harnessing the power of IoT devices in a well-controlled botnet. And as predicted by experts following the rollout of Mirai, the hits just keep coming via IoT botnets.

According to a report earlier this month by Spamhaus, botnets in general increased by a huge margin last year. The number of botnet controllers spotted by researchers increased by 32% year-over-year. More stunning, though, is the increase in IoT botnet controllers. Spamhaus reports that this category saw massive 140% growth over the course of the year, with no indication of any let-up coming soon.

"The big increase of IoT threats in 2017 is very likely to continue in 2018," Spamhaus researchers wrote. "We are sure that securing and protecting IoT devices will be a core topic in 2018."

Indeed, this is increasingly popping up on the radar of CISOs and other security managers as they examine emerging risks. According to the recent AT&T Cybersecurity Insights report, more than two in three executives say they expect IoT threats to increase in 2018 and close to one in three believe that DDoS attacks powered by IoT botnets are one of their biggest future security headaches.

Unfortunately, there's no simple enterprise fix to this problem, as it involves security issues at multiple points in the IT ecosystem. IoT devices themselves are notoriously insecure as built, with risky default network configurations and insecure code running rampant in the field, along with few sustainable patching procedures available. As a recent US National Institute of Science and Technology (NIST) report pointed out, IoT devices are about as security mature as PCs were back in the 1990s. "The vulnerability of new IOT devices is not a flaw inherent to the technology," the report explained, adding that the industry needs to develop security standards for IoT device development and vendors need time to mature their development practices to implement them.

Meantime, enterprises are caught in an interesting dynamic, because in many ways they are both victims of and contributors to the problem, NIST says.

"The large presence of enterprise networks connected to the Internet means that they are simultaneously a victim and source of risk. Automated, distributed threats present significant risks to enterprises and their operations," the report explained, saying that at the same time unsecured devices on enterprise networks are used as a part of the bad guys' botnets. "Devices at enterprises, ranging from IoT devices to data center servers, have been compromised and incorporated into botnets. Poorly administered enterprise resources, such as open DNS resolvers, are often leveraged to amplify attacks."

According to NIST, enterprises play a significant role in building out an ecosystem more resilient to IoT botnet abuse by, among other actions:

  • securing their devices and replacing inherently insecure legacy devices with ones that can be secured,
  • deploying better DDoS mitigation services and filtering in and out of the network, and
  • establishing policies and procedures to address compromised devices in a timely fashion when detected.

Of course, that kind of advice is easier said than put into practice, and for many enterprises it will likely still be a long time coming. In the interim, expect the problem to grow worse. Security leaders need only look at the trade press headlines of the last few weeks to see that the criminals will keep pressing their advantage when it comes to IoT. It's been two years and Mirai is still evolving into even scarier terrain.

The latest reports from security researchers are that the newest Mirai variant, Okiru, is targeting ARC embedded processors that are used in cars, mobile phones, TVs, cameras and what CSO Magazine calls "a nearly endless list of products" in the IoT space. The potential attack surface totals into the billions.

"If you think back on the havoc wreaked by 100,000 devices taken over by the Mirai botnet in 2016," writes Ms. Smith of CSO, "what hell can be unleashed in 2018 if attackers gain control of millions of ARC-based IoT devices for the Mirai Okiru DDoS botnet?"



Ericka Chickowski

An award-winning writer, Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. Chickowski’s perspectives on business and technology have also appeared in dozens of trade and consumer magazines, including Consumers Digest, Entrepreneur, Network Computing and InformationWeek.
