IoT Botnets: Predators of Those Innocent-looking Connected Devices

Resistance is Futile: Botnets Are Assimilating Your IoT Devices

The ever-expanding varieties of IoT devices continue to find their way into both the home and business. Unfortunately, these products have a track record of vulnerabilities that IoT botnets are known to exploit. Over the years, security reports, news stories, and conferences have continuously warned about IoT botnets and other dangers associated with leaving such devices without adequate protection. After all, these devices are on your network, expanding the attack surface and exposing more than just the IoT devices themselves.

Even though attacks designed to infiltrate IoT devices and assimilate them into a botnet happen via all sorts of mechanisms, there are network security measures that you can take to minimize the risk of your devices being compromised. We’ll get to that later. But first, let’s examine what makes IoT devices susceptible to botnet infections.

The Risks of IoT Botnet Infections

Among IoT-targeted attacks, the most damaging is the recruitment of a device into a botnet. The device becomes a bot (a "slave", in older terminology) under the control of a command-and-control infrastructure run by the attackers. The operators can then use it to harvest data in real time from the network it sits on and to take part in distributed denial-of-service (DDoS) attacks designed to knock larger networks at companies and government agencies offline.

IoT devices are attractive targets for such campaigns because they are designed to be "always on" and are usually placed on the internal (private) network, where they can reach shared resources. Every compromised IoT device therefore gives attackers a foothold from which to reach shared files, credentials, and data.

There are three main sources of weaknesses that lead to the majority of IoT-related botnet infections:

  1. Unchanged Default Configuration Settings – If the owners do not change the default configuration, including the factory credentials, the devices can be hijacked by automated scripts that simply try those defaults. The base settings are usually not chosen with security in mind.
  2. Lack of Updates – For some products, vendors never issue patches for the vulnerabilities that are discovered. This means that even a device that was set up and integrated into the network properly can be compromised. The other dangerous scenario is when owners fail to apply patches that the vendor has released.
  3. Insecure Policies – If the devices are not configured and integrated into the network properly (for example, reachable without restriction from every other internal host), an attacker who has gained a position on the local network can take over or take down the IoT device as well.

As a result, one dangerous scenario that malicious actors take advantage of is the introduction of vulnerable consumer devices into private company networks. When such devices are used for recreation and apps are installed on them, attackers can use those deployments to plant malware. Such an infection is already inside the network defenses, and it can lead to numerous further compromises. As reported by Computer Weekly, attacks of this kind have occurred on enterprise networks through a wide range of IoT products, including fitness trackers, gaming consoles, and smart kitchen devices.

The Power of IoT Botnet Infections

Let's examine a recent example, the Torii botnet. This botnet is particularly known for silently infecting devices by abusing weak credentials: it probes targets automatically with default username and password combinations. Once it gains access, it issues a series of commands to identify the architecture of the infected IoT device and, based on those findings, downloads a payload built for that architecture.

The botnet is not only capable of carrying out further attacks and continually growing its pool of recruited devices, but it can also spy on victims, record their Internet traffic, and report that activity to the bad actors behind the attack. Given Torii's ability to amass a large number of recruited hosts, it can become a very powerful weapon in the hands of a criminal collective that seeks to take down large enterprise or government targets.

How Can You Defend Against IoT Botnet Attacks?

There are certain steps that every device owner can take in order to prevent IoT intrusions.

Change Default Credentials. The first and most important action is to change the default credentials used to log in to and administer each device. This matters most because attackers typically probe any device they find reachable from outside the internal network with lists of common username and password combinations, and the factory defaults are at the top of those lists. Security best practice also suggests rotating these credentials at regular intervals.

Check Vendor Patch History and Catch Up. Everyone advises applying patches, and I'd be remiss if I didn't include that. So, apply patches! But perhaps just as important, before even adding a new IoT device to your private network, research the model and check whether the vendor regularly releases patches, and when given a choice, opt for the model whose vendor has a good track record. Additionally, make sure that earlier patches for vulnerabilities known to be used in IoT attacks have actually been applied.

Disconnect or Isolate Devices. We all know that IoT devices are designed to be left on, always running and available. However, during a suspected network attack, you can always disconnect the devices or shut them down to prevent further abuse. If possible, I always recommend housing them on a separate network (their own VLAN, for instance), isolated from business systems and data. Such a configuration lets the devices operate normally while denying them access to sensitive resources. Also disable unnecessary services and unused options, as such features may send out information that can be captured and used to gain access to other systems.

Install the Latest Firmware Updates. It's also a good idea to check regularly for new updates to the core firmware and all installed modules of a given IoT device. As any day can bring a new vulnerability or attack technique, this is extremely important for all network devices, even those not exposed to the Internet. If possible, I recommend that administrators use vendor email notifications or patch management software to watch for releases and apply them as soon as possible.

Limit Physical Access. Another important factor to consider is that physical access to a device is an open door to compromising it. When deploying IoT devices, especially security products such as cameras, make sure they are protected against physical tampering.

Use Secure Networks Offsite. Likewise, when a mobile device is used to transmit sensitive data offsite, connect it only to established, trusted wireless networks, and wherever possible encrypt the data in transit to prevent eavesdropping.

Implement Network Traffic Analysis. As I said before, these devices are on your network, with access to systems and data. So, manage them as part of your network. I recommend deploying a network monitoring service: an application that continuously watches network devices and raises real-time alerts on suspicious behavior. Combined with a network traffic analysis product that flags the anomalous activity typical of compromised devices trying to move laterally (a camera that suddenly starts probing other internal hosts on telnet, for example), such a service lets administrators respond quickly to a possible attack.
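To make the last two recommendations concrete, here is a small detector that treats the isolated IoT segment as a policy ("these devices may only talk to these destinations") and watches flow records for the two behaviours described above: lateral scanning of internal hosts on the ports botnets spread through, and connections to destinations the device has never been allowed to use. This is an added example written for this page, not code from the original post or from any product; the subnet, the per-device allowlist, the scan-port list and the flow log lines are all constructed for illustration, and a real deployment would feed it exported NetFlow/IPFIX or firewall logs instead.

```python
"""Flag botnet-like behaviour of IoT devices from NetFlow-style records.

Added example for this page; inventory, allowlist and flow lines are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: the isolated IoT VLAN and the internal address space.
IOT_SUBNET = ip_network("10.20.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed allowlist of (destination, port) per device. Anything outside it is
# "new" behaviour for that device and should be explained or blocked.
ALLOWLIST = {
    "10.20.0.11": {("10.0.0.53", 53), ("203.0.113.10", 443)},   # camera: DNS + vendor cloud
    "10.20.0.12": {("10.0.0.53", 53), ("198.51.100.7", 8883)},  # thermostat: DNS + MQTT/TLS
}

# Ports that credential-guessing IoT worms typically spread through (telnet, ssh,
# TR-069, adb). A device fanning out to many internal hosts on these is scanning.
SCAN_PORTS = {22, 23, 2323, 7547, 5555}
SCAN_FANOUT = 5   # distinct internal hosts on a scan port before we call it a scan

# Constructed flow log, one flow per line: "ts src dst proto dport bytes"
SAMPLE_FLOWS = """\
1700000000 10.20.0.11 10.0.0.53 udp 53 120
1700000001 10.20.0.11 203.0.113.10 tcp 443 9800
1700000002 10.20.0.12 198.51.100.7 tcp 8883 2300
1700000010 10.20.0.11 10.0.1.1 tcp 23 60
1700000010 10.20.0.11 10.0.1.2 tcp 23 60
1700000011 10.20.0.11 10.0.1.3 tcp 23 60
1700000011 10.20.0.11 10.0.1.4 tcp 23 60
1700000012 10.20.0.11 10.0.1.5 tcp 23 60
1700000012 10.20.0.11 10.0.1.6 tcp 2323 60
1700000020 10.20.0.11 192.0.2.99 tcp 6667 300
1700000021 10.20.0.12 10.0.0.53 udp 53 110
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(flows):
    """Return alerts for IoT devices that scan internally or leave their allowlist."""
    scan_targets = defaultdict(set)   # src -> internal hosts probed on scan ports
    unexpected = defaultdict(set)     # src -> (dst, dport) pairs outside the allowlist
    for f in flows:
        if ip_address(f["src"]) not in IOT_SUBNET:
            continue  # the policy only covers the isolated IoT segment
        if f["dport"] in SCAN_PORTS and is_internal(f["dst"]):
            scan_targets[f["src"]].add(f["dst"])
        key = (f["dst"], f["dport"])
        if key not in ALLOWLIST.get(f["src"], set()):
            unexpected[f["src"]].add(key)

    alerts = []
    for src, hosts in scan_targets.items():
        if len(hosts) >= SCAN_FANOUT:
            alerts.append({"device": src, "type": "lateral_scan", "detail": sorted(hosts)})
    for src, keys in unexpected.items():
        scanning = len(scan_targets.get(src, ())) >= SCAN_FANOUT
        for dst, dport in sorted(keys):
            if scanning and dport in SCAN_PORTS and is_internal(dst):
                continue  # already reported as part of the scan, avoid alert flooding
            alerts.append({"device": src, "type": "unexpected_destination",
                           "detail": f"{dst}:{dport}"})
    return sorted(alerts, key=lambda a: (a["device"], a["type"], str(a["detail"])))


if __name__ == "__main__":
    for alert in analyze(parse_flows(SAMPLE_FLOWS)):
        print(alert["device"], alert["type"], alert["detail"])
```

Run against the constructed log, the camera at 10.20.0.11 produces a `lateral_scan` alert (six internal hosts on telnet ports) and an `unexpected_destination` alert for 192.0.2.99:6667, while the thermostat stays silent because it only talks to its allowlisted DNS and MQTT endpoints. The allowlist is the interesting part: if the IoT VLAN's firewall policy is written down per device, the same table can both generate the firewall rules and serve as the baseline that turns "unknown destination" into an actionable alert rather than noise.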

IoT Devices Are Never Safe

The cases above illustrate how IoT botnet infections can disrupt your network. A single device hacked by malicious actors and added to an IoT botnet can lead to sabotage, information theft, and the takedown of entire networks. As such, it is necessary to follow a well-prepared plan of integration and security enforcement for every IoT device that is added to your network. This blog by no means presents an exhaustive or complete list of recommendations, as new methods and practices are developed every day. Nevertheless, I hope it serves as a starting point and provides added motivation for you to strengthen the security of your IoT devices.

Bert Rankin

Bert Rankin has been leading technology innovation for over 25 years including over 5 years in security solutions that prevent cybercrime. He is a frequent blogger and is often quoted in security-related articles. Bert earned his BA from Harvard University and an MBA at Stanford University.