IoT botnets – the landscape in 2019
Hardik Modi of Netscout
In August 2016, the Mirai botnet dramatically brought concerns around the security of Internet-of-Things (IoT) devices to centre stage. That botnet and associated malware family used devices such as home routers and IP-enabled video cameras to launch a series of high-profile distributed denial of service (DDoS) attacks globally.
While there had been concerns about such devices voiced previously, says Hardik Modi, AVP Engineering – Threat and Mitigation Products, Netscout, these attacks raised awareness on the topic, from security personnel in enterprises to policy makers and standards bodies representing the community at large. Considerable law enforcement focus on the authors of the botnet has resulted in the arrest and prosecutions of a number of actors.
For all that well-intentioned activity, the deployment of vulnerable devices continues in 2019 and many continue to be enrolled into botnets involving malware that are the contemporary successors of Mirai. The Netscout Threat Intelligence team continually monitors the landscape and this commentary is based on findings that we recently published in the Netscout Threat Intelligence Report H1’2019.
Broadly, the classes of devices we see being enrolled in such botnets today are the following: home routers, network attached storage, IP-enabled cameras, and home automation systems. Each of these classes of devices share a few characteristics that make them especially suitable targets:
- They have a need to be exposed to the Internet, typically enabling access to or from the Internet as part of its basic function. Think of how an IP-enabled camera is typically viewed from remote locations or how you need a router or similar gateway device for a home or small office to get to the Internet.
- The devices have a distributed manufacturing base, involving a large number of suppliers. There is a myriad of brands under which these devices are sold, with countless original equipment manufacturer (OEM) vendors involved.
- The core technologies are well understood – basic computing platforms, a software stack that is often based on open source packages, and peripherals that are sourced externally. However, core management of these devices – hardening of the software, provisions for software updates, etc – are left to each vendor to determine. As a result, the devices often ship insecure.
- These devices also tend to sit on a shelf for a considerable period of time before they are deployed. Even if they left the manufacturing facility with secure software deployed, there are few facilities to update them as they get deployed.
These are the core factors that we see enabling the landscape the we observe in 2019. Here are the key facts that best summarise the scene:
- Our research shows that brute force attacks using common usernames and passwords begin inside of five minutes of the device having been deployed. Within 24 hours, more targeted exploits are typically being used against these devices.
- Even as the original authors of Mirai have been apprehended, we see at least five variants that continue to operate to this day, each incorporating a different set of techniques and attack types.
- These variants include larger sets of common credentials and continually introduce newer exploit code for common vulnerabilities. We’re tracking upwards of 50 separate exploitation techniques being used against IoT devices.
- IoT devices are being used in every facet of the threat landscape – DDoS, ransomware, targeted intrusions, cryptomining etc.
The gravity of the situation has resulted in a number of initiatives across government, vendors, network operators, enterprises and groups representing civil society. From our vantage point, no single initiative has emerged that promises a systemic fix to the problem, but it’ll likely be a patchwork that provides us with the path forward. The classes of devices that get roped into such botnets and the volume of devices within those classes will only grow – the benefits we reap from these innovations depend on our ability to deploy them securely.
The author is Hardik Modi, AVP Engineering – Threat and Mitigation Products, Netscout.
Comment on this article below or via Twitter @IoTGN