Some of the most devastating hacks in recent years have involved huge numbers of computers linked together in botnets. Attacks using botnets have been around for years, but explosive growth in IoT devices has created millions (if not billions) of unsecured or poorly secured devices just waiting to be hijacked by a clever attacker.
When Bots Attack
While there are aboveboard uses of botnets, we’re going to focus on the more malicious varieties. When we talk about a malicious botnet, most of the time we’re talking about a number of different attacks rolled together. There are the attacks that commandeer devices in the first place, and then the larger attack that directs those zombified devices against an unsuspecting third party.
Unlike many other malicious attacks, when a hacker gains access to your device for the purpose of creating a botnet, they’re not necessarily interested in your data per se. Instead, they want your processing power and bandwidth. The point of a botnet is to create a kind of digital mob of devices that all spam the targeted website or service at once. Imagine an angry crowd protesting outside a building, preventing other people from entering and using the building’s services.
That’s exactly what happened during the massive Mirai botnet attack in October 2016. The attackers first compromised tens of thousands of devices by exploiting common security vulnerabilities. Once they had control of those devices, which included webcams and DVRs, the attackers directed them to send requests to Dyn, one of the companies that acts as a backbone of the Internet. The flood of requests overwhelmed Dyn’s servers, bringing down many major websites, including Reddit, Twitter, GitHub, Airbnb, and others.
Why IoT Devices Are So Vulnerable
The ease with which botnets can be created and unleashed is part of what makes them so hard to prevent. As long as there are poorly secured devices online, there’s a chance they’ll be commandeered by a botnet.
What makes IoT devices so susceptible to attack? It comes down to two simple facts: Device manufacturers don’t prioritize security and users don’t demand it. As growth in the IoT accelerates, manufacturers are under tremendous pressure to minimize cost and time-to-market. These twin pressures are the main drivers behind the poor security practices.
While IoT devices share certain characteristics with other devices like laptops and smartphones, including high-speed internet connectivity and processing functions, they also come with device constraints that make them harder to secure than other devices. Limited computational and storage capabilities and stripped-down operating systems can make it difficult or impossible to install anti-malware or firewall software the way you would to protect your laptop.
Beyond device limitations, poor security practices on the part of manufacturers and users also play a role. Manufacturers often ship devices that are unsecured and come with default passwords that are shared across thousands (or millions) of devices. What’s worse, manufacturers are often slow to release firmware updates that would actually patch these security vulnerabilities, and many users aren’t even aware that they may need to update their firmware in the first place.
Case in point: The devices hijacked by the Mirai botnet were using the Telnet protocol, an out-of-date communications protocol that transmits usernames and passwords in plain, unencrypted text. To make matters worse, many of these devices were using default passwords hardcoded into the firmware.
On the user end, many organizations don’t change the default device settings, update passwords, or search for updated firmware until after an attack has occurred. While IT practices are well established for other parts of the organization, they often lag when it comes to the IoT. Until that changes, poorly secured devices are going to represent a major security threat.
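One way a defender can spot a device that has been hijacked the way the Mirai victims were, added here as an example and not taken from the original article: a small Go program reads gateway firewall logs for an isolated IoT segment and flags devices that open Telnet connections to many distinct outside hosts. The log lines, the interface name vlan20 and the IOT-OUT log prefix are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample of iptables-style LOG lines from a gateway that logs
// traffic leaving a dedicated IoT segment (vlan20). These are not real captures.
const sampleLog = `Oct 21 03:14:01 gw kernel: IOT-OUT IN=vlan20 OUT=eth0 SRC=10.20.0.17 DST=203.0.113.5 PROTO=TCP SPT=41234 DPT=23
Oct 21 03:14:01 gw kernel: IOT-OUT IN=vlan20 OUT=eth0 SRC=10.20.0.17 DST=203.0.113.9 PROTO=TCP SPT=41235 DPT=23
Oct 21 03:14:02 gw kernel: IOT-OUT IN=vlan20 OUT=eth0 SRC=10.20.0.17 DST=203.0.113.12 PROTO=TCP SPT=41236 DPT=23
Oct 21 03:14:02 gw kernel: IOT-OUT IN=vlan20 OUT=eth0 SRC=10.20.0.17 DST=203.0.113.12 PROTO=TCP SPT=41237 DPT=23
Oct 21 03:14:03 gw kernel: IOT-OUT IN=vlan20 OUT=eth0 SRC=10.20.0.42 DST=198.51.100.8 PROTO=TCP SPT=50001 DPT=443
Oct 21 03:14:04 gw kernel: IOT-OUT IN=vlan20 OUT=eth0 SRC=10.20.0.42 DST=198.51.100.8 PROTO=TCP SPT=50002 DPT=23
`

var fieldRe = regexp.MustCompile(`SRC=(\S+) DST=(\S+) PROTO=TCP .*DPT=(\d+)`)

// telnetScanners returns the hosts on the IoT segment that opened Telnet (TCP/23)
// connections to at least threshold distinct destinations. A camera or DVR that
// should only talk to its vendor's cloud has no reason to probe port 23 abroad.
func telnetScanners(log string, threshold int) []string {
	dests := map[string]map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := fieldRe.FindStringSubmatch(sc.Text())
		if m == nil || m[3] != "23" {
			continue // not TCP, or not Telnet
		}
		if dests[m[1]] == nil {
			dests[m[1]] = map[string]bool{}
		}
		dests[m[1]][m[2]] = true // count distinct destinations, not connections
	}
	var out []string
	for src, d := range dests {
		if len(d) >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() { fmt.Println("hosts to quarantine:", telnetScanners(sampleLog, 3)) }
```

A device on the list is a candidate for being cut off at the firewall and re-flashed with current firmware and a non-default password.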
Nine Ways to Protect Your IoT Devices
Although the highest-profile botnets to date have been used to launch DDoS attacks, there’s no reason to think that in the future malicious actors won’t use the devices’ own functionality to their advantage. Internet-connected cameras and microphones can be turned on and used for surveillance, and home thermostats can be turned up (or down) remotely and en masse. So how can you protect your IoT devices from attackers? We’ve put together some guidelines.
- Change Your Passwords! Your IT person says it all the time because it’s true. Default and common passwords are a huge security problem in general, but it’s especially true in the case of the IoT, when a single default password can grant a would-be attacker access to thousands or tens of thousands of devices – enough to create a sizeable botnet in no time. Change all default passwords, and enforce password policies that require passwords to be changed regularly.
- Authentication. Authentication ensures that your devices are connected to legitimate parties. Unfortunately, most implementations of Telnet don’t authenticate at all. (This means that when the Mirai botnet reached out to IoT devices, the devices themselves never checked to make sure the commands they received were coming from a legitimate source.) SSH and SSL are two common authentication protocols that rely on public/private key pairs to validate clients and servers. If you’ve ever used a remote login to access a network, you’ve probably used SSH.
- Encryption. Where authentication makes sure that the senders and recipients of messages are who they say they are, encryption protects the contents of the message itself. In the context of botnets, encryption prevents data from being read or altered while it’s being sent. (By default, Telnet doesn’t encrypt any data, meaning that it’s possible for anyone to intercept data sent over the connection.) TLS/SSL is the most widely used protocol for encrypting data in transit; it turns plaintext data into unreadable ciphertext.
- Chains of Trust. A chain of trust is a set of guarantees that a piece of hardware is operating in a secure state. It starts with a piece of hardware that boots from its own immutable (meaning unchangeable) memory, ensuring that the software stored in that memory can’t be modified. From there, this first piece of software verifies the signature on the next piece of code using a public key it carries. That piece of code may then verify the next piece of code, and so on. Once a piece of code has been verified, it can verify the next piece, forming a chain of trusted steps that ensures no piece of the software has been tampered with.
- Turn Off Universal Plug-and-Play. UPnP is meant to make it easier to connect and set up devices by allowing them to discover one another over a local network. Unfortunately, vulnerabilities in the protocol can allow hackers to detect devices from outside your network.
- Firewalls. Use firewalls to isolate data so that one compromised machine doesn’t give an attacker access to your whole network. There are a number of so-called “smart firewalls” out there to protect both organizational and home networks (CUJO, RATtrap, and Dojo, to name just a few). These devices act as a buffer between your devices and your internet connection, monitoring incoming and outgoing traffic. They’re constantly updated to recognize incoming threats. Some also use machine learning to detect anomalous behavior.
- Put IoT devices on a separate network. Guest networks allow users to connect to your network without gaining access to shared data and devices. You can also use these networks to wall off devices from the rest of your network.
- Keep Firmware Up-to-Date. Many users install devices and then never update them. Sometimes it’s because updating devices can only be done through annoying web interfaces, but frequently it’s just because people don’t think to do it.
- Use Secure Devices. There’s only so much you can do to protect a poorly designed device. Inexpensive IoT devices may offer tantalizing savings when it comes to procurement, but remember that the cost of a data breach may be much higher than what you saved up front. Look for manufacturers that don’t cut corners when it comes to security.
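A worked model of the chain of trust described in the list above, added here as an example and not taken from the article: each stage is signed with the previous stage’s key and carries the public key used to check the next stage, so a modified image or a swapped key halts the boot. It uses Go’s standard-library Ed25519; the stage images and key generation are constructed stand-ins for a vendor’s real signing process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link of the chain: the code image and the public key used to check
// the next stage. Signature (made with the previous stage's key) covers both fields.
type Stage struct {
	Image     []byte
	NextKey   ed25519.PublicKey
	Signature []byte
}

// stageDigest binds the image and the embedded key into the value that is signed.
func stageDigest(s Stage) []byte {
	d := sha256.Sum256(append(append([]byte{}, s.Image...), s.NextKey...))
	return d[:]
}

// verifyChain walks the stages in boot order from rootKey, the immutable ROM key,
// handing trust forward only after each stage verifies; -1 means all verified.
func verifyChain(rootKey ed25519.PublicKey, stages []Stage) (int, error) {
	key := rootKey
	for i, s := range stages {
		if !ed25519.Verify(key, stageDigest(s), s.Signature) {
			return i, fmt.Errorf("stage %d failed verification; halt boot", i)
		}
		key = s.NextKey
	}
	return -1, nil
}

// buildSampleChain signs a constructed bootloader -> kernel -> app chain with fresh keys.
func buildSampleChain() (ed25519.PublicKey, []Stage) {
	rootPub, signer, _ := ed25519.GenerateKey(rand.Reader)
	var stages []Stage
	for _, img := range []string{"bootloader v1.0", "kernel v1.0", "app v1.0"} {
		nextPub, nextPriv, _ := ed25519.GenerateKey(rand.Reader)
		s := Stage{Image: []byte(img), NextKey: nextPub}
		s.Signature = ed25519.Sign(signer, stageDigest(s))
		stages = append(stages, s)
		signer = nextPriv // the stage just signed vouches for its successor
	}
	return rootPub, stages
}
func main() { fmt.Println(verifyChain(buildSampleChain())) } // -1 <nil> on a clean chain
```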
Looking for more ways to protect your devices and data? A security expert can help identify weak points in your organization’s IT infrastructure and assist in designing a network that’s resilient against both the malware that creates botnets and the DDoS attacks they can be used to launch. To learn more about the basics of IT security, check out our article, “Inside IT Security: How to Protect Your Network from Every Angle.”