Botnets: A Major Issue in the IoT Ecosystem

IoT is a system of interconnected devices in which the devices can communicate and perform data transfer without any interference from humans. We can say without any human-machine communication, as IoT follows machine-to-machine communication. The rise in the number of devices connected to the internet has been significant. By the end of 2020, 31 billion devices connected to the internet will be installed at the 127 new IoT devices per second. As the number of devices increases at such an alarming rate, it becomes difficult to secure the IoT ecosystem from attacks. There are a lot of threats and vulnerabilities, but the one which has proven to be one of the worst is the presence of botnets in the IoT world.

What are Botnets?

A botnet is a network of devices in the IoT ecosystem, but the twist is that all the devices in this network are compromised or controlled by an adversary or intruder. These botnets work for objectives which are mostly illegal and used to harm some organization. However, there are some cases where botnets are correctly used, such as when they are used to keep unwanted users out of the internet relay chats. The devices in the botnet are also known as ‘zombies’ when they are compromised. These devices are infected/compromised with the help of malicious software, which has been put into them through various methods, like a virus delivered through an email attachment or by downloads. In most scenarios, the bot malware is not detectable because it works in the background, and then these bots work as slaves under the commands of the central server system.

How do these botnets contribute to attacks on the IoT Ecosystem?

A botnet is a network of compromised systems/devices. The purpose of making this network is to find as many vulnerabilities as possible in the IoT Ecosystem. A botnet doesn’t work in a manner to find some specific target or issue. Rather, it works in a way where the master of this whole network tries to add more and more devices to the botnet. Finding vulnerabilities in the network can be more effectively automated by using the strength of the compromised devices.

DDoS attacks are based on the principle of multiple infected systems/devices, which are used to send invalid inputs to the target systems. These inputs could lead to the malfunctioning of an entire network. This is how a botnet helps DDoS attacks by providing multiple infected systems to perform traffic flooding attacks.

Multiple attacks have happened in the IoT world, which has shown us how prone IoT is to attacks from a botnet. An example is the Mirai botnet, which was used to target devices using default weak passwords. The malware was injected into those devices, and a network of 6 million devices was made to initiate DDoS attacks against websites like Netflix, Twitter, GitHub, etc. Brickerbot is also a prime example. Brickerbot uses passive exploits to infect systems/devices, and it also launches a permanent DoS attack on those devices, eventually bricking them. Two other botnet examples are echo bot and IoTroop, which are active and are much more aggressive than other botnets because they directly destroy the devices.

Aidra was a botnet created way back in 2012 and was used to search open telnet ports and access the devices by using default credentials. Hydra was another botnet that was open-sourced. It was made in 2008 with the same capabilities as Aidra, attacking default or similar credentials freely available. Bashlite was malware that was used to compromise Linux-based IoT devices to launch a DDoS attack. Researchers found that, until 2016, Bashlite compromised almost 1 million devices. LuaBot - the first-ever malware written in LUA - was made to target servers running on Linux. Persirai, a botnet detected by a company called “Trend Micro,” was used to attack the plug-and-play protocol used in IP Cameras.

There are a lot of reasons hackers get lured to IoT devices. These reasons include the issue of device management (which is the presence of weak credentials), insecure settings of the devices, lack of maintenance, and use of old components. IoT devices are always on and connected to the internet because they are used for monitoring assets in various industries. This always-on aspect makes them easy targets. The lack of standards by regulatory bodies like IEEE, ISO for taking care of the data, privacy and security is also a reason which makes the IoT ecosystem an easy target for hackers and even the manufacturers only focus on the quantity of IoT devices instead of which they should focus on following baseline security measures while making IoT devices. This also makes the IoT ecosystem vulnerable. These issues make IoT devices susceptible to being compromised and becoming part of a botnet.

How to prevent the IoT Ecosystem from Botnet Attacks?

It is difficult to prevent attacks that are initiated with the help of botnets. There are many reasons for this difficulty, like companies neglecting to improve the security of their network due to cost, and many users are not aware of these attacks. A lack of communication between different organizations is also a problem because botnets don’t have specific targets. This is why all the organizations in the market need to come together to find a solution to this.

Still, there are preventive measures and methods which can save the IoT ecosystem from botnet attacks. Most of these methods are applicable only at the network level because, at the physical level, it is impossible to apply these methods to each device. Three ways to prevent these attacks are:

1. Secure the network with firewalls.
2. Update all software and firmware so that all the devices have the latest security patch updates.
3. And follow proper device management.

These steps are the primary steps to secure the network. These may not make the network foolproof but are important. Monitoring the traffic logs to find any malicious activity could help in finding the bots or the compromised devices. Keeping the IoT devices on separate networks could also help.

Along with this, the local network would require all the protections given to a normal network, like firewalls or IDS/IPS. There is also a technique called “fuzzing” to make the devices withstand the botnet attack. In this technique, devices are tested by sending constant invalid input until they reach a point where they start malfunctioning. This is done to check the level at which the device can withstand these DDoS attacks.

Conclusion

Nowadays, botnets are not only made by the central server master to perform attacks such as DDoS. Instead of this, hackers made a market out of it. They make botnets by compromising vulnerable devices, and then they sell that botnet. This indicates that there are people who want to attack organizations for specific purposes, such as financial growth. Organizations need to come together to confront this botnet problem. Going all alone for an organization is not useful against botnets. They could be distributed over a large geographical area, making it next to impossible for a single party to tackle it.

This makes it even more important for industries or organizations to focus on prevention methods. The number of devices is increasing day by day, along with their chances of getting compromised and becoming a part of a botnet.