IoT Botnets: A hacker’s paradise

Jack Sullivan
Sep 7, 2018 · 4 min read

Industry 4.0 is the term that describes the next industrial revolution. It is focused on today’s trends of automation and data exchange technologies in machine-to-machine communication for manufacturing and other fields. From street cameras in smart cities, virtual assistants in smart homes and radar lasers in autonomous cars to sensors on machinery in smart factories, everything is becoming connected. It is estimated that there will be over 20 billion connected devices by 2020.

However, one topic that is commonly brought up with IoT is security. Security is still very much an afterthought when it comes to IoT. One of the main reasons is that the idea of connecting constrained devices is relatively new. IoT products are sold with generic and unpatched operating systems, software and security bugs. Many devices come with default usernames and passwords. Oftentimes the consumer is not given the ability to change the defaults, so unsecured devices are out there, ready and available to participate in a botnet.

Before IoT systems were in place, SCADA systems dominated the market, and they are still widely present. SCADA is a control system of hardware and software elements for supervisory management and is subject to a malicious computer worm known as “Stuxnet”. First discovered in 2010, it attacked programmable logic controllers (PLCs), which automate critical parts of the industrial facility process. Iran’s nuclear program suffered the most from the Stuxnet worm. The worm targeted the centrifuges, causing them to overheat. The majority of SCADA systems are outdated now, so incorporating an IoT system to work with them or replace them makes sense. Although IoT systems are also subject to malicious code themselves, they are easier to monitor and patch in an industrial setting. As the name implies, industrial IoT systems use IoT applications in the manufacturing industry. Manufacturing companies are already benefiting from this through improved efficiency, reduced costs and improved security.

In the past, a botnet was a network of computers infected and controlled as a group, but when you add all of these connected devices with default usernames and passwords, it’s a paradise for hackers and “script kiddies”. From this, the term “IoT botnets” was born. This includes consumer IoT devices like cameras, routers, DVRs, wearables, or any other device that can connect to the IoT network. Another reason IoT devices are easier to access is that they are always on and ready to go, which means hackers can set up an IoT botnet in minutes and automate an attack.

Below are some of the largest hacks caused by IoT botnets in recent years:

Mirai Botnet — 2016

This botnet infected numerous IoT devices, primarily older routers and IoT cameras, and then used these devices to flood DNS provider Dyn with a DDoS attack. This attack took down massive sites like Etsy, GitHub, Netflix, Spotify, Twitter and many more. The hackers were able to gain control of these devices because the devices’ usernames and passwords had not been changed from the defaults.

Bashlite Botnet — 2014

This botnet worked much like the Mirai botnet, infecting old IoT devices with default usernames and passwords. The code was published in 2015, and variants of this botnet reached over 100,000 infected devices.

Since the introduction of IoT botnets, there have been vigilante hackers out there who also attempt to infect vulnerable IoT devices. Instead of hacking these devices, though, they force owners to make them secure. One such case was called the “Hajime botnet”. It worked much like the Mirai and Bashlite botnets in that it targeted unsecured IoT devices with default usernames and passwords. It secures the device by blocking access to four different ports (23, 7547, 5555, and 5358), taking the threat away from Mirai and other botnets.
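A device owner can verify that same port coverage on their own firewall. The following is an added example, not code from this article or from Hajime: it reads a ruleset in `iptables-save` format and reports which of the four ports listed above an arbitrary remote host could still reach. The function names and the sample ruleset are constructed for illustration; the ports are assumed to be TCP, and rules limited by source address, interface or negation are skipped.

```python
# Ports the article lists as closed by Hajime; assumed here to be TCP services.
HAJIME_PORTS = (23, 7547, 5555, 5358)

# Constructed sample in iptables-save format (not taken from a real device).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m multiport --dports 5555,5358 -j REJECT --reject-with tcp-reset
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 7547 -j DROP
COMMIT
"""

def _opt(tok, *names):
    """Return the value following the first of `names` present, else None."""
    for n in names:
        if n in tok and tok.index(n) + 1 < len(tok):
            return tok[tok.index(n) + 1]
    return None

def _matches(spec, port):
    """True if an iptables port spec ('23', '5555,5358', '5000:6000') covers port."""
    if spec is None:              # rule has no port match: applies to every port
        return True
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo or 0)
        high = int(hi or 65535) if sep else low
        if low <= port <= high:
            return True
    return False

def exposed_ports(ruleset, ports=HAJIME_PORTS):
    """Ports still reachable by an arbitrary remote host (first matching rule wins)."""
    policy, verdict = "ACCEPT", {}
    for line in ruleset.splitlines():
        tok = line.split()
        if tok[:1] == [":INPUT"]:
            policy = tok[1]       # chain default, used when no rule matches
        if tok[:2] != ["-A", "INPUT"] or _opt(tok, "-j") not in ("ACCEPT", "DROP", "REJECT"):
            continue
        state = _opt(tok, "--ctstate", "--state")
        if (_opt(tok, "-p") not in (None, "tcp")             # other protocols
                or any(t in tok for t in ("-s", "-i", "!"))  # restricted or negated match
                or (state and "NEW" not in state.split(","))):  # established flows only
            continue
        for p in ports:
            if p not in verdict and _matches(_opt(tok, "--dport", "--dports"), p):
                verdict[p] = _opt(tok, "-j")
    return sorted(p for p in ports if verdict.get(p, policy) == "ACCEPT")

if __name__ == "__main__":
    print("still exposed:", exposed_ports(SAMPLE_RULES))
```

In the constructed sample, the rule for port 7547 only drops traffic from one source address, so that port falls through to the chain's default ACCEPT policy and is reported.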

Solution?

In my opinion, educating consumers to change the username and password once an IoT device is purchased would be a short-term solution. To prevent cases like those above from happening in the future, there needs to be a top-down redesign of IoT devices for security. First of all, where is the demarcation? Who is responsible for the device security when it is sold? Is it the buyer or the seller? There are arguments for both sides. Something needs to be done, and it needs to be done properly and coordinated by large bodies who can influence the change and define the standards for IoT security, as the market for hackers is getting larger.

*views expressed here are personal and do not represent any company.

Thanks to Bart Ruairí

Written by Jack Sullivan, Intern at Oracle & student at UCC
