Revisiting Embedded Security Amid the Rise of IoT Botnets


Source: 上海樊伊电子科技有限公司       Published: 2018-01-14 20:46

Botnets Bring Battles In IoT: Revisiting Embedded Security

By Majeed Ahmad for Mouser Electronics 

The rise of botnets targeting the Internet of Things (IoT) has emerged as a clear and present danger for rapidly growing new industries such as home automation, smart cities, and industrial networking. While botnets unleashing Distributed Denial-Of-Service (DDoS) attacks have been known for quite some time, botnets specific to the IoT aren't necessarily new either.

However, what is new about IoT botnets is the realization of how devastating they can be, and the fact that inadequate security can blow up the IoT party at a time when embedded systems are being hooked up to the Internet in droves. This article explores botnets in terms of IoT device security vulnerabilities, as well as identifies key ways to secure devices against them.

Botnets And Their Potential Exploits

A botnet is a collection of connected devices that have been infected with malware, allowing an attacker to gain remote control and coordinate actions like launching a DDoS attack. Botnets, also known as zombie armies, can also be used to send spam emails, sniff out sensitive passwords, and spread ransomware.

IoT botnets differ from their Windows-based counterparts in that they’re built from compromised IoT devices, and they can spread to a huge number of devices using the vast IoT network. Moreover, unlike common botnets, which are mostly used to spam, IoT botnets can cause far greater damage by impacting the physical environment around IoT devices.

For instance, an IoT botnet attack on traffic lights can create chaos across an entire town and ravage smart city infrastructure. Likewise, hackers can increase the heat levels in smart homes and artificially boost the demand for oil or gas.

Another stark difference is that unlike personal computers and servers, which are protected by safety features such as malware detection and firewall filtering, IoT devices are becoming attractive targets for botnets because they generally don't use such advanced security features.

The rise of IoT botnets was predicted to become a threatening cyber security trend in 2016, but the IT security community dismissed the threats posed by these IoT botnets. At that time, the threat was generally perceived as being fairly limited, though before long, toolkits became available that enabled botnets to take advantage of vulnerabilities in unsecured IoT devices. The Mirai attack in October 2016 was a key turning point.

Mirai—and another IoT botnet called Bashlight—exploited the vulnerability in a pared-down version of the Linux operating system used in embedded devices like IP cameras and Digital Video Recorders (DVRs). By doing so, these IoT botnets took advantage of a known vulnerability in devices such as webcams and then downloaded malware from a Command-and-Control (C&C) server.

Next, they began spreading this malware to other vulnerable devices by continuously scanning for default or hard-coded usernames and passwords. That’s how they launched DDoS attacks by infecting a vast number of connected devices. More than 150,000 IP cameras were used by the Mirai bot malware.

Botnets Highlight Flaws In Embedded System Design

Mirai delivered the wake-up call on the dangers of unsecured networked devices at a time when the number of Internet-connected devices is at an all-time high and still growing. Market research firm Gartner predicts 20.8 billion connected objects joining the IoT bandwagon by 2020. Mirai also showed how hackers could take control of any vulnerable IoT device and enslave it into a botnet. Mirai and other IoT botnets raised the profile of embedded security and highlighted the key flaws in embedded systems design:

  • The quest for simplistic IoT designs and the choice of low-cost components inevitably make embedded security an afterthought.
  • IoT devices have just enough processing power and memory space for the bare minimum functionality, thus pushing security considerations to the back seat.
  • Strict deadlines and time-to-market pressures sometimes lead IoT developers to bypass security design components altogether.
  • Many IoT designs are based on the reuse of software and hardware components to simplify design and lower cost. However, this reuse also exposes default credentials in entirely different classes of IoT devices.
  • Detecting infection of embedded devices is inherently difficult because they lack OS transparency and easy access; rather than accessing the OS itself, monitoring and detection are done through cumbersome access points like web browsers or smartphone apps.
  • The majority of embedded systems run on some variant of Linux, which is not secure unless it’s properly patched, configured, and hardened. Hackers have mostly been exploiting Linux loopholes in routers and set-top boxes.
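
The default-credential and component-reuse flaws listed above can be checked before a product ships. The following is an added example, not code from the original article: it audits the `/etc/shadow` files of several firmware images for accounts with an empty password and for accounts whose password hash is identical across images, which indicates a credential baked in through shared components. The image names and hash values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: /etc/shadow contents from three hypothetical
# firmware images (image names and hash strings are made up).
SAMPLE_IMAGES = {
    "ipcam-fw": "root:$1$abcdefgh$0123456789abcdefghijkl:0:0:99999:7:::\n"
                "nobody:*:0:0:99999:7:::\n",
    "dvr-fw": "root:$1$abcdefgh$0123456789abcdefghijkl:0:0:99999:7:::\n"
              "admin::0:0:99999:7:::\n",
    "router-fw": "root:$6$uniqsalt$ZYXWVUTSRQPONMLKJIHGFEDCBA:0:0:99999:7:::\n"
                 "service:!:0:0:99999:7:::\n",
}

def parse_shadow(text):
    """Yield (user, password_field) for each well-formed shadow line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            yield fields[0], fields[1]

def is_locked(pw):
    """Fields starting with '*' or '!' cannot be used for password login."""
    return pw.startswith(("*", "!"))

def audit(images):
    """Return sorted (issue, account, image-or-images) findings."""
    findings = []
    seen = defaultdict(set)  # (user, hash) -> images that ship it
    for image, text in images.items():
        for user, pw in parse_shadow(text):
            if pw == "":
                # Account accepts a login with no password at all.
                findings.append(("empty-password", user, image))
            elif not is_locked(pw):
                seen[(user, pw)].add(image)
    for (user, _pw), imgs in seen.items():
        # Same salted hash in several images: one password baked into all.
        if len(imgs) > 1:
            findings.append(("shared-credential", user, ",".join(sorted(imgs))))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_IMAGES):
        print(*finding, sep="\t")
```

A non-empty result is a reason to block the release until each device gets a unique credential or the password login is disabled.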

IoT botnets have already impacted IP cameras, Wi-Fi routers, webcams, and set-top boxes, and they have been used to launch DDoS attacks against online gaming services. Hackers have also unsuccessfully attempted to use Deutsche Telekom's routers as devices for a botnet.

What's next? Smart fridges, light bulbs, door locks, and connected cars? These botnets and their creators could cause devastation on a much larger scale when unleashed on banks, hospitals, and smart city infrastructure.

Robust, Multilayer Security Protection Is Key

So, how do we build robust levels of security in connected products against this wild card? How do we implement security at multiple levels—from sensors to IoT nodes all the way to the cloud—in order to secure multiple entry points in the IoT network? Cornerstones of secure embedded systems include:

  • Developing multilayer security protection in embedded system design, including securing nodes, storage, the network, and the ecosystem as a whole.
  • Designing secure embedded hardware.
