When is an IoT Botnet not an IoT Botnet?
By Mychal McCabe
IoT botnets continue to make news, with new strains of malware infecting a range of internet-connected devices and then using those devices to participate in historically large distrubuted denial of service (DDoS) attacks.
By some estimates the Mirai strain of malware has infected over one million devices since it emerged, with more to come following its release to the public last month. If you are following this trend and haven’t heard of Bashlight or the Linux/IRCTelnet derivative of Aidra, give it time. Linux/IRCTelnet is said to have infected 3500 devices in the five days since it launched.
While the impact of these attacks and the challenges that they represent are very real, it’s worth asking if these attacks are actually leveraging the Internet of Things. Specifically: the IoT as we’ve come to understand it these last few years: a system of systems connecting edge and cloud, with northbound data and southbound control moving freely across the topology alongside virtualized applications and value added services.
The list of effected devices cited in coverage of the attacks is relatively small and includes wireless gateways, cellular routers, and internet-connected DVRs, printers, and web cameras. With few exceptions these devices have been around for a long time. To describe them as IoT devices is to miss the point of IoT in a rush for relevant headlines and the clicks that come with them. They are IoT devices only to the extent that long time embedded device developers will claim to have been doing IoT for decades.
The culprits responsible for compromising these devices are the usual ones: firmware that is either buggy, out of date, or both. Default device credentials that have not been reset by end users or operators. Ease of use or lack thereof is cited as a primary reason why non-expert users have not updated their firmware.
While this list is entirely familiar to people concerned with security, it should also give pause and prompt some genuine soul searching as embedded evolves toward its IoT future. With more of what we make becoming connected, with the drive to bring autonomy to more of what we make, the stakes for security will only become higher.
Alex Devries and Tim Skutt have posted two recent blogs on this threat and I encourage you to check them out:
IoT Zombies are Eating the Internet
Immunization Against the IoT Zombie Horde