In October, 2016 the Mirai malware made headlines for doing just that. Utilized in the attack on Dyn, a company that hosts, manages, and maintains a substantial part of the Internet’s infrastructure, Mirai operates by attacking Internet of Things devices, gradually forming a botnet of zombified smartwatches, printers, and other Internet-connected “smart” devices to fuel a Distributed Denial of Service attack. These attacks essentially function by assaulting their target with so much traffic that the target shuts down. This brought down dozens of sites including Twitter, Netflix, Reddit, CNN, and many more in one of the largest-scale cyber attacks to date.
These DDoS attacks were once primarily powered by the familiar desktop computer, but with the boom in popularity of IoT devices, these devices are becoming a much more popular vehicle for the attacks.
This rise in popularity is due to a few factors. Firstly, the use IoT devices has been spreading both in popularity and in implementation, as was mentioned above. Therefore, zombifying them to be a part of a botnet boils down to basic tactics–there’s strength in numbers, so it makes more sense to utilize as many devices as possible. So, if there are seven IoT devices in a household that share one laptop, a botnet that utilizes on of the IoT devices will have six more devices at its disposal than it would have otherwise.
Secondly, there’s the matter of the security built into the devices themselves. How much thought would you think a manufacturer would put into the cyber security of a refrigerator? However, with refrigerators that now have “smart” features through Wi-Fi connectivity, cyber security is something that needs to be considered, and too often isn’t.
As an example that’s tinged with just a bit of irony, a security researcher decided to put the security of a particular IoT device to the test by monitoring a newly-purchased security camera. It took less than two minutes (closer to a minute and a half) for Mirai to infect the camera, despite the researcher’s precautions.
Unfortunately, there’s little that a user can do to protect their IoT device from infection. However, the industry is gradually catching on and taking steps toward protecting these devices from external threats, so hopefully the trend of IoT botnets will be relatively short-lived.
How many IoT devices do you own; and, what precautions do you take to keep them from being a hindrance to your network security? Share your story with us in the comments.