Could an Internet of Things botnet army threaten the internet?

Deborah Salmi 3 Oct 2016

A botnet comprised of network-connected household devices took down a well known security blog. Does it have the potential to break the internet?

Last week, security blogger Brian Krebs' blog, KrebsOnSecurity.com, was taken offline with a massive distributed denial-of-service (DDoS) attack. The sustained attack threw upwards of 620 gigabits per second of junk data at his site – more than enough to take down a site of that size. 

For hours, data protection company Akamai, protected his site, at their own expense, stating that " … it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed."

After a futile defense, as Krebs put it in his follow-up blog, they “chose to unmoor my site from its protective harbor.” Now the site is being protected by Project Shield, a free program run by Google to help protect journalists from online censorship.

I was startled by the enormity of this attack and what Krebs wrote on his blog before the site went offline. There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked “internet of things,” (iot) devices – mainly routers, IP cameras, and digital video recorders (DVRs) that are exposed to the internet and protected with weak or hard-coded passwords. 

After the site was down and security journalists starting getting wind of it, Dan Goodin of arstechnica.com wrote, “Until recently, a DDoS attack in excess of 600Gb was nearly impossible for all but the most sophisticated and powerful actors to carry out.”

Apparently, those were the good ol’ days of easily fixed misconfigured domain name system servers. Factor in the method of attack – using household devices that all of us own – and Goodin's statement that this gives “ … relatively unsophisticated actors capabilities that were once reserved only for the most elite of attackers,” and we have a recipe for possible internet-breaking disaster.

In my nervous state, I reached out to Avast researcher Filip Chytry for comfort. Unfortunately, he had little to offer.

Journalists say that DDoS methods that used to be reserved only for nation-state level hacking was used by "quasi-hackers" because they employed internet-connected things like cameras, lightbulbs, and thermostats to build a botnet. How likely is this scenario to be repeated? 

Unfortunately, almost all devices have some backdoor. You have to remember that they are basically small computers – yes, they have low computing power but on a mass scale it creates a huge network capable of a variety of things. So, very likely.

Could this kind of botnet be disrupted by consumers changing their device's passwords or is this a burden for the manufacturers? 

Yes and no. Part of this problem might be fixed by consumers updating their devices with the latest firmware and changing the setup (eg. password, network protocols, etc). But some of these iot devices have no real user interface which the normal consumer would be able to control or update. In that case, it might be hard to change.

How would a person even know that a lightbulb could be an internet-connected thing and do consumers have the knowledge to secure it?

Let’s say you have light bulb you can control from your smart phone. In that case, there has to be some network protocol you use over the air (Wi-Fi) to control it. There have already been security flaws discovered in smart bulbs that could leave home users vulnerable to attacks.

(Filip, sensing my agitation, sent me a video clip from The Big Bang Theory to calm my nerves. My thoughts are aligned with Penny's. What do you think?)

We have seen that smaller sites are vulnerable. What would it take to cripple Google, for example?

This method of attack is effective at taking down smaller sites, but to take down Google, it’s hard to say. Generally, all big servers are able to distribute traffic, and if they see a direct attack they can block the traffic, too. If you have a big enough network then yes, but I don’t believe at this point they can take down Google or Facebook, etc.

Is the internet threatened by an iot-enabled attack?

We really need to ask: Do we do enough to secure all the devices we want to use? Since we do not, the answer is yes. The internet is threatened by this. There are no direct guidelines or generally used methods to protect the iot space these days.

Krebs’ site is back up under the protection of Google's Project Shield. What is their capacity if Akamai couldn't keep protecting the site?

Hard to answer. Shield from Google works generally as a firewall checking each connection and payload which tries to access web pages. I believe it’s a really powerful tool, but data on how effective it is has not been revealed, and nobody wants to reveal them due to security reasons

Is this type of dangerous code easily attainable on the dark web or somewhere?

Not for each type of device, but yes, there are some botnet source codes available on the dark web and elsewhere. From those places, amateur attackers can learn the basics.

Avast customers have the Home Network Security scan available to them, so they can scan the strength of their home router and strengthen its password. What else can they do? Like the lightbulb question: can every little iot thing be secured? 

Home Network Security (HNS) is the first step to securing your home, but at this point, we are not able to protect all those IoT devices. Let’s say my home stereo (Denon X2200) was never scanned by HNS since we are not able to access it. What I would recommend is to tune the local setting of the network. Set up the main access router properly with all passwords, limit network protocols, and enable the firewall. Then do the same for each separate device in your home network. There are tools which can create a VPN tunnel out of your home network completely, so that is another recommendation.

There needs to be standardization of all iot devices setting up general requirements of each device. For example, for the lightbulb, manufacturers would be required to pass security audits before delivering this technology to the market. That should exist for each iot device. That is the only way to keep track of all those devices. 

To scan your home router, make sure you install Avast Free Antivirus.

--> -->