Attackers demonstrated the power of an IoT-fueled botnet in 2016 when the Mirai botnet took down major websites like Reddit, Twitter and GitHub. Despite the damages, no significant changes to the IoT industry occurred. As a matter of fact, consumers continue to purchase and deploy IoT devices with little care outside the guarantee that the device works and the price tag is cheap. Manufacturers continue to pump out new IoT devices at a rapid pace, often trading security for usability and affordability.
Without any incentive for device manufacturers to spend valuable development resources securing their products, conditions remain ripe for new IoT-fueled botnet attacks in 2018. As hackers continue to refine and improve their botnet code, I predict the next attack will be even larger than the record-shattering DDoS attack caused by Mirai and that it will create enough impact to trigger government regulation of IoT.
IoT botnets earned notoriety in 2016 when Mirai successfully carried out a record 620Gbps DDoS attack against security researcher Brian Kreb’s blog. It’s reported that the French webhost company OVH suffered a 1Tbps DDoS attack from the botnet at around the same time. A month later, Mirai launched an even larger attack against DNS hosting provider Dyn, knocking many popular websites offline for several hours during the day.
Since the release of the Mirai source code, other malware authors have built on the original botnet to create even more effective variants. Despite its potency, the Mirai botnet malware was relatively simple in design. It used a hard-coded list of common IoT usernames and passwords, and scanned the internet for vulnerable devices with management access exposed.
Recently this year, security firms detected another IoT botnet malware named Reaper quietly infecting internet-accessible devices. They found that Reaper didn’t rely on hard-coded usernames and passwords, and instead attempts to actively exploit known vulnerabilities in common IoT devices. Attackers are adding similar improvements to IoT malware every day.
I expect that these improvements will eventually culminate in an extremely effective botnet attack sometime in 2018, capable of infecting many more devices than anything we’ve previously seen. Most estimates put the original Mirai botnet at around 200,000 active hosts at its peak (recent variants have increased that total slightly). A more sophisticated malware paired with the estimated 30 percent increase in IoT-connected devices from 2016 to 2018 (per Gartner) means Mirai’s 1Tbps throughput record could easily be broken.
A successful attack of this magnitude would cause massive downtime and damage to whatever target is in the crosshairs, whether it be a security blog or a government organization. It would also highlight the fact that current IoT security considerations are not good enough, most likely prompting regulatory action.
So, what kind of IoT regulation could we see? That’s hard to say with certainty, but the most likely scenario would involve minimum security requirements for IoT device manufacturers. Easy targets would be ensuring remote access through Telnet or SSH is disabled by default (or removed entirely), barring the use of hard-coded passwords (or at least requiring a password change during setup), and requiring security patches to remain up-to-date, at least when the device is first shipped.
These regulations would finally provide the missing incentive for manufacturers to secure their products before selling them to consumers. Security expert Bruce Schneier has suggested similar regulations in an essay published last year, where he compares IoT security to invisible pollution; something no one cares to spend money fixing because it primarily affects other people. Unfortunately, as we have seen in other industries, some government action is likely required to protect the masses since individual companies have no business incentive to do so.
There is obviously a fine line between regulations that improve security and those that stifle innovation with excessive red tape. Legislatures would need to include actual security experts when defining the new rules to avoid causing more damage than they fix.
The European Union is the more likely government body to implement IoT security laws considering their previous moves to adapt privacy and security protections to the modern technology age. But in the long run, it may not matter who is first. If a developer is required to spend time securing their product in order to sell in a major market, it is more economical for them to sell the same, more secured, product in all markets regardless of regulations. This means that if a major government organization like the United States, the EU, or any of its member nations creates IoT minimum-security standards, the rest of the world stands to benefit.
Don’t let the lack of a major, or at least newsworthy, IoT botnet-based attack in 2017 fool you – this threat has not been resolved. The next big attack will hopefully be the final wakeup call that we need for drastic changes to the IoT industry in the form of government regulation.