
IoTroop targets vulnerable devices in massive botnet buildup

A massive botnet like IoTroop (aka Reaper) doesn't coalesce overnight. Botnets are assembled over time, stealthily, out of sight of law enforcement and public attention, because a botnet is of little use to its operator until it reaches critical mass: a large enough population of hijacked devices. Recruitment is always ongoing, and it has increased significantly in recent weeks, as illustrated by Check Point's alarming discovery of IoTroop earlier this month.

The buildup of this massive and potentially dangerous IoT-based botnet should be a wake-up call to the industry, particularly in the aftermath of the crippling distributed denial-of-service (DDoS) attacks executed by the infamous Mirai botnet last year. Although the identity and intentions of IoTroop's creators and operators remain unknown, over a million organizations worldwide have already been affected by it. Companies should therefore prepare for a potential DDoS onslaught by putting effective defensive mechanisms in place before any attack is launched.

The industry must also adopt a proactive approach to IoT security rather than simply triaging the latest symptom of a vulnerable ecosystem. Simply put, the bunker strategy of hunkering down to protect services from a formidable DDoS onslaught is no longer tenable, or even effective, in the age of IoT. While it may not be realistic to protect every single IoT device, the industry should work to deprive botnets of fresh recruits by protecting connected endpoints. By altering the cost-benefit ratio for attackers, the industry can make the formation of large botnets impractical and expensive.

This can be accomplished by:

  1. Reducing the IoT endpoint attack surface. Disable extraneous remote communication protocols and require robust authentication so that only authorized entities (services) can connect to the device. IoT devices often run software from disparate sources, so it is not always practical for IoT OEMs to verify that every component is free of bugs and exploitable vulnerabilities. Disabling unused remote access protocols and blocking unauthorized access at the transport or network layer limits what an attacker can reach, even while such vulnerabilities remain unpatched.
  2. Early detection. We know that no system is 100% secure. When it comes to IoT devices, cost restrictions and market considerations often leave security controls too weak to withstand remote attacks. Botnet operators take advantage of these lapses by stealthily recruiting unprotected devices.

    Real-time detection of infected devices is one way to help service providers address security issues at a relatively early stage, thereby reducing the number of endpoints botnets can draw on. Early detection can be implemented by analyzing anomalous or suspicious device (edge) behavior within a cloud-based platform. Most IoT devices perform a single function, or a limited set of functions, so their behavior tends to be far more predictable than that of multifunctional devices such as smartphones: a device that suddenly talks to new ports or to many more hosts than it ever has is worth a closer look. Machine learning techniques can then be used to reduce false positives and automate the behavioral learning process.

  3. Recoverability. To avoid the recruitment of additional devices, quick action is required once suspicious or anomalous behavior is detected. After a successful attack, recoverability can be achieved by physically servicing affected devices, but this approach is costly, time-consuming and often impractical due to various constraints. Over-the-air recoverability, where security updates are pushed to the device via the internet, is the fastest and most efficient way to provide in-field recoverability, provided the update channel itself authenticates the source of the update so that it does not become another way in. This approach is the most effective because it immunizes (patches) devices that are not yet infected while, in some cases, also fixing devices that have already been exploited.
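The behavioral baseline described under early detection (item 2) can be made concrete. The following is an added example, not code from the original post or from any vendor's platform. It assumes a cloud-side collector that exports one connection record per line in a constructed format, `device dst_ip dst_port proto`, and it learns a per-device profile (destination ports seen, and the largest number of distinct destination hosts seen in any training window) from clean traffic. A live window is then flagged when a device contacts ports outside its profile or fans out to far more hosts than its baseline, the kind of scanning a newly recruited bot performs. The device names, addresses and threshold factor are all constructed for illustration.

```python
"""Behavioral anomaly detection for single-purpose IoT devices.

Added example, not code from the original post. Assumes a hypothetical
collector record format: "device dst_ip dst_port proto" (one per line).
All device names, addresses and windows below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    device: str
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class Profile:
    """Learned 'normal' for one device."""
    dst_ports: set = field(default_factory=set)  # ports seen during training
    max_fanout: int = 0  # most distinct destination hosts seen in one training window


def parse_flow(line: str) -> Flow:
    """Parse one constructed collector record."""
    dev, ip, port, proto = line.split()
    return Flow(dev, ip, int(port), proto.lower())


def learn_profiles(windows):
    """Build per-device profiles from a list of clean training windows."""
    profiles = defaultdict(Profile)
    for window in windows:
        fanout = defaultdict(set)
        for line in window:
            f = parse_flow(line)
            profiles[f.device].dst_ports.add(f.dst_port)
            fanout[f.device].add(f.dst_ip)
        for dev, ips in fanout.items():
            profiles[dev].max_fanout = max(profiles[dev].max_fanout, len(ips))
    return dict(profiles)


def detect(profiles, window, fanout_factor=3):
    """Return {device: sorted list of reasons} for devices deviating from profile.

    fanout_factor is a constructed threshold: a device may contact up to
    fanout_factor times its baseline number of distinct hosts before it is flagged.
    """
    reasons = defaultdict(set)
    dsts = defaultdict(set)
    for line in window:
        f = parse_flow(line)
        p = profiles.get(f.device)
        if p is None:
            reasons[f.device].add("device not in baseline")
            continue
        dsts[f.device].add(f.dst_ip)
        if f.dst_port not in p.dst_ports:
            reasons[f.device].add(f"new destination port {f.dst_port}")
    for dev, ips in dsts.items():
        limit = fanout_factor * max(1, profiles[dev].max_fanout)
        if len(ips) > limit:
            reasons[dev].add(f"fan-out {len(ips)} distinct hosts exceeds limit {limit}")
    return {dev: sorted(r) for dev, r in reasons.items()}


# Constructed training data: two cameras that only reach a cloud API (443/tcp)
# and an NTP server (123/udp). Documentation address ranges are used throughout.
TRAINING_WINDOWS = [
    [
        "cam-01 203.0.113.10 443 tcp",
        "cam-01 203.0.113.20 123 udp",
        "cam-02 203.0.113.10 443 tcp",
        "cam-02 203.0.113.20 123 udp",
    ],
    [
        "cam-01 203.0.113.10 443 tcp",
        "cam-02 203.0.113.10 443 tcp",
    ],
]

# Constructed live window: cam-02 behaves normally; cam-01 keeps its normal
# API traffic but also probes twelve new hosts on 23/tcp and 2323/tcp.
LIVE_WINDOW = [
    "cam-01 203.0.113.10 443 tcp",
    "cam-02 203.0.113.10 443 tcp",
    "cam-02 203.0.113.20 123 udp",
] + [f"cam-01 192.0.2.{i} {23 if i % 2 else 2323} tcp" for i in range(1, 13)]


def run_demo():
    """Learn from the constructed training windows and score the live window."""
    return detect(learn_profiles(TRAINING_WINDOWS), LIVE_WINDOW)


if __name__ == "__main__":
    for dev, why in run_demo().items():
        print(f"{dev}: {'; '.join(why)}")
```

Running it flags only cam-01, for both the unseen ports and a fan-out of 13 hosts against a limit of 6. The fixed multiplier is deliberately crude; it is the place where the machine learning the post mentions would replace a hand-set threshold and suppress false positives, for example when firmware legitimately adds a new endpoint.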

There is no single solution capable of completely immunizing IoT devices against every attack. Connected endpoints will always be a target, but the industry should collectively and proactively fight botnets rather than passively weather a slew of destructive and costly DDoS offensives. By making devices more resistant to hijacking, we can deprive botnets of unprotected endpoints and blunt the DDoS attacks they would otherwise power.

All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.