Botnets made from the Internet of Things pose problems and present opportunities
Botnets are wreaking havoc on the Internet. And the primary enabler
of botnets is the Internet of Things (IoT). That enabler role must be tamed.
As the joke goes: on the Internet, no one knows you're a dog.
These days it should be reworded to say no one knows you're a bot.
Bots are nearly as old as the Internet itself. What's new about the IoT is that IoT
devices are essentially invisible to their owners and almost all of the owners are
ignorant about what IoT devices can do if compromised and how to prevent them from
being compromised. Billions of IoT devices are sold and installed each year. At present,
most are accessible to bot herders. The hardware industry has created a monster.
As of late 2018, bot herders' exploitation of IoT devices is largely confined to
using them for DDoS attacks, launched either directly by the bot herders themselves or
by wannabe attackers to whom the devices are "rented out."
In 2016, unprecedented distributed denial-of-service (DDoS) attacks were launched by
a botnet named "Mirai" that seeks out and enrolls
poorly secured IoT devices such as security cameras, digital video recorders and
Internet routers. A derivative of the Mirai botnet then blackmailed at least three
large financial institutions. Another troublesome botnet, named "WireX," was
created for Android devices.
WireX first appeared August 2, 2017. Hacked Android devices conducted some relatively
small online attacks. "Less than two weeks later, however, the number of infected Android
devices enslaved by WireX had ballooned to the tens of thousands." Several large industry
players, including Google, Akamai, Cloudflare, and Flashpoint, quickly combined forces to
take it down.
Highly visible botnets like Mirai and WireX generate immediate responses from
authorities and industry. A more subtle exploitation of botnets uses the idle
CPU cycles of captured IoT devices, Android devices, or the many other
easily compromised computers to anonymously mine cryptocurrency.
The captured bot devices work silently and surreptitiously for a botnet owner
during the 99% of the time the IoT devices are otherwise idle, and send the valuable
resulting bitcoins to the bot herder as they are found. The same technique could be
applied to Machine Learning computations.
IoT devices are being inserted willy-nilly into hundreds of different products. Relatively
few purchasers are aware that the products contain a general-purpose computer that
can easily be hacked, let alone how to secure the devices. Home
hubs and routers should, in any case, insulate them from the Internet at large.
Kaspersky Lab has begun looking at such issues in the IoT.
Their findings are startling, especially given Kaspersky's
relationship with Russian Intelligence.
What they are finding about American IoT vulnerabilities would be quite useful in a
Russian cyber-attack on US elections, electric power infrastructure, or commerce.
Best practices for end users to reduce the risk of being recruited into a botnet include:
regularly updating devices with the latest firmware; changing devices' default
credentials; using intrusion detection and prevention systems; and being wary of
known attack vectors, such as unsolicited emails. Needless to say, naive, digitally
illiterate consumers do not follow such guidelines.
Therein lies an interesting opportunity for makers of IoT devices -- IoT as a service!
Manufacturers of IoT devices could take on the responsibility for keeping the devices safe,
and in return, use the idle time of the devices for money-making computing services such as
cryptocurrency mining. And they could rebate to the consumers a portion of the profits. This
business model would benefit everyone. The "first movers" into the business model might
very well become the giant corporations of the future cyber world.
A similar business model is already provided by WinMiner.
To play the role proposed here, WinMiner would only need to take logical custody of your
IoT devices via the Internet, manage the Internet security of those devices, and also
ensure that they could play their designated IoT role when needed.
Last revised 9/4/2018