Vendors waiting to add effective security measures to their IoT devices may be too late--the Reaper is coming.
Also known as IoT Troop, the Reaper IoT botnet is already two million devices strong and growing, built using software that targets and exploits known IoT device security flaws. IoT botnets pool the collective bandwidth of a vast number of compromised IoT devices, which attackers then use for nefarious purposes that often include distributed denial-of-service (DDoS) attacks. They represent significant threats to the stability and safety of both the burgeoning IoT industry and the Internet as we know it. We’ve already seen what IoT botnets are capable of, and Reaper has now become the largest of its kind.
The code at the heart of Reaper is a descendant of what was used by the Mirai IoT botnet, which amassed an army of compromised devices commandeering as many as 10 million IP addresses. Mirai wreaked havoc during two massive DDoS attacks last year. The first of these assailed the DNS provider Dyn and succeeded in taking 1,200 websites offline, including Amazon, Twitter, Spotify, and GitHub. The second Mirai attack managed to effectively deny Internet service to the entire country of Liberia.
To put these attacks in perspective, each delivered a steady 500 Gbits/second stream of disruptive data for a period of minutes. This was more than enough power to overwhelm their targets and render them unreachable.
Ominously, this disruptive power is limited only by the number of infected devices that attackers are able to command. Experts anticipate that if the IoT continues to grow as swiftly as expected (to 20 billion devices by 2020), IoT botnets will deliver DDoS attacks with a power of 10 Tbits/s – significantly elevating the consequences from what we’ve seen thus far.
Make no mistake about it: Reaper is simply the latest in what may be an escalating series of powerful botnets.
IoT devices could be inoculated against the Mirai botnet by addressing the weak default passwords that allowed those devices to be controlled. But Reaper presents a more sophisticated challenge. To stop Reaper from succeeding in recognizing and infecting devices with specific known vulnerabilities, those devices must be actively updated with security patches, and security must be vigilantly maintained for the long haul.
It’s important to acknowledge that security patches don’t just happen; they only become available when OEMs support their devices, and invest in security teams capable of responding effectively when exploits are discovered. Unfortunately, a great many OEMs produce IoT devices today that are rarely patched, or that simply are incapable of being patched. This renders them defenseless when a botnet like Reaper arrives.
Two other factors complicate IoT device security. First, even when patches are available and responsible end users apply them regularly (say, monthly), this still leaves gaps of time where devices with outdated security are vulnerable.
Second, attackers using Reaper may infect devices and then wait for a future moment to make use of them, thus making it unlikely that device owners will recognize anything out of the ordinary. If Mirai is any indication, the end user won’t know what their IoT devices have been involved in even after attacks.
An IoT ecosystem made up of devices prone to security failures isn’t good for customers, and ultimately isn’t good for manufacturers or the reputation of the emerging industry as a whole. OEMs need to take the rise of Reaper as a wake-up call, and make a much stronger commitment to providing devices capable of frequent, automatic security patching, along with built-in behavioral monitoring and alerting capabilities to recognize when attempts to compromise devices occur.
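As an added illustration, not code from the article or from zvelo, here is one shape the built-in behavioral monitoring recommended above could take on a device. It reads constructed sample lines in a hypothetical access-log format and raises an alert for a source that repeatedly fails authentication (the weak-credential pattern Mirai relied on) or that probes many distinct paths in a short window (the pattern of a bot searching for known flaws, as Reaper does); the format, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical device access-log format:
# "<ISO timestamp> <source ip> <method> <path> <status>"
SAMPLE_LOG = """\
2017-10-24T10:00:01 198.51.100.7 GET /login 401
2017-10-24T10:00:02 198.51.100.7 GET /login 401
2017-10-24T10:00:03 198.51.100.7 GET /login 401
2017-10-24T10:00:04 198.51.100.7 GET /login 401
2017-10-24T10:00:05 198.51.100.7 GET /login 401
2017-10-24T10:00:06 198.51.100.7 GET /login 401
2017-10-24T10:00:10 203.0.113.9 GET /cgi-bin/a 404
2017-10-24T10:00:11 203.0.113.9 GET /cgi-bin/b 404
2017-10-24T10:00:12 203.0.113.9 GET /setup 404
2017-10-24T10:00:13 203.0.113.9 GET /admin 404
2017-10-24T10:00:14 203.0.113.9 GET /system 404
2017-10-24T10:01:00 192.0.2.5 GET /status 200
2017-10-24T10:02:00 192.0.2.5 GET /status 200
"""

WINDOW = timedelta(seconds=60)
AUTH_FAIL_LIMIT = 5      # failed logins from one source inside the window
DISTINCT_PATH_LIMIT = 4  # different paths probed by one source inside the window

def parse(lines):
    """Yield (timestamp, source, path, status) for each log line."""
    for line in lines.splitlines():
        ts, src, method, path, status = line.split()
        yield datetime.fromisoformat(ts), src, path, int(status)

def detect(log_text):
    """Return alerts as (source, reason) tuples, at most one per source."""
    events = defaultdict(list)  # source -> [(time, path, status)]
    for ts, src, path, status in parse(log_text):
        events[src].append((ts, path, status))
    alerts = []
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):  # slide a window over each start
            window = [e for e in evs[i:] if e[0] - start <= WINDOW]
            fails = sum(1 for _, _, st in window if st in (401, 403))
            paths = {p for _, p, _ in window}
            if fails >= AUTH_FAIL_LIMIT:
                alerts.append((src, "credential guessing"))
                break
            if len(paths) >= DISTINCT_PATH_LIMIT:
                alerts.append((src, "vulnerability probing"))
                break
    return alerts
```

On a real device the alert would be pushed to the owner or a vendor service rather than returned, and the thresholds tuned to the device's normal traffic so that legitimate management tools are not flagged.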
Yes, it’s possible the steps I recommend could slightly alter time-to-market, or add a couple dollars to a price tag. But it’s the best solution for all involved. And it really is the manufacturers of IoT devices themselves that are best positioned to recognize these issues and build products able to address them.
--Jeff Finn is CEO at zvelo, a provider of categorization services for Web content, Web traffic, and connected devices.