Botnets via Internet of Things - IoT

A new wave of attacks that convert IoT devices into botnets is on the rise.

IoT botnets are a powerful way for attackers to carry out large-scale attacks with little effort.

Cyber attacks are increasing more than ever, impacting Internet users worldwide.

Cyber crime and attacks are becoming more sophisticated, with clear objectives behind them.

A popular way for attackers to attack large organizations is via sophisticated botnets built from IoT devices all over the world.

Attackers take advantage of vulnerabilities in IoT devices such as DVRs, home cameras, surveillance cameras, alarm systems, switches, routers, NAS units, cloud drives, smart TVs, smart appliances and more.

Once a vulnerability in a popular IoT device has been exposed, attackers can infect and compromise thousands of devices very quickly.

When a device is infected, the attackers install a bot on it. With the bot in place it is possible to manipulate the firmware of the IoT device.

Via the bot, the attacker gains Command and Control (C&C) over the device.

The IoT botnet can then easily be operated by the attacker from a centralized management interface.

What can cyber criminals use an IoT botnet for?

The most used attack forms of a large botnet can be:

  • Brute-force password cracking. The attackers brute force CMS systems with large lists of known passwords in the hope of gaining access to database systems.
  • Advanced SQL injection attacks. The IoT devices can be used to attack thousands of login systems in the hope of bypassing the login mechanism and obtaining the entire SQL database of a given site. Afterwards it can be used in a ransomware blackmail attempt.
  • Distributed Denial of Service (DDoS) attacks. These allow attackers to start large-scale HTTP floods, GRE, ETH and IP floods, ACK and SYN floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.
  • Bricking of devices. Permanent Denial of Service (PDoS) attacks exploit firmware vulnerabilities to brick specific devices.
  • Launching exploits to infect new systems with malware and bots, growing the botnet to an even larger scale.
  • IP spoofing attacks. Using the many different IP addresses in specific spoofing attacks to avoid being blocked by firewall / IDS / IPS systems.
  • Vulnerability scanning. Easily scanning large network ranges for known vulnerabilities.

IoT botnets are often controlled via a C&C communication channel such as P2P, UPnP/SSDP, custom HTTP, IRC, Tor, Telnet or SSH.

Large botnets can also be deployed to overload webshops during key campaign seasons such as Christmas and Black Friday.

A hit can be ordered on the dark web by a competitor to shut down competing stores and take all the sales for themselves.

If attackers feel they are being detected or exposed, they can issue a kill switch to kill or brick all the devices used in the botnet in order to hide all traces of their activity.

What can be the countermeasures against IoT devices being compromised and used in botnets?

A good countermeasure is to make sure no IoT device has open access or open ports exposed to the Internet.

Examples are openly accessible webcams, NAS units and cloud drives.

If a device must be accessible on the Internet, the latest patches and firmware versions must be applied.

Next to that, default user accounts such as admin must be renamed where possible to hinder brute-force attacks.

A strong password policy must also be enforced.

It is also recommended to enable 2FA to make it even more difficult for cyber attackers to gain access.

Block services such as FTP, SSH and Telnet, or restrict them so that only trusted IP addresses are allowed to connect.

Be aware of and prepare for a possible future compromise if zero-days are discovered in the IoT device.

Limit the amount of data the device has access to, and that could leak, should a compromise happen.

Have a strong alert system in place that will text or email on login attempts, to make the user aware of possible unauthorized access.
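As an added illustration of the last two countermeasures (this is not code from the original article), the following Python script scans constructed OpenSSH-style auth log lines from an exposed device and raises alerts for brute-force bursts, successful logins from outside an assumed trusted management network, and a successful login that follows failed attempts from the same source. The log sample, the trusted range 192.0.2.0/24 and the failure threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample of an OpenSSH-style auth log from an exposed NAS (not from the page).
SAMPLE_LOG = """\
Mar 10 02:14:01 nas sshd[812]: Failed password for admin from 203.0.113.10 port 51022 ssh2
Mar 10 02:14:02 nas sshd[812]: Failed password for admin from 203.0.113.10 port 51023 ssh2
Mar 10 02:14:03 nas sshd[814]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar 10 02:14:04 nas sshd[815]: Failed password for invalid user support from 198.51.100.7 port 40012 ssh2
Mar 10 02:14:05 nas sshd[816]: Failed password for invalid user guest from 198.51.100.7 port 40013 ssh2
Mar 10 02:14:07 nas sshd[818]: Accepted password for admin from 203.0.113.10 port 51030 ssh2
Mar 10 02:15:00 nas sshd[820]: Accepted publickey for backup from 192.0.2.5 port 60000 ssh2
"""

# Assumed trusted management range: the only place logins are expected from.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPT_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def is_trusted(ip, nets=TRUSTED_NETS):
    # True if the source address lies inside one of the trusted networks.
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def analyse(log_text, fail_threshold=3):
    """Return alert dicts for brute-force bursts, untrusted logins and logins after failures."""
    failures = defaultdict(list)  # source IP -> account names that failed
    alerts = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src].append(user)
            continue
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        user, src = m.groups()
        if not is_trusted(src):
            alerts.append({"type": "untrusted_login", "source": src, "user": user})
        if failures.get(src):
            alerts.append({"type": "login_after_failures", "source": src,
                           "user": user, "failures": len(failures[src])})
    for src, users in failures.items():
        if len(users) >= fail_threshold:
            alerts.append({"type": "brute_force", "source": src,
                           "failures": len(users), "accounts": sorted(set(users))})
    return alerts
```

Each returned dict is what the text or email alert would carry; in practice the script would be fed the live log and the alert handed to a notifier.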

Scan your site for open vulnerable IoT devices with the Cloud Penetrator Web Vulnerability Scanner.