In a recent Slate editorial, tech academic Josephine Wolff compared a rapidly growing new botnet made up of millions of compromised Internet of Things (IoT) devices to the frightening anticipation of a hurricane gathering strength.
Wolff said a similar sense of impending doom was evident in Check Point Research’s recent blog post on the fast-growing new botnet, which Check Point dubs “IoTroop”. IoTroop is apparently recruiting IoT devices at a much faster pace, and with far greater potential for imminent damage, than 2016’s Mirai botnet, which was used to launch a huge distributed denial-of-service (DDoS) attack from “enslaved” IoT devices such as security cameras, digital video recorders and wireless routers. As a result, many of the world’s top websites were taken down for the day, including Twitter, SoundCloud and Reddit.
The Mirai botnet attack was made possible because Mirai’s makers compromised IoT devices (especially cameras and routers) by guessing default usernames and passwords. IoTroop, however, exploits various technical vulnerabilities to infect devices made by multiple vendors, including Linksys, Synology and NETGEAR. According to the research company’s analysis, the new botnet, “IoTroop”, has already infected over 1 million organizations worldwide.
The Check Point researchers (based out of Israel) say that “technical aspects” lead them to suspect a possible connection to Mirai and its developers, but they believe this campaign is far more sophisticated and far-reaching. Warning signs were first picked up by Check Point’s Intrusion Prevention System (IPS) at the end of September, and a rapidly growing number of attempts by hackers to exploit vulnerabilities in IoT devices have been seen since. It has become clear that the attempted attacks are emanating from a wide variety of sources and IoT devices, meaning that compromised IoT devices are themselves once again being used to spread the attack, and its potential damage, further.
To date, IoTroop hasn’t actually been used for an attack, but the researchers tracking it are greatly concerned about the harm it could present. Check Point warns: “The next cyber hurricane is about to come.” The form that cyber hurricane will take is hard to predict. As in the case of Mirai, IoTroop could be employed to launch a massive denial-of-service attack resulting in widespread Internet disruption. Alternatively, it could distribute ransomware to other vulnerable devices, send phishing messages or spam, or perhaps most worryingly, be rented out to anyone wanting to do any of those things. Hacked IoT devices can also be used as jumping-off points for exploiting other devices within compromised corporate networks.
As Wolff points out, unlike a hurricane, we’re not at the mercy of nature here—“we’re merely at the mercy of the devices that we ourselves have manufactured, purchased, and failed to protect.” Many of the vendors with compromised devices have issued software patches to repair the vulnerabilities that IoTroop is exploiting. For those concerned it might be affecting them, Check Point provides a list of all the vendors and products it has identified being recruited by IoTroop, here.
Chinese security firm Netlab 360 also recently wrote a blog post about its tracking of the new IoT botnet, which it is dramatically calling “IoT_reaper”. The researchers note various similarities with the Mirai code; however, they also highlight several key differences, including the fact that “Reaper” tries to enlist new recruits more discreetly and thus fly under the radar of security tools looking for suspicious activity on local networks.
According to both Check Point and Netlab 360, the IoTroop malware is still in the process of being updated and revised by its authors. Patching existing vulnerabilities won’t stop the bot’s creators from exploiting new ones. Indeed, as Wolff points out, it’s difficult to get users of wireless IP cameras or routers to do updates at all, especially when there are no dramatic attacks to point out (yet).
One drastic solution that would really stop IoTroop (or “Reaper”) in its tracks would be for all IoT devices to be taken offline before someone else does it for us. We could ask the Internet service providers that monitor traffic patterns to identify compromised machines reporting to bot command-and-control servers, and ask them to cut off service to affected devices until they were patched. This would get people’s attention and force them to work out whether they have infected devices in their homes and take action to fix them. While it’s unlikely anyone is going to do this right now, several attacks down the line such drastic solutions may ultimately prove deeply necessary.
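The suggestion above, that a provider could spot compromised devices from their traffic patterns, rests on a simple observation: a bot checking in with its command-and-control server tends to contact the same address at near-constant intervals, while ordinary browsing does not. The script below is an added illustration of that detection idea, not code from Check Point, Netlab 360 or Wolff. The flow records, the blocklist entry and all addresses are constructed placeholders (documentation IP ranges), and the thresholds are assumptions a real deployment would tune.

```python
"""Flag devices in flow logs whose traffic looks like bot check-ins with a C2 server."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow records: timestamp, source IP, destination IP, port, bytes.
# 192.0.2.10 contacts one host every five minutes (beacon-like);
# 192.0.2.11 browses irregularly; 192.0.2.12 contacts a blocklisted address.
SAMPLE_FLOWS = """\
2017-10-20T10:00:00 192.0.2.10 203.0.113.5 80 512
2017-10-20T10:00:05 192.0.2.11 198.51.100.7 443 2048
2017-10-20T10:05:00 192.0.2.10 203.0.113.5 80 510
2017-10-20T10:10:01 192.0.2.10 203.0.113.5 80 514
2017-10-20T10:11:30 192.0.2.11 198.51.100.9 443 9000
2017-10-20T10:15:00 192.0.2.10 203.0.113.5 80 511
2017-10-20T10:17:45 192.0.2.11 198.51.100.7 443 120
2017-10-20T10:20:00 192.0.2.10 203.0.113.5 80 513
2017-10-20T10:22:00 192.0.2.12 203.0.113.99 8080 300
"""

# Hypothetical blocklist of known C2 addresses (placeholder value, not a real indicator).
KNOWN_C2 = {"203.0.113.99"}


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows


def find_beacons(flows, min_contacts=4, max_cv=0.1):
    """Return {src: dst} for sources whose gaps between contacts to dst are nearly constant.

    The coefficient of variation (stdev / mean) of the inter-contact gaps is used as the
    regularity measure; human-driven traffic has a much higher spread than a timer.
    """
    times = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        times[(src, dst)].append(ts)
    beacons = {}
    for (src, dst), stamps in times.items():
        if len(stamps) < min_contacts:
            continue  # too few observations to call it periodic
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[src] = dst
    return beacons


def find_blocklisted(flows, blocklist=KNOWN_C2):
    """Return {src: dst} for any source that talked to a blocklisted destination."""
    return {src: dst for _ts, src, dst, _port, _nbytes in flows if dst in blocklist}


def suspect_devices(text):
    """Combine both checks into one map of device -> suspected C2 address."""
    flows = parse_flows(text)
    suspects = find_blocklisted(flows)
    suspects.update(find_beacons(flows))
    return suspects


if __name__ == "__main__":
    for src, dst in sorted(suspect_devices(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst}: candidate for quarantine until patched")
```

On the constructed sample the periodic device and the one talking to the blocklisted address are flagged, while the irregular browser is not. Regularity alone produces false positives (NTP clients, software update checks), which is why a provider would pair it with threat intelligence and notify the customer rather than cut service on the first hit.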