Column: The rise of IoT botnets

May 4, 2018

The rise of IoT botnets – why cyber hygiene remains an issue    
by Karine e Silva, PhD Candidate BotLeg Project/ TILT, TiUKarine%20e%20Silva_0.jpg

You may not be aware, but your device’s processing power could be launching an attack somewhere in the world right now. Put differently, your device could be part of a botnet, a network of compromised devices manipulated from a remote location. The interesting part is that, contrary to infections that bug the owner of the device, a botnet is almost unnoticeable to the host. The infection is made to run in the background, without hurting the normal functioning of the system. Sophisticated forms of botnets continue to be one of the most pervasive threats to the stability of the Internet and its spread to other areas of technology are worrisome.

The spread of Mirai, the first large-scale IoT botnet publicized, spawned a turmoil in the cybersecurity community. Although IoT devices had long been reported as a ticking bomb: the level of security embodied in the technology was questionable and a spur of threats against IoT was envisioned. In 2016, Mirai emerged as a powerful, remote network affecting cameras and routers, causing massive disruptions worldwide. The attacks emerging from Mirai paralyzed more than 900.000 Deutsche Telekom customers, a prominent cybersecurity website, and the telecommunications infrastructure of Liberia. Several developments made these outages possible, including the leaking of the Mirai source code, what allowed other cybercriminals to create powerful and resilient versions of the original botnet. By November 2016 Mirai had already compromised a total of 5 million devices and new forms of the botnet have emerged since. 

The IoT is part of our daily lives and is expected to become a natural, embedded infrastructure at the root of the simplest activities. Smart fridges, ovens, cars, wearables, etc., aim to minimize the burden of decision making and help us minimize the time we spent in repetitive tasks. The wonders (and pitfalls) of IoT come entrenched in the challenges that we have long faced in other connected environments. Various elements make the Internet a prolific environment for threats, but I will focus on two. One, cybersecurity standards, especially those practiced in the IoT, are criticized for being insufficiently low. Two, users make poor cybersecurity decisions in their work and home environments for lack of better understanding, training, and rational constraints. 

This brings me to the discussion of cybersecurity as a shared responsibility. The theory of cybersecurity is marked by the concept of shared responsibility. In cybersecurity literature, multistakeholderism is a pre-requisite for successful cybersecurity. This concept that cybersecurity is a collective effort is grounded on the fact that the functioning of the Internet is made possible by public and private infrastructures. The Internet is managed a large variety of actors, making it a special case when it comes to critical infrastructure. These multistakeholders, each at their own stance, can influence the outcome of a security threat based on the decisions made at their control level. When we think of digital environments, multiple actors perform both the role of regulator and regulated agent: they are at the same time managing a network and defining how the network will operate. This phenomenon has a unique potential: those who manage networks (such as Internet intermediaries) have an actual regulatory position and can influence how we experience cybersecurity (for the good and for the bad). 

Following the premise of multistakeholderism, States, businesses, and citizens alike are called upon to exercise their fair share of responsibility and will be held accountable (legally or morally) for failing to meet these standards. In the EU, States carry out the responsibility for implementing cybersecurity legislation and monitoring its application. Businesses are bound by national and EU regulation determining the technical standards of cybersecurity to be observed in the development of products. Likewise, procedures are responsible for reporting security incidents and respect the protection of our personal data. But it does not end here. We are reasonably expected to keep our devices up to date. Individuals must refrain from engaging in activities that undermine public security. The moment our personal devices become a host cell, we become a vector of cybercrime, and undermine the efforts made by other stakeholders in the chain. In sum, cybersecurity is a goal that is only achievable as long as all actors involved take ownership of their fair share (of the problem and the solution). 

The final question is: how are we, as a community, contributing to cybersecurity? As individuals, we may not have a direct legal obligation to update our devices, search for secure ways to transmit data, or invest in personal cybersecurity devices. But we still have the moral duty to make decisions that are in the benefit of our community and to avoid becoming a liability for others. So, what are you giving back to our Internet community?