Botnets: The Dangerous Downside of the Internet of Things

Written by Bernard Marr

The Internet of Things (IoT) is the name given to the relatively new technology that connects everyday objects and devices to the web to provide additional data or functionality. But in the race to create that next “it” product that no one can live without (smart fry pans anyone?), manufacturers and users are creating dangerous side effects known as botnets.

The term botnet simply means a group of internet-connected devices controlled by a central system. But the term is most often used in conjunction with a particular type of malicious hacking, especially Distributed Denial of Service Attacks (DDoS attacks). In this case, a hacker uses a large botnet group of internet-connected devices to flood a website or network resource with fake requests so that legitimate users cannot access it.

By using a botnet with hundreds or even thousands of devices, all with their own unique IP addresses, the hacker makes it almost impossible to stop the attack or distinguish legitimate users from fake ones.

Now, botnets are not new. Since as early as 2000, hackers have been using botnets by gaining access to unsecured devices (usually computers then) in order to create these DDoS attacks. But the Internet of Things has made the problem much worse.

The market has been flooded with inexpensive devices — webcams, baby monitors, thermostats, and yes, even yoga mats and fry pans — that connect to the Internet, each of which has its own IP address. But these devices have little or no built-in security, and even when they do, users often neglect to even take the basic step of setting a password for them.

That makes them easy targets for hackers wanting to create and use a botnet.

Screen displaying activities of a ‘botnet’ attack (Photo BORIS ROESSLER/AFP/Getty Images)

In October of 2016, a botnet comprised of an estimated 100,000 unsecured IoT devices took an integral Internet infrastructure provider, Dyn, partially offline. As a result, many high-profile and high-traffic websites, including Netflix and Twitter, disappeared from the Internet for a short time.

The botnet that accomplished this feat was created with malware called Mirai that automates the process of co-opting these unsecured devices — and is publicly available. In other words, this wasn’t some genius hacker writing a new and innovative bit of code, but rather someone putting what already exists to new uses. And all those many devices that were infected with Mirai? They can continue to be used until the owners throw them out.

DDoS attacks like this aren’t the only ways in which botnets can be used by hackers. They can be used to perpetrate click fraud (defrauding online advertising services which pay by the click), evade spam filters, speed up password guessing, mine Bitcoins, or really anything else that would require a large network of computers working together.

In fact, it’s something of an open secret that criminal organizations can rent time on a botnet to perform whatever task they like.

The best solution would be to ensure that all IoT devices run on secure software, but the likelihood of that is slim. Most IoT devices aren’t designed with security in mind (who cares if someone sees the data from your fry pan, right?) and have no way of being patched to add additional security. And there are millions of devices already in use and being made and sold.

Because the use and manufacture of IoT devices are expected to grow exponentially over the next few years, the problem of botnets is also likely to grow. And the security measures we have that are at least somewhat effective against them now will quickly be outwitted and outmoded by the attackers.


Comments (2)

    Jeff Greenwell


    The upside to IoT and a completely distributed network is that the government cannot control it. There is no on/off switch for a distributed network. The downside of it is that vulnerabilities can be exploited on a massive scale. I design and build software for embedded energy devices, some of which are IoT. As we work through our cyber security evaluations, it becomes more and more clear, IoT scares the hell out of me, and if I’m scared, others should be really concerned. I have been doing this stuff for a living for a very long time now.

      Jeff Greenwell


      Oh, and by the way, on the Internet, there is no such thing as “secure”. Much like the complexities of climate, so are the layers of hardware and software, from the physical transport layers, to the microcoding, to the hardware design, up through the firmware, through the middleware and all the way through the HMI (machine human interface) layer, there are potentially infinite layers of vulnerability. It only takes a single pinhole in just one of those layers and the entire stack becomes vulnerable. “Security” is impossible in this realm.
