Botnets made from the Internet of Things pose problems and present opportunities

Botnets are wreaking havoc on the Internet. The primary enabler of botnets is the Internet of Things (IoT). That enabler role must be tamed.


As the joke goes: on the Internet, no one knows you're a dog.
These days it should be reworded to say no one knows you're a bot.

Bots are nearly as old as the Internet itself. What's new about the IoT is that IoT devices are essentially invisible to their owners, and almost all owners are unaware of what a compromised IoT device can do or how to prevent the compromise in the first place. Billions of IoT devices are sold and installed each year. At present, most are accessible to bot herders. The hardware industry has created a monster. As of late 2018, bot herders' exploitation of IoT devices is largely confined to DDoS attacks, either launched by the bot herders themselves or "rented out" to wannabe attackers.

In 2016, unprecedented distributed denial-of-service (DDoS) attacks were launched by a botnet named "Mirai" that seeks out and enrolls poorly secured IoT devices such as security cameras, digital video recorders and Internet routers. A derivative of the Mirai botnet then blackmailed at least three large financial institutions. Another troublesome botnet, named "WireX", was created for Android devices. WireX first appeared on August 2, 2017, when hacked Android devices conducted some relatively small online attacks. "Less than two weeks later, however, the number of infected Android devices enslaved by WireX had ballooned to the tens of thousands." Several large industry players, including Google, Akamai, Cloudflare, and Flashpoint, quickly combined forces to take it down.

Highly visible botnets like Mirai and WireX generate immediate responses from authorities and industry. A more subtle exploitation of botnets uses the idle CPU cycles of captured IoT devices, Android devices, or the many other easily compromised computers to anonymously mine cryptocurrency. The captured bot devices work silently and surreptitiously for a botnet owner during the 99% of the time the IoT devices are otherwise idle, and send the valuable resulting bitcoins to the bot herder as they are found. The same technique could be applied to machine learning computations.

IoT devices are being inserted willy-nilly into hundreds of different products. Relatively few purchasers are aware that the products contain a general-purpose computer that can easily be hacked, let alone how to secure the devices. Home hubs and routers should, in any case, insulate these devices from the Internet at large. Kaspersky Lab has begun looking at such issues in the IoT. Their findings are startling, especially given Kaspersky's relationship with Russian Intelligence. What they are finding about American IoT vulnerabilities would be quite useful in a Russian cyber-attack on US elections, electric power infrastructure, or commerce.

Best practices for end users to reduce the risk of being recruited into a botnet include: regularly updating devices with the latest firmware; changing devices' default credentials; using intrusion detection and prevention systems; and being wary of known attack vectors, such as unsolicited emails. Needless to say, naive, digitally illiterate consumers do not follow such guidelines. Therein lies an interesting opportunity for makers of IoT devices -- IoT as a service! Manufacturers of IoT devices could take on the responsibility for keeping the devices safe and, in return, use the idle time of the devices for money-making computing services such as cryptocurrency mining. They could also rebate a portion of the profits to the consumers. This business model would benefit everyone. The "first movers" into the business model might very well become the giant corporations of the future cyber world.

A similar business model is already provided by WinMiner. To play the role proposed here, WinMiner would only need to take logical custody of your IoT devices via the Internet, manage the Internet security of those devices, and also ensure that they could play their designated IoT role when needed.
Last revised 9/4/2018