A Future Ruled by the "Botnet of Things"?

In October of last year, botnets (an interconnected group of electronic devices under the control of a botmaster, or botherder, who can then use the bot army to steal information or carry out scams on a massive scale) made headlines as the instrument behind a distributed denial of service (DDoS) attack against domain name system (DNS) provider Dyn that took dozens of websites, including Amazon, Netflix, Spotify, Twitter, and even the Swedish government, offline for hours. The explosive growth of the Internet of Things (IoT) has been a boon to botnets. Over the past decade, the IoT industry has expanded dramatically, with the FTC predicting that there will be 50 billion connected “things” by 2020. The proliferation of IoT devices means that there are more potential victims for botmasters to infect. In response to a Request for Comment from the National Telecommunications and Information Administration (NTIA), OTI offered seven recommendations for addressing the threats posed by botnets:

1. Use bug bounty programs to reduce vulnerabilities in IoT products

Botnets spread by exploiting vulnerabilities in software and hardware, but many companies that are producing new IoT devices do not have the information security capabilities to find and address vulnerabilities in their products. Hundreds of companies, ranging from Microsoft to Uber, have turned to independent cybersecurity researchers via “Bug Bounty Programs” to help find more vulnerabilities, securing their products from botnet attacks. Some of these programs pay out cash rewards, but others just offer “swag” or recognition - making this valuable anti-botnet tool accessible for even small IoT companies without Microsoft-level capital.

2. Design devices such that they can be patched and updated

Vulnerabilities are to be expected in hardware and software development, and development and issuance of patches is key to maintaining secure products in the long term. However, low-power batteries in many inexpensive IoT devices are unable to support the demands of downloading an update through an encrypted link, meaning the device cannot be patched safely. Even when a device can be patched securely over Wi-Fi, users frequently neglect to do so for many reasons, sometimes because they were not aware that an update was available, or because they dislike other changes included in the update, such as a different user interface. Vendors should provide or recommend tools to IoT device owners that notifies them of updates and assists with their installation, such as those submitted to the FTC’s IoT Home Inspector Challenge, and should develop the ability to automatically push updates whenever possible.

3. Ship items with unique, random credentials, and let users customize login information

When you buy a new IoT device, it often comes with a common default password, making it easy to hack. Even worse, sometimes these default passwords are hardwired into the device, meaning that the user can’t change it to something unique after purchase. The Department of Homeland Security has recommended that devices be sold with “unique, hard to crack default usernames and passwords” in order to protect them from this type of attack. Vendors can also suggest or require users to create new passwords when setting up a device, or provide clear instructions on how to change credentials after setup.

4. Establish clear support windows and end-of-life procedures

In order to make IoT devices more secure against botnet attacks, vendors must establish end-of-life plans. This includes establishing the extent of the support window (if there is one) after which the device will no longer receive patches, and conveying that information to users so that they can decide how to proceed. A device like a fitness tracker can have a much shorter support window than a smart refrigerator, which should have security support for the lifespan of the appliance. Support windows, and clear consumer education about them, are crucial to protect all of these devices against botnet attacks.

5. Let users know which security features are available to them on a device—and which are not

In order to make IoT devices more secure against botnet attacks, users should be made aware of the security features are available to them on the device, including those enabled by default. They should also be provided with information that explains what these features are, and why they are important.  For example, if their data is transmitted with end-to-end encryption, and what this means, so that they may make educated decisions about how they share data.

6. Connect consciously

In order to make IoT devices more secure against botnet attacks, vendors should be conscious of the potential threats of connecting a device to the internet. Vendors should make clear which protocol a device uses, its security risks, and what data is stored or transferred. For devices that do not require internet connectivity for their core functionality, vendors should consider allowing users to selectively toggle the device’s connection on and off without powering down the device itself or utilizing a different method of connectivity. Vendors can also include instructions on how to enable AP Isolation mode on the guest network on a user's home network router, preventing a hacked IoT device from being able to infect other devices on that network.

7. Support the products that implement best practices

The federal government can commit itself to the use of secure IoT devices that meet certain security standards, and support states and municipalities that do the same. Experts estimate that 2.3 billion devices will be connected in “smart city” infrastructures by the end of 2017, and the smart city IoT market will reach $930 billion to $1.7 trillion by 2025. Giving lucrative government contracts only to vendors practicing effective security practices both protects government technology from attack and incentivizes companies who want to work with the government to improve the security of their products.

Secure endpoints—that is, IoT products and the company servers with which they communicate—are just one part of the solution. Mitigating the threat of botnets requires taking action at the technological and human level. Security needs to be a considered at all stages of product design and use, including when consumers are making decisions about how to use IoT products in their cars and kitchens, in their private life and in public spaces, whether it’s a simple sensor in a doorbell or the interconnected systems powering a smart city. Vendors need to make their products more secure by eliminating dangerous vulnerabilities, ensuring that devices can be patched and updated, and installing security features like encryption. Users need to be educated about which features exist, how they work, and why they are important. Governments need to model good security practices by purchasing IoT technology with the security features necessary to protect their networks, and to incentivize companies to improve the security of their products. Only when stakeholders work together can we address the threat of “botnets of things.”