IoT Botnets Are Growing—and Up for Hire
When anyone can make use of a burgeoning army of rogue connected devices for a fee, the threat of a crippled Internet is more real than ever.
The army of Internet-connected devices being corralled and controlled to take down online services is active, growing—and up for grabs.
Internet of things botnets—collections of devices hacked to work with one another to send debilitating surges of data to servers—have been blamed for several recent Internet failures. Most notably, the servers of domain name system host Dyn were taken down last month, affecting connectivity across large swaths of the East Coast of the U.S.
But hackers appear to be making attempts to swell the ranks of their botnet armies and offer their services for a fee, which could make future attacks far more serious.
The German telephone provider Deutsche Telekom has reported that nearly one million of its users suffered Internet outages this week as a result of a failed attempt to recruit the company's routers as devices for a botnet. According to an independent security researcher who spoke with Motherboard, the total number of devices employed in IoT botnets could now be in excess of 500,000.
Earlier this month, Ars Technica reported that a new piece of botnet software was able to commandeer 3,500 devices in the space of five days. It’s not clear, though, at what pace these systems will continue to grow. Most of the devices currently employed by hackers seem to be older, less secure hardware that’s easy to compromise. It may be harder, and take longer, to add your latest smart home hardware to the army—though it may not be impossible.
For now, though, some hackers appear to be trying to monetize their IoT botnets. Last month, Forbes reported that a 100,000-device system could be employed for $7,500. Now, another pair of hackers has put up the botnet that they control for hire, claiming to have as many as 400,000 devices to level at servers. Hiring 50,000 devices to perform an attack is reported to cost between $3,000 and $4,000, according to the site Bleeping Computer.
The same site reports that researchers have noticed that the latest version of the malware used to create the 400,000-device botnet, which is thought to be the same one used to try to take Liberia offline earlier this month, has a new trick up its sleeve. It seems able to provide fake IP addresses for the devices it’s using, which will make it substantially harder to block when used in the future.
Earlier this year, security expert Bruce Schneier argued that someone, somewhere was “learning how to take down the Internet” using these kinds of attacks. And this month at a Congressional hearing about the threat, he appealed to the government to intervene, explaining that “the market really can’t fix this ... the government has to get involved. [W]hat I need are some good regulations.”
With hackers realizing that other parties may be interested in taking advantage of their hard-won armies, the stakes ratchet up. If something isn’t done to stamp out these botnets, Schneier's apocalyptic predictions may yet come true.
(Read more: Reuters, Motherboard, Bleeping Computer, “The Internet of Things Goes Rogue,” “Massive Internet Outage Could Be a Sign of Things to Come,” “Smart Lightbulbs Could Plunge the Internet Into Darkness”)