The internet of things (IoT) has created a new domain for botnet developers to compete and thrive in. Already, there they battle one another for devices while their victims contend with persisting infections. But the involvement of a well-known file-sharing technology, peer-to-peer (P2P) networking, into the mix can further complicate matters.
A typical IoT botnet consists of numerous infected devices (bots) connected to a command-and-control (C&C) server from where cybercriminals run the entire botnet. This means that taking down the C&C server incapacitates the botnet, no matter how many devices it is made up of. The introduction of P2P networking into IoT botnets removes this solution.
P2P networking, after all, allows computers to connect to one another without the need for a central server. In practice, this means that to take down a P2P IoT botnet, defenders would have to clean each of the infected devices — a much more tedious and nearly impossible task since the best botnets are known for using thousands of devices.
In our technical brief, we discuss five P2P IoT botnet malware families that have been deployed in the past and compare the pace with which P2P networking has been developed into malware between Windows and IoT environments. Here we discuss the implications of P2P IoT botnets and the direction cybercriminals might continue to take with this threat.
Impact and future
You may be wondering: Why are there only five P2P IoT botnet malware families if they provide such a good way of keeping a botnet alive for a very long time? Let’s analyze for a moment what the purpose of an IoT botnet really is.
Monetization is the key to predict the path of P2P IoT botnets. For cybercriminals to continue developing and implementing more complex botnets, they need to find a way to make money out of their efforts. Based on today’s IoT botnets, the common way this threat is monetized is through the inclusion of third-party attacks — in the form of distributed denial-of-service (DDoS) attacks — and VPN services.
For P2P IoT botnets to become prevalent, cybercriminals would need to find an even better way of monetizing these infected routers. We surmise that cybercriminals will shift their focus to making money off the infected router’s network instead of using the router as a mere internet-connected device.
Infecting routers for other attacks
The chief target of IoT botnets are home routers. What makes routers a good target is their position as entryways into home networks. An infected router could allow cybercriminals to conduct more damaging activities, such as man-in-the-middle (MitM) attacks and information theft. Cybercriminals could also opt to inject malicious elements into the return traffic.
For example, the router could also serve as a foothold for cybercriminals to move laterally to other unsecure devices on the network. By using the router in this way, attackers would not need to intercept the traffic to conduct lateral movement and have to deal with the challenge brought by TLS (Transport Layer Security) encryption. This scheme is somewhat in line with modern ransomware approaches or advanced persistent threat (APT) intrusions.
Through lateral movement, a cybercriminal would not need to choose between infecting a router and infecting an individual computer. A compromised router could allow the attacker to take over other poorly secured devices in the network, including computers.
How possible are these scenarios?
Difficult though they may be to pull off, the point of discussing scenarios is that they are possible. Botnet malware would need to intercept traffic coming from inside the network and inject arbitrary elements into every webpage it returns. From a technical perspective, this entails tampering with a router’s protocol stack, which, while tricky, can be done. Cybercriminals could also opt to look at the webpage logs accessed by users for the valuable information they hold, which is relatively easier to do than tampering with a router’s protocol stack.
The past, the present, and the future of IoT botnets
P2P networking shows a glimpse of how IoT botnets can further evolve to become a truly formidable threat. This builds on research we previously did on the subject. In our paper “Worm Wars: The Botnet Battle for IoT Territory,” we went through the codebases from which most of today’s IoT botnet malware families originated. More importantly, we showed how active botnet developers had been in competition with one another over unsecure devices. Our case study on VPNFilter, meanwhile, highlighted how infections could not truly be cleaned as they could still exist in some way in the device and carry risks even as operations behind them had long been taken down.
Already from these previous studies, we can see the challenges posed by IoT botnets. P2P IoT botnets compound these characteristics by opening the possibility of an unkillable botnet, through the lack of a central server from which to take them down. The addition of the monetization techniques discussed here to uncleanable and unkillable botnets could radically change IoT malware.
While most of these attacks center on home routers or household devices, organizations should not fail to see the relevance to their own security. Nowadays, when remote work is the norm, it has become much harder to discern the line separating home networks from corporate networks, and therefore the line separating consumer attacks from attacks on organizations as well. Attackers could opt to target the often less secure home networks and routers as a way to reach higher, more valuable targets.
The aforementioned forward-looking scenarios perhaps may never come to happen, but what’s sure is that P2P IoT botnets are already here and pose a real danger to enterprises and home users alike. Organizations and individuals all need to shift their mindsets into believing that protecting their routers is as important as defending their desktop and laptop computers.
What should companies and home users do in the short term? How can they prevent their routers from getting infected? They can begin with these steps: