With very good comes a bad. True, I very well remember the early 2000s when a technology that connects everyday objects and devices to the web to provide additional data or functionality, named IoT was introduced and following it came its evil; botnet. Botnets are armies of computers that have been commanded by online criminals to steal information, spread malware, send spam or launch a distributed denial of services (DDoS)attacks. By now the botnet has grown for than 10 years and so are its number of attacks. The August 2017 Spamphus project report shows that China is the worst botnet infected country with around 16 lacs number of bots and following it is our India with approximately 15 lacs number of bots.
Ranging from light switches, smart home thermostats, connected tea pots to other everyday machines, the number of connected objects will soon reach to 20.8 billion by 2020 ( as predicted by Gartner) and if all these connected things suffer from the security flaw than an unmitigated disaster is soon waiting to happen. So, in order to avoid it, following precautions can be taken.
Bug bounty programs: Botnets spread by exploiting vulnerabilities in software and hardware and many companies producing IoT devices do not have the capabilities to find and address these vulnerabilities in their products. The Bug Bounty Programs help the companies to do independent cyber security research and finding out the vulnerabilities. The companies like Microsoft, Uber to small businesses, all can take advantage of this program to secure their products from botnet attacks.
Unique and hard passwords: Markets are being flooded with the devices which on connection with the internet increases your convenience manifold and all these devices have their own IP address with little or no in-built security. Even the users neglect the basic step of stepping up a password for the devices. Here, the hacker gets easy chance to create or use a botnet in your device. Sometimes, the companies hardwired the default passwords into the devices making it impossible for users to change into something unique after purchase. Therefore, it is advised to the sellers to always keep the flexibility to set a unique id and password for the devices bought by buyers and indeed, buyers should strictly do so.
Know your devices and security features in it: It becomes the duty of the seller to make their buyer know about the security features of the IoT devices they have bought. They must educate them about all the features enabled by default in it and how they work. For example; they should be told about how and from which all devices it is good or safe to share data. Vendors should include instructions on how to enable AP Isolation mode on the guest or user’s home network so that hacked IoT device can be kept away from other devices.
Establish a support window: The vendors of the IoT devices can actually gain the trust of their customers by establishing a life-long support window for their devices. Here, the buyers get information of how to proceed with their device and further protect it in case of any detection of a botnet attack.
Thus, we see mitigating the risk of botnets requires some basic action. It is more about being aware and keeps a check at all levels of the product development or use.