There’s something transfixing about the swirling animations of hurricanes gathering strength. Even for those of us who know nothing about weather science, a graphic from the National Hurricane Center can quickly convey a strong sense of impending doom: something big and dangerous is coming and there’s nothing any of us can do to stop it.
A similar sort of heat map emerged in cybersecurity last week when security firm Check Point posted about a rapidly growing new bot comprised of millions of compromised Internet of Things devices, including several popular models of wireless IP cameras and routers.
According to Check Point’s analysis, the new bot—referred to as both “IoTroop” and, more dramatically, “Reaper”—has already infected more than 1 million organizations across the world and is more sophisticated than the Mirai IoT bot that was used last year to launch a massive denial-of-service attack. Mirai’s makers compromised IoT devices by guessing default usernames and passwords for cameras and routers—a fairly simple, if effective, means of compromise. IoTroop, on the other hand, takes advantage of several different technical vulnerabilities to infect devices made by at least nine different vendors, including Linksys, Netgear, and D-Link.
The Check Point researchers suggest it’s possible that the two bots are the work of the same people, but they caution that IoTroop is growing “at a far greater pace and with more potential damage” than Mirai. Another security firm, Netlab 360, also reported some similarities between the IoTroop and Mirai source code, but it also found that IoTroop was scanning for new devices to infect less aggressively than Mirai. That might sound good, but it means that the bot could avoid detection for longer while recruiting new machines.
So far, whoever is building IoTroop hasn’t actually used it for anything, but the researchers tracking its growth are clearly deeply concerned about the harm it could cause. Check Point warns: “The next cyber hurricane is about to come.” Netlab 360 came up with the Reaper moniker, so it doesn’t seem much more hopeful that the bot will lie dormant permanently. And it’s hard to imagine why anyone would bother to build a massive botnet in this manner if not to cause some sort of harm eventually.
It’s hard to know at this point what form that harm will take. Like Mirai, IoTroop could be used to launch a massive denial-of-service attack. Or, it could be used to distribute ransomware, or to send spam or phishing messages, or merely rented out at an exorbitant hourly rate to anyone who wants to do any of those things.
What’s remarkable about IoTroop is how powerless we seem to feel we are to stop it. After all, IoTroop is not actually a hurricane. We’re not at the mercy of nature here—we’re merely at the mercy of the devices that we ourselves have manufactured, purchased, and failed to protect. To their credit, many of the vendors whose devices are being compromised have released software patches to fix the vulnerabilities that IoTroop is exploiting. (If you’re wondering whether your devices may be vulnerable, Check Point provides a list of all the vendors and products it has identified being recruited by IoTroop, and Brian Krebs provides links to several of those vendors’ security updates and advisories for the relevant vulnerabilities.)
According to both Check Point and Netlab 360, the IoTroop malware is still being updated and revised by its authors. So patching existing vulnerabilities won’t necessarily stop the bot’s creators from taking advantage of new ones—but, frankly, they probably won’t need to. Trying to get people to care about whether their wireless IP cameras or routers are vulnerable or compromised is simply a losing battle, especially when there are no ill effects or dramatic attacks to point to (yet). It’s hard enough to get people to care about whether their personal computers or phones are secure. Anyone who won’t bother to download a security update on their phone or laptop, even with alerts popping up at them on a daily basis, is probably not going to download an update for the wireless router that only think about when it stops working.
So if we really wanted to clean up IoTroop and stop it in its tracks, we would take all of those devices offline before they had a chance to take us offline. We would look to the internet service providers that can monitor traffic patterns and identify compromised machines reporting to bot command-and-control and ask them to cut off service to affected devices until they had been patched. It would make people furious—but that would be the point. It would get their attention and force them to figure out which devices in their homes were infected and what to do to fix them. It would even be the rare circumstance where the fact that there is almost no competition among ISPs might serve as an advantage: They wouldn’t have to fear losing customers.
Needless to say, this will never happen. And perhaps that’s for the best—cutting off internet service to millions of infected devices might be every bit as damaging and disruptive as an IoTroop denial-of-service attack. But just because we’re not willing to go to the lengths necessary to fix this growing threat doesn’t mean it’s unstoppable. And at some point, somewhere down the road after witnessing even bigger, more damaging attacks, we may decide that the high price of remediation is well worth it.