California Connected-Devices Bill: Is it enough to Stop IoT Botnets?
It was recently announced that the State of California is introducing new legislation which amongst other requirements, will effectively ban the use of weak passwords on internet-enabled devices. The law will come into force in 2020 and means manufacturers of Internet-of-Things (IoT) devices will no longer be able to program their products with default or generic passwords, which have notoriously been exploited by cybercriminals. The move has sparked wide-scale media attention with many industry experts saying the legislation brings us one step closer to helping improve the security of mass produced connected devices also known as IoTs.
Following the announcement of the California Bill, the UK government last week also announced a new Code of Practice for consumer IoT security. The Code of Practice sets out practical steps for IoT manufacturers to improve the security of their products including the guideline of no default or weak passwords. The government specifically points out that the Code of Practice will help mitigate against the threat of Distributed Denial of Service (DDoS) attacks that can be launched from poorly secured IoT devices and services.
But will these government initiatives on different sides of the Atlantic be enough to prevent cybercriminals from recruiting IoT devices into botnets?
Taking Aim at IoT Botnets
Unsecured IoT devices offer huge spoils for malicious attackers, giving them the potential to harness thousands of devices and turn them into a botnet army. One of the most infamous botnets in recent years is Mirai and its derivatives. The Mirai botnet first came to light in 2016 and even today it is still amongst those widely used by cybercriminals, with attackers advertising access to botnets on social media sites like Instagram.
In 2016 the Mirai botnet was reported as being responsible for carrying out a huge DDoS attack against DNS provider DYN, which, as a result, also knocked out the websites of many major brands including Twitter, Netflix and Airbnb. The botnet recruited IoT devices by using a table of more than 60 common factory default usernames and passwords to log into vulnerable IoT devices and infect them with the Mirai malware.
The new California legislation and UK government Code of Practice should make it harder for cybercriminals to recruit IoT devices using default passwords, in the same way the actors behind early Mirai did. However, it will not stop consumers assigning too-easy to guess passwords to their devices when they get they install them. Attackers are all too aware of this behaviour and also maintain lists of the most common consumer assigned passwords like “password” or “123”.
Additionally, IoT devices may still suffer from basic security flaws and it is precisely this lack of security that makes them so vulnerable to hackers. It is not just a password problem anymore. Many bad actors and Mirai variants can recruit IoT devices via known vulnerabilities in their software stacks, many of which are patched or up-to-date.
The new California State legislation and UK government Code of Practice should be praised as they are both positive steps in the right direction for reducing what has become a significant cyber security issue over the past few years. However, we are unlikely to see a measurable reduction in cyber crime perpetrated on the back of weakly secured IoT devices. Firstly, the California legislation will only apply to a small percentage of IoT devices sold around the globe, additionally, it will not be enforced until 2020. Secondly, we have already seen the original Mirai botnet, which leveraged weak static passwords, morph into multiple variants which use notably more sophisticated vulnerabilities to gain control of IoT devices.
Given this reality, organizations should seek to protect their networks from DDoS attacks fuelled by IoT-driven botnets by deploying an in-line, real-time, automated solution at the network edge, which can detect unusual network activity including IoT based attacks and prevent such threats from entering a network.