Internet of Zombies: How the IoT trend might lead to botnets

The internet has now become so versatile that companies have begun to get creative with how they use it. Enter the Internet of Things, a trend that involves giving everyday items the ability to connect to the internet. Everything from refrigerators to thermostats are now part of the IoT. While this trend certainly has its benefits, it's still struggling with security. 

Certain hackers have even begun to figure out how to use these devices in order to create botnets, or collections of connected gadgets that can be used to attack a target. So, what does the average consumer need to know about IoT security, and how can they avoid becoming part of a botnet?

Lizard Squad attack was huge

"The most likely attack vector here is default passwords."

To understand this problem, you must first be introduced to what a motivated cyber criminal can do. The most recent of these would be the LizardStresser botnet attack that was levied against institutions in Brazil and the U.S. This particular incident was a distributed denial of service attack, which is basically where a hacker uses all of the machines under his control to send massive amounts of data to his victim's servers. These computers simply aren't able to handle the onslaught and often crash as a result. 

However, this aggressive move was unique. Aside from the fact that it utilized IoT devices rather than conventional computers, it was also found to be a 400 gigabits per second attack, according to ComputerWeekly's Warwick Ashford. To put that into context, Oliver Cragg of the International Business Times reported on a 470Gbps attack that has been considered by many to be the largest on record to date. 

While the LizardStresser incident is certainly terrifying in scale, the reason this is relevant to you is how the hackers ended up gaining control over these IoT devices. The most likely attack vector here is the default passwords that these gadgets often come with. When a manufacturer makes a connected machine, they also have to test it to ensure it works. This means that they need administrative privileges, so they'll often program in default passwords.

The issue with this is that people very often don't change these passwords when they bring the device home. This means that a hacker can often find these login credentials online, or even use a computer to guess common phrases until they have access. Due to the IoT's relatively new notoriety, coupled with the fact that people often don't understand the need for securing devices that aren't traditional computers, cyber criminals can compromise a large swath of devices without much effort. 

Hackers are looking to compromise your IoT gadgets. Hackers can compromise IoT devices to leverage DDoS attacks.

More IoT devices = more targets

Computer science in general is all about taking the path of least resistance, and hacking is no exception. So, it makes sense that cyber criminals would target an attack vector that is not only unsecured but also extremely numerous. This last point is going to majorly affect the IoT's security in the years to come, as industry experts agree that this trend is only going to get larger. 

Exactly how many gadgets will be under the IoT banner in the future is a topic of hot debate, but it's reasonable to assume this number is certainly going to increase quite a bit. Gartner has predicted there to be more than 20 billion IoT devices up and running by 2020. That's a huge amount of machines to play with. If only a fraction of those are left unguarded or protected by default passwords then a hacker could recruit as large of a botnet as he desired. 

Users need to know the risks

The IoT is an incredible advancement, and just because there are some issues here doesn't mean you should avoid the trend altogether. There's clearly a major danger here that the industry itself needs to address, but at the end of the day, people need to take responsibility for the security of their own devices. 

The best way that you can protect yourself is to change the default password on any gadget that you purchase. Hackers are relying on you either forgetting about doing this or simply not caring, and they will exploit this for personal gain. 

Total Defense

What We Have to Say:

Related Anti Virus Articles

Read More


Common scams hackers use to get your personal information

Hackers employ a lot of techniques in order to steal your personal information, and keeping track of them all can be difficult. We hate to see people fall victim to the malicious actions of a few individuals, so we put together a list of some of the most common scams that hackers rely on. 


We've discussed phishing scams quite a lot in the past, but vishing is just as dangerous for your privacy. This word is a portmanteau of voice phishing, and it can actually be a lot more successful than regular email phishing. Vishing is where a criminal calls your house and pretends to be someone they aren't, using this disguise to either gain your trust or scare you. Once that's accomplished, the hacker will simply ask you for private information that they could later use for personal gain. 

"Vishing can be a lot more successful than regular email phishing."

Such a scheme could be as simple as a hacker pretending to be a long-lost friend, eventually asking you what your dog's name was so they can bypass a security question. However, a more recent scam was the calls a lot of U.S. citizens were receiving from the "IRS." As Forbes contributor John Wasik explained, criminals would call people in the hopes of frightening them into giving up information such as their Social Security numbers. There are a wide range of nefarious actions hackers can take when they get their hands on this data, but a lot of those involved in these scams simply requested fraudulent tax returns. 

The only way to avoid vishing is to never trust anyone who calls you from an unknown number. The IRS or similar institutions will never need to confirm personal information with you over the phone. Your skepticism is the first and last lines of defense against hackers. 

Card skimmers

While vishing calls often sound very real, there are few scams that fly under the radar like card skimmers. These devices sit right on top of the card readers on machines such as ATMs and gas pumps, and their only job is to steal your information. When you swipe your card, the institution you're paying gets all of the banking information they need via the magnetic strip. This means that a hacker that can trick you into running your card through his skimmer can make off with all the data he needs to steal your money. 

Although those new EMV chips are designed to disable this kind of hack, many places haven't rolled out the new card readers yet. That said, PCMag's Max Eddy has laid out some pretty simple instructions to follow if you want to ensure a machine doesn't have a skimmer. After checking the device for obvious signs of tampering – like the card reader being a different color than the one on the machine next to yours  – gently start wiggling all pieces. If something moves, there's a very good chance that a hacker has glued his own gadget over the existing one in order to steal your information. ATMs are built without many flaws, but hackers very often do a slapdash job in order to move quickly and avoid getting caught. 

Hackers can steal your information with card skimmers. Card skimmers come in all shapes and sizes.

Fake job postings

Anyone who's been out of work for a long stretch of time knows the stress of an unsuccessful job search. As the months pass by, you slowly begin to lower your standards and start looking for anything with a paycheck. Hackers know how desperate some people become in their unemployment, and use this to scam them. 

Cyber criminals will very often post a link on sites like Craigslist claiming to have an incredible position available. Sometimes, the malicious individual will even find a person's email address on a site like LinkedIn and send them a message about a job offer. This person will often take the time to create a Facebook page for their company in order to build your confidence. Once they've got your attention with an impossibly high salary, the hacker will ask you to send your resume with all of your private information or even your Social Security number. 

Again, the only way to steer clear of these kinds of scams is to stay vigilant. Always do in-depth research about any position you're offered, and if a job sounds too good to be true, it probably is. 

Total Defense

What We Have to Say:

Read More