That’s a question many in the security industry have been asking themselves. IoT botnets are networks of insecure IoT devices like webcams and DVRs that have been taken over by a piece of malware and controlled by a single attacker. This nefarious practice grabbed the spotlight in 2016 when the Mirai botnet disrupted internet usage across the East Coast of the United States, hitting internet hosting provider OVH and KrebsOnSecurity with record-breaking DDoS attacks. Researchers’ estimates on Mirai’s size vary from 800,000 infected devices to 2.5 million.
But Mirai was only the beginning. IoT botnets are cheap and easy to amass, thanks to the poor or nonexistent security controls of most IoT devices. In fact, Spamhaus estimates that botnet command and control (C2C) servers more than doubled from 393 in 2016 to 943 in 2017. Gartner predicts that there will be 20.4 billion IoT devices in use by 2020, so there will be even more potential bots for attackers to abuse over the coming years.
IoT botnet malware continues to evolve, and many new IoT botnets have been spotted in the wild. The Reaper botnet, which infects devices by exploiting several known vulnerabilities rather than using a list of common passwords like Mirai, controls 28,000 devices, and approximately 2 million devices are vulnerable to the flaws it exploits. A recent botnet named Hide ‘n Seek has 24,000 bots and uses a new peer-to-peer method of spreading itself. The Hajime botnet has infected 300,000 IoT devices. The Satori botnet, based on the Mirai source code, grabbed 280,000 bots in a 12-hour period! Another Mirai variant called Okiru targets ARC processors and could potentially infect 1.5 billion devices based on researchers’ estimates.
So how big can the next major botnet get? That’s a difficult question to answer with any degree of certainty. But many of the new botnets named above have the potential to grow as large as or larger than Mirai, and as more insecure IoT devices are produced, that potential size is only going to increase. If we don’t add better security to our IoT devices, they will only create larger botnets. It’s not a matter of if a botnet attack will top Mirai, it’s when.
–Marc Laliberte
Ondrej Prenek says
What are the references? I’m doing research about botnets and I’m looking for the number of vulnerable devices per botnet family. Thank you!
Marc Laliberte says
The lower bound for Mirai infections was from a Cloudflare post at the time. The upper bound was from McAfee’s threat report – https://www.mcafee.com/enterprise/en-us/assets/reports/rp-quarterly-threats-mar-2017.pdf