Bruce Schneier takes to the pages of Technology Review to remind us all that while botnets have been around for a long time, the Internet of Things is supercharging them, thanks to insecurity by design.
Botnets are useful for denial of service attacks, but they're also an indispensable part of the spam ecosystem, clickfraud, extortion, and other bad news.
Cheap IoT gadgets are manufactured by absentee proprietors and large, respected companies who ignore urgent warnings about their defects (or punish people who complain by remote-bricking their gadgets), leading to nightmarish breaches.
Worse, IoT manufacturers use antiquated DRM laws to threaten security researchers who reveal the defects in their products with brutal lawsuits and even jail-time (and this will be a risk for any device controlled by a browser).
Once you know a botnet exists, you can attack its command-and-control system. When botnets were rare, this tactic was effective. As they get more common, this piecemeal defense will become less so. You can also secure yourself against the effects of botnets. For example, several companies sell defenses against denial-of-service attacks. Their effectiveness varies, depending on the severity of the attack and the type of service.
But overall, the trends favor the attacker. Expect more attacks like the one against Dyn in the coming year.
Botnets of Things
[Bruce Schneier/MIT Technology Review]