IoT botnets are on the rise and 5G isn’t helping anything


The detection of IoT botnets is at an all-time high and the number of varieties is also steadily rising - two trends that are showing no signs of slowing down.

That's according to Kevin McNamee, director of threat intelligence at Nokia, who added that the advent of 5G 'creates more problems than it solves'.

Referencing figures from Nokia's 2019 Threat Intelligence Report, McNamee said the telecoms giant observed 78% of botnets carried active malware, 35% of which shared similarities in either code or attack methodology with 2016's Mirai.

The hugely successful Mirai botnet of 2016, which was responsible for one of the biggest DDoS attacks in history, has inspired a wide portfolio of newer iterations that are proliferating widely.

Satori and Reaper botnets are examples of the more malicious variants which succeeded Mirai, while Hajime copied Mirai's attack methodology to plug the vulnerabilities its malicious predecessor exploited in the first place - a bot for good.

Researchers at Unit 42 announced in March that they had discovered another new variant of Mirai that had an updated attack methodology and a wider-reaching attack surface that specifically targeted enterprise IoT devices.

Any device that's visible on the open internet right now can be targeted by an IoT botnet, and if it has a vulnerability as well, then it will be hacked within minutes, said McNamee, and the advent of 5G complicates things further.

While the next generation of mobile networking has its cyber security advantages, such as network slicing, it also presents issues that could exacerbate the already growing botnet bother.

"Now with 5G, we're going to be moving to much more devices, bigger networks, higher bandwidth and probably the carriers are going to make decisions around what IP addresses to use and likely they'll use IPv6 addresses [rather than the current IPv4 ones]," said McNamee. "So there is the potential to make the wrong decisions that you're opening up the attack surface by making those devices visible."

He also noted that, with more IoT devices becoming potentially visible, bots can recruit more devices through which they can launch offensives like DDoS attacks. These can then become far more damaging than before due to the larger bandwidth that 5G affords.

"More IoT devices means bigger botnets," he said. "So nowadays, when you see a botnet of 100,000 bots, think five years down the road, [we could see] a botnet of 1 million, 2 million or 10 million bots."

In addition, the ability for a 5G network to be 'sliced' or segmented by the carrier might also present problems that it otherwise intends to solve.

Network slicing is emblematic of classic cyber security best practice: segmenting different parts of a network so attackers can't move across the whole company. Alongside the more inherently secure and encrypted 5G control plane, the slicing capability gives businesses an added layer of network security and a way of mitigating the negative possibilities of attacks exploiting higher bandwidths.

However, segmenting the network can also make an attacker's job easier by signposting where the information they want resides. It's like the contents page of a textbook indicating the page of a topic but also the pages on which you can easily find different sub-topics.

Connor Jones
News and Analysis Editor
