A TP-Link smart plug in a smart home. Credit: Gado via Getty Images/Gado

All the hand-wringing over the integration of generative artificial intelligence may be glossing over another type of bot that's already causing damage in our daily lives: growing armies of infected internet-connected devices.

Botnets running automated software have existed for two decades. Early variants ran largely on Windows-based PCs and were used to send spam. Now they're far more stealthy and ubiquitous. In fact, there's a good chance a bot has already been installed in your home. The number of network-connected gadgets deployed to conduct mass attacks has escalated over the past year, Nokia Oyj said in a recent report, and they're being used to shutter websites, hack banking systems, close hospitals and cut off communications services.

Internet cameras — used for household security, to monitor the baby, or keep tabs on the dog — are a common target. As are routers that sit in almost every home, largely forgotten by their owners. Just in the past two months, models from Taiwan's Zyxel and Chinese firm TP-Link, two of the largest providers of consumer-level networking equipment, were identified as vulnerable to malicious code. Both have since issued advisories for customers to update their software.

The process of gathering infected devices into a network of bots is remarkably straightforward. First, a nefarious actor scans the internet for insecure gadgets. Since every network connection has a unique address, automated software need only trawl through various possibilities to look for a valid result — similar to robocallers dialing random phone numbers.

Once a match is found, the next step is to try various combinations of login and password. A few thousand attempts can be made within minutes — aided by the fact that many people never update their devices from default settings, so the most likely sequences are already known. The internet-protocol addresses of successfully breached targets are then added to a database, along with their security credentials.

All this information is uploaded to a command-and-control server which acts as the operations center. Loading pernicious programs into the storage memory of exploited devices is simple once you know basic details such as the operating system. Suddenly, your nannycam is a bot, although it may still function normally and show no signs of being possessed by alien code. Put thousands of these zombie gadgets together in a directory and you have a network of bots ready to execute whatever its owner decides.

One of the most infamous deployments of a botnet came from a vengeful college student angered by being excluded from his chosen elective. As Yale Law School professor and author Scott J. Shapiro recounts in Fancy Bear Goes Phishing, teenager Paras Jha strung together an army of 40,000 bots and unleashed them on Rutgers University in 2014. The flood of traffic created by these devices, called a distributed denial of service (DDoS) attack, brought the New Jersey institution to its knees.

Two years later Jha's identity was unveiled by cybersecurity journalist and researcher Brian Krebs, but not before he developed Mirai — botnet software that persists to this day. Jha and co-conspirators were later convicted. New variants are still in use.

While botnets can run on desktop and laptop PCs, internet-connected devices are a better choice because they're subject to a much lower level of scrutiny, are rarely updated with security patches, and owners pay little attention to the software that runs on them. That's why the proliferation of internet of things-based botnets continues. According to a June 7 Threat Intelligence Report from Nokia, the number of devices involved in DDoS attacks climbed fivefold over the past year to almost 1 million bots. They now account for more than 40% of all denial of service traffic.

To ameliorate the problem, consumers need to ensure they change the passwords on their devices regularly, update their software and avoid products from companies with a history of cybersecurity breaches.

DDoS attacks are more than an annoyance — they can also have severe security and safety consequences. U.S. power grids were targeted in 2019, though electricity supply wasn't affected, and governments across the world have had their services interrupted by these mass assaults. In recent years, hospitals have also become victims.

But bringing websites and network services to a halt isn't the only use for botnets. A collection of zombie devices can use their collective power to brute-force their way through defenses by continuously guessing passwords. In Latin America, a botnet was deployed to gather information on victims — a form of automated mass surveillance — that could later be exploited to access banking systems. They're also used to send ransomware threats, spread propaganda and misinformation in Ukraine, and suppress reach on Twitter — prompting Elon Musk in April to offer a $1 million bounty.

Digital zombies aren't going to attract the same attention as a chatbot or automated photo generator, nor the same level of fearmongering among AI skeptics. But they won't go away, and neither will the risk. Every device with a processor, memory and an internet connection is a potential bot, which means they can be weaponized against us.

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners. Tim Culpan is a Bloomberg Opinion columnist covering technology in Asia. Previously, he was a technology reporter for Bloomberg News.
