5G is a technologist's dream, but it could become a web security professional's biggest challenge yet.
With every revolution come the difficulties of ruling. 5G is an exciting proposition. It offers higher speeds, lower latency and increased power. All of these should enable greater possibilities for businesses and consumers.
However, these advancements can come at a cost: the creation of new threat profiles that were not previously possible. Akin to common colds becoming resistant to antibiotics, a combination of new evolving technologies can cause new combinations and mutations. This is very much the situation we find developing between 5G and botnets.
We are all aware of the explosion in internet-enabled devices. Experts predict that the IoT market will grow from an installed base of 11.2 billion devices in 2017 to 20.4 billion devices in 2020. That is a lot of potential entry points for malicious actors.
The worry is that 5G is accelerating the proliferation of these unsecured devices into every area of life. The consequences could be the creation of botnets on a scale not yet seen. Add into that the increased speed and reduced latency of a 5G network, and you have something potentially formidable.
IoT and 5G are both important technological achievements which are changing the world. However, this optimism needs to be tempered with clear thinking and planning to keep up with the consequent evolution of the threat landscape.
How Botnets Form
Unsecured IoT devices form the foundation of malicious botnets. Botnet spyware or attacks are underestimated in the threat landscape because they are ‘dumb’ in nature.
Rather than breaching a network or utilising advanced techniques, building botnets relies on less sophisticated hijacking methods, such as scanning open networks for vulnerable devices without proper security certifications or, even worse, those that are using factory-default passwords.
This is why you are likely to hear talk about the proliferation of IoT devices increasing the attack surface. On this scale, there are a lot of potential targets, touching nearly every individual and industry. This increases the likelihood of Trojans capable of installing spyware, keyloggers and more spreading.
The most common form of attack a botnet is used for is a distributed denial of service (DDoS) attack, where multiple devices are used to form a swarm of internet-enabled devices, which can simultaneously target specific IPs and overwhelm them.
Botnets might use brute force attack methods, but the problem is that they are effective in their aim: No network can stand up to millions of bots spamming it at the same time. Consequently, botnets are still a popular and active threat.
Just in the last few weeks security experts have delivered warnings that an IoT botnet has been targeting the financial services sector with DDoS attacks in what they believe is the first such campaign since Mirai; and the site Webstresser.org was taken down after being blamed for more than four million cyber-attacks around the world.
New variations of the Mirai botnet are still being discovered now, years after the attack against Dyn servers took down the US East Coast.
Multiplying power of 5G
Botnets do not require the typical hacker skillset to assemble, can cause widespread disruption and take advantage of the poor security practices of others. However, there is a growing cause for concern over the way the availability of 5G networks combined with the ready availability of unsecured IoT devices will empower malicious botnets of the future.
Unlike previous generations, 5G networks take advantage of virtualisation and cloud systems. Experts warn this could perpetuate and broaden existing security flaws in mobile networks, potentially leaving them more vulnerable to breaches if not properly secured.
Where matters are even more concerning is how the extra speed and power might be utilised by a malicious actor. Hackers are about to be handed much more powerful tools. DDoS attacks could increase in scale and frequency, causing untold disruption to business or critical infrastructure.
This adds an all new importance to ensuring that IoT devices are not easily co-opted into malicious botnets. Building the devices with poor security certifications or easily guessable default passwords is like locking your home’s front door but leaving the keys in the lock.
In fact, the European Union Agency for Network and Information Security are so concerned with this pattern that they advocate slowing down IoT deployments until a greater understanding of the situation can be gained.
Protecting ourselves
The hard work is preventing this sort of exposure in the first place. Behaviour change, such as individuals updating their devices with secure passwords, or being discerning about which IoT products they buy based on security factors, is an important and effective remedy which we should strive to accelerate.
However, education is not enough. 5G is coming in the next few years – a schedule which leaves us in a ‘tragedy of the commons’ situation, where we cannot mobilise change in people’s habits quickly enough.
That is why it is essential we see a greater focus on security by design from IoT device manufacturers. Introducing tougher security protocols, securer default passwords and more will see a reduction in the number of IoT devices being hijacked for botnet purposes.
Good security design should include an inventory of authorised and unauthorised devices within your environment so you can see what you are protecting; limited user privileges and application permissions to only what is required; and exercising good cyber hygiene, such as removing unnecessary services, stamping out vulnerabilities and maintaining organisation of your network.
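The inventory and hygiene checks described above can be sketched as a small audit. This is an added example, not part of the original article: the inventory, the discovery records and every name in it (`AUTHORISED`, `Observed`, `audit`) are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: MAC address -> services each authorised device needs.
AUTHORISED = {
    "aa:bb:cc:00:00:01": {"https"},
    "aa:bb:cc:00:00:02": {"https", "rtsp"},
    "aa:bb:cc:00:00:04": {"mqtt"},
}

@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    services: frozenset
    default_password: bool  # True if the factory credential was never changed

# Constructed discovery results, as a DHCP lease table plus a service
# scan of your own network might produce them.
OBSERVED = [
    Observed("aa:bb:cc:00:00:01", "10.0.0.11", frozenset({"https"}), False),
    Observed("aa:bb:cc:00:00:02", "10.0.0.12",
             frozenset({"https", "rtsp", "telnet"}), True),
    Observed("aa:bb:cc:00:00:03", "10.0.0.13", frozenset({"http"}), False),
]

def audit(authorised, observed):
    """Return (mac, issue, detail) findings for devices on the network."""
    findings, seen = [], set()
    for dev in observed:
        mac = dev.mac.lower()
        seen.add(mac)
        if mac not in authorised:
            # Not in the inventory: nothing else about it can be trusted.
            findings.append((mac, "unauthorised-device", dev.ip))
            continue
        # Services beyond what the device needs should be removed.
        extra = sorted(dev.services - authorised[mac])
        if extra:
            findings.append((mac, "unnecessary-service", ",".join(extra)))
        if dev.default_password:
            findings.append((mac, "factory-default-password", dev.ip))
    # Inventory entries that were not seen may be offline or replaced.
    for mac in sorted(set(authorised) - seen):
        findings.append((mac, "authorised-but-missing", ""))
    return findings

if __name__ == "__main__":
    for mac, issue, detail in audit(AUTHORISED, OBSERVED):
        print(f"{mac}  {issue:26} {detail}")
```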
Manufacturers, meanwhile, could design devices with unique passwords out of the box, or at the very least, not a handful of easily guessable combinations.
At present, the producers of vulnerable IoT devices are insulated from any standards requirements, market feedback or liability concerns, meaning that they have no responsibility to protect their users. This has to change.
Steve Mulhearn is director of Advanced Technologies at Fortinet.