ABSTRACT
Mirai and its variants have demonstrated the ease and devastating effects of exploiting vulnerable Internet of Things (IoT) devices. In many cases, the exploitation vector is not sophisticated; rather, adversaries exploit misconfigured devices (e.g., unauthenticated protocol settings or weak/default passwords). Our work aims at unveiling the state of IoT devices along with an exploration of the current attack landscape. In this paper, we perform an Internet-level IPv4 scan to unveil 1.8 million misconfigured IoT devices that may be exploited to perform large-scale attacks. These results are filtered to exclude a total of 8,192 devices that we identify as honeypots during our scan. To study current attack trends, we deploy six state-of-the-art IoT honeypots for a period of 1 month. We gather a total of 200,209 attacks and investigate how adversaries leverage misconfigured IoT devices. In particular, we study different attack types, including denial of service, multistage attacks, and attacks from infected online hosts. Furthermore, we analyze data from a /8 network telescope covering a total of 81 billion requests towards IoT protocols (e.g., CoAP, UPnP). Combining knowledge from the aforementioned experiments, we identify 11,118 IP addresses (that are part of the detected misconfigured IoT devices) that attacked our honeypot setup and the network telescope.