Abstract
The insecurity of smart Internet-connected, or so-called “IoT”, devices has become more concerning than ever. The existence of botnets exploiting vulnerable, often poorly secured and configured Internet-facing devices has been known for many years. However, the outbreak of several high-profile DDoS attacks launched from massive IoT botnets, such as Mirai, in late 2016 served as an indication of the potentially devastating impact that these vulnerable devices represent. Since then, the volume and sophistication of attacks targeting IoT devices have grown steeply, and new botnets now emerge every couple of months. Although a lot of research is being carried out to study new waves of attacks and malware, we still lack a comprehensive overview of the current state of the IoT threat landscape. In this paper, we present the insights gained from operating low- and high-interaction IoT honeypots for a period of six months. Namely, we see that the diversity and sophistication of IoT botnets are both growing. While Mirai is still a dominant actor, it now has to coexist with other botnets such as Hajime and IoT Reaper. Cybercriminals also appear to be packing their botnets with more and more software vulnerability exploits targeting specific devices, to increase their infection rate and win the battle against competing botnets. Finally, while the IoT malware ecosystem is currently not as sophisticated as the traditional one, it is rapidly catching up. We thus believe that the security community has the opportunity to learn from past experience and act proactively upon this emerging threat.
Notes
1. Honeypot projects referred to in the paper:
   Glutton: https://github.com/mushorg/glutton
   Cowrie: https://github.com/micheloosterhof/cowrie
   Telnet-IoT-honeypot: https://github.com/Phype/telnet-iot-honeypot
   MTPot: https://github.com/Cymmetria/MTPot
   Honeything: https://github.com/omererdem/honeything
   Dionaea: https://github.com/DinoTools/dionaea
   Conpot: https://github.com/mushorg/conpot
2. We retained only vulnerabilities that can be exploited by a remote attacker and that are related to services exposed by our honeypots.
© 2018 Springer Nature Switzerland AG
Cite this paper
Vervier, PA., Shen, Y. (2018). Before Toasters Rise Up: A View into the Emerging IoT Threat Landscape. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_26
DOI: https://doi.org/10.1007/978-3-030-00470-5_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-00469-9
Online ISBN: 978-3-030-00470-5