Paper Discussion 9b: IoTPOT: Analyzing the Rise of IoT Compromises

[s-hanna15]

• @bushidocodes, Sean McBride, Comprehension: What is the advantage of having a slow progressive attack...
• @bushidocodes, Sean McBride, Comprehension: What is it about the telnet protocol that makes is especially vulnerable?
• @AkinoriKahata, Akinori Kahata, Comprehension: What is the recommendation for developers...
• @albero94, Alvaro Albero, Critical: How are they logging all the actions that an attacker performs?
• @searri, Rick Sear, Comprehension: What is the landscape like today?
• @searri, Rick Sear, Comprehension: Is there any danger that, now that this research is published, attackers...
• @ericwendt, Eric Wendt, Critical: Is the system purely for identifying attacks?
• @samfrey99, Sam Frey, Critical: Why is the distribution of devices in section 2 so skewed towards DVRs?
• @samfrey99, Sam Frey, Critical: Were attackers aware that their DoS attacks were being blocked?
• @reesealanj, Reese Jones, Critical: What about Telnet made it the most significant attack vector?
• @rachellkm, Rachell Kim, Comprehension: What does it mean to categorize device type by HTTP title?

[bushidocodes]

Reviewer: Sean McBride

Review Type: Comprehension Review

Problem Being Solved:

There have been anecdotal reports that the number of telnet-based attacks against IOT systems have increased. What is the nature of these attacks?

Main Contributions:

1. Validated the anecdotal observation that there has been a large increase in Telnet-based attacks on IOT devices.
2. Designed a novel Honeypot (IOTPOT) with a frontend that simulates the Telnet protocol and a backend (IOTBOX) and uses qemu to execute malicious commands in ephemeral sandboxes and then store the request-response interactions in a database for later memoization via the front-end.
3. Ran the honeypot for a bit over a month to capture 76,605 malware download attempts and then performed post-op analysis of the attacks, demonstrating the flow of telnet-attacks across several families.

Questions:

1. ZORRO removed binaries from Unix locations in path to make it harder for other botnets to steal the node. Wouldn't this potentially break the device itself, making the end-user aware something is happening?
2. What is the advantage of having a slow progressive attack (ZORRO) rather than performing the entire exploit in one go? Is this for security reasons or just for engineering / distributed system reasons (our pool of MIPS penetrators is saturated...)?
3. What is it about the telnet protocol that makes is especially vulnerable? On the flip side, why is this exposed publicly on a router?

[AkinoriKahata]

Reviewer: Akinori Kahata Review type: Comprehensive

1. The problem being solved.
   • Recently, the number of Internet of things devices is increasing, and many of these devices are vulnerable to cyberattacks. Especially, many of these are used by Distributed Denial of Service (DDoS) attack as part of a botnet. To prevent those IoT devices from becoming a part of a botnet, to clarify the attack pattern of adversaries is essential.
2. The main contributions.
   • Firstly, by researching attacks from adversaries to darknet of Japan, the researchers showed the number of scanning to IP addresses from a device of a botnet. Next, they made IoT Honeypot (IoTPOT), and using by IoTPOT gathered information of cyberattack, concretely intrusion, infection and monetization. As a result, they revealed 17 malware binaries and attack types of each malware.
3. Questions.
   • Why they chose attacks that use telnet for their first research? I want to know comparing data with the number of using other ports.
   • I think the goal of security research is to improve the cybersecurity of society. What is the recommendation for developers and consumers to improve cybersecurity from the result of this research?

[albero94]

Reviewer: Alvaro Albero Review Type: Analytical

Problem domain

The number of attacks to IoT devices keeps increasing and many of these attacks are Telnet attacks. The authors want to understand more on how these attacks are performed and what are they targeting.

Main contributions

The authors perform an analysis and confirm the increasing number of Telnet attacks. First, they create a honeypot to receive this kind of attacks by simulating different IoT devices. When an attack is performed, they analyze it and capture the malware samples. Second, they propose a Box that is able to run the attacker’s commands and the captured malware for further understanding. Finally, they have organized the attacks in different families based on the actions performed, the architectures they are targeting and their goals.

Questions

• Are the devices counted in section 2 malicious? Have they been compromised or just example user devices?
• Does the IoTBox only gets used when the attacker is unknown? I understand that the commands are sent to the IoT box and then the system learns from them and creates a profile. Once there is a profile, the IoTBox is never needed again for that type of attack?
• How are they logging all the actions that an attacker performs? From using a dictionary, to deleting binaries and downloading files to performing DoS attacks.

Critiques

• I really liked this paper, explains an interesting concept to gather information about malware attacks to IoT devices that had not been used before, as previous work was mainly done with low interaction honey pots. They provide a lot of detail an information in most of the sections explaining how they did a previous research. They explain the design and implementation of the honey pot and the exact commands that the attacks tried to perform, something that helped me understand better how security attacks work. They also provide good information about IoTBox and the results.
• The only part that I would have liked more detail is when they talk about downloading manually the collected malware samples. I guess they found these IP addresses based on the IP addresses that the infected devices try to download files from, but I do not think they explicitly say it. They could have also given more detail about this “malware repositories”, where are they hosted, how you can access them, what type of malware you can download, etc.

[searri]

Reviewer: Rick Sear Review Type: Comprehension

Problem being solved

IoT devices often have weak or no passwords, making them vulnerable to very simple cyberattacks. This paper introduces a honeypot to draw in attackers and gain insight into their techniques, as well as provide some analysis of what they found.

Important contributions

The paper introduces IoTPOT, which acts like IoT devices running on various hardware architectures. Attackers enter the IoTBOX environment; their interactions are monitored by a Frontend Responder, Profiler, and Downloader to gather information about the attack and attacker.

Questions

• This paper was published in 2015. What's the landscape like today? Do attackers still go for these easy Telnet attacks? How much have the infection patterns (3.4.2) changed?
• What is C&C communication? All I can find on Google is listings for companies.
• Is there any danger that, now that this research is published, attackers will be able to figure out sophisticated ways of avoiding honeypots? From a networking perspective, how hard is it to tell the difference between honeypot virtualized hardware and an actual IoT device?

[ericwendt]

Reviewer: Eric Wendt Review Type: Critical

Problem being solved IoTPOT describes itself as a honey-pot for gathering security analytics for IoT devices and attacks. The tools that IoTPOT provides are extended features from what already exists. Analyzing attacks threats to IoT systems is important for the sheer amount of them exist.

Main contributions

• The first contribution this paper provides is a diagram of how their system works. This isn't super detailed, and more details would have been helpful, but for the sake of simplicity, the diagrams are effective.
• Another contribution is how their programs run. They essentially emulate CPU hardware in virtual IoT devices. These devices then deliberately open themselves up for attack. The system will then monitor the attacker's behaviour at every step.

Questions

• how are attacks identified, what technology do they use?
• Is the system purely for identifying attacks, or are there prevention methods built in as well?
• Why do some of the attacks log off after successfully getting creds? It's like there's a separate attack after the fact.

Critiques

• please more detail. I got no sense of how this system actually identifies and handles attacks, just simply that they do.
• Explain Telnet better?

[samfrey99]

Reviewer: Sam Frey Review Type: Critical

Problem: IoT devices often lack sufficient security to protect themselves against basic intrusion attempts. Many IoT devices continue to use weak, default login credentials, leaving themselves accessible to attackers. This makes them an easy target, and their always-on nature makes them the perfect candidates for a malicious botnet.

Important Contributions: The authors created IoTPOT, a honeypot, to attract malicious attackers and capture malware samples. With these samples, the authors can gain a better understanding of attacks against IoT devices, and thus, a better idea of how to protect them. With IoTPOT, the authors were able to identify 4 distinct families of malware attacking IoT devices.

Questions:

• Why is the distribution of devices in section 2 so skewed towards DVRs? Is there something about DVRs that makes them "ideal candidates" for a telnet-based attack?
• Is current anti-virus so bad that only 2 out of the 43 collected samples of malware were recognized? That seems like security is falling way behind. Why did it take this long for someone to recognize this?
• Were attackers aware that their DoS attacks were being blocked by the Access Controller, or did the IoTPOT have a way to make it appear to the attacker that everything was working the way they expected?

Critique: While the paper is well written and easy to understand, it lacks substance. The authors did a great job of explaining what they did, but not so much how they did it. I do recognize that this may be an intentional decision though. As Rick (@searri) brought up, publishing this paper makes it available to attackers as well. Too much detail on implementation could render IoTPOT useless.

[reesealanj]

Reviewer: Reese Jones Review Type: Critical

Problem Bring Solved: Even though there have been advancements in security for General Purpose Computers and other "normal" devices, IoT Hardware consistently relies on security techniques which leaves them open to compromise and attack. The systems are often so insecure they are run off of basic default/no password protection and are therefore vulnerable to some of the most basic intrusion attacks available.

Main Contributions: The paper discusses IoTPOT, a honeypot created by the authors which is meant to lure in any potential attackers. On top of that IoTPOT is meant to help used those lured in attackers to grab information about attacks in order to better understand the security threats facing IoT devices.

Questions

• What exactly is the technology behind identifying attacks? I felt as though that was not discussed enough.

• Is Telnet as much an attack vector today as it was when the paper was published? A quick google search did not yield an IoT and Telnet article dated after 2016.

• What about Telnet made it the -in my reading- most significant attack vector in the whole paper? As in why is it such a risk.

Critiques

• Through reading this my main critique lies with the fact the paper exists at all, doesn't having this information out there in any capacity completely negate the purpose of developing and designing the IoTPOT system?

• Just as mentioned in my questions, if they're going into so much detail re: the IoTPOT system already I would have liked to see more about how attacks are monitored and cataloged.

[rachellkm]

Reviewer: Rachell Kim Review Type: Comprehension

Problem Being Solved:

There has been an increase in DDoS attacks on Telnet-based IoT devices since 2014. This issue prompted the need to analyze and study how IoT devices are being compromised by different types of malware.

Main Contribution:

The authors propose a honeypot called IoTPOT to simulate IoT devices and capture details of Telnet-based attacks. Moreover, they also propose and utilize a backend virtual environment called IoTBOX to execute captured malware and perform analysis. From the results, the authors have been able to identify different families of malware and certain characteristics of their behaviors.

Questions:

1. What does it mean to categorize device type by HTTP title? And what “available manuals” are they referring to for categorization when there exists no telling keyword?
2. I’m a bit confused at how 70k attackers were able to find the IoTPOT over a 39 day period, but this might be rooted in my misunderstanding of what a honeypot is. Is it emulating device information over a network to attract attackers? Or is it an open port? How do they find the honeypot to log in?

[mralexjacobson]

Reviewer: Alex Jacobson Review Type: Critical

Summary of problem being solved:

The threats against IOT devices are increasing. The authors design honeypot and sandbox in order to attract these attacks to analyze them.

Main contributions:

The authors are kind enough to summarize their own contributions. They detect a large increase in the number Telnet based attacks and the involvement of IOT devices. They propose a Honeypot to analyze those attacks, and they also propose IOT-box to run the malware on different cpu architectures in order to further analyze the attacks.

Questions: What is Telnet? Seems like some communication protocol, but I do not know what exactly it is. What is a darknet? I believe the illegal online drug marketplaces are hosted on the dark web. Are darknet and dark web equivalent? What is 23/TCP? Is it a port? Not entirely clear on that.

Critiques:

The paper uses a lot of vocabulary that I am not familiar with. Perhaps i’m just unprepared to read this paper, but a bit of background would have been nice. For example, I do not know exactly what a honeypot is, as it is used in this paper. I eventually inferred that it is liked honey too bees, trying to attract the attacks in order to analyze them, but overall more background would have been nice.

The authors use a device to attract attacks and analyze them. They learned that there are at least four DDoS malware families targeting IOT devices. While this is nice to know, what is the significance? What can we do with that knowledge in order to prevent attacks? Would have been good to discuss that.