Skip to main content
SpringerLink
Log in

Before Toasters Rise Up: A View into the Emerging IoT Threat Landscape

  • Conference paper
  • First Online:
Book cover Research in Attacks, Intrusions, and Defenses (RAID 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11050))

Abstract

The insecurity of smart Internet-connected or so-called “IoT” devices has become more concerning than ever. The existence of botnets exploiting vulnerable, often poorly secured and configured Internet-facing devices has been known for many years. However, the outbreak of several high-profile DDoS attacks sourced by massive IoT botnets, such as Mirai, in late 2016 served as an indication of the potential devastating impact that these vulnerable devices represent. Since then, the volume and sophistication of attacks targeting IoT devices have grown steeply and new botnets now emerge every couple of months. Although a lot of research is being carried out to study new spurs of attacks and malware, we still lack a comprehensive overview of the current state of the IoT thread landscape. In this paper, we present the insights gained from operating low- and high-interaction IoT honeypots for a period of six months. Namely, we see that the diversity and sophistication of IoT botnets are both growing. While Mirai is still a dominating actor, it now has to coexist with other botnets such as Hajime and IoT Reaper. Cybercriminals also appear to be packing their botnets with more and more software vulnerability exploits targeting specific devices to increase their infection rate and win the battle against the other competing botnets. Finally, while the IoT malware ecosystem is currently not as sophisticated as the traditional one, it is rapidly catching up. We thus believe that the security community has the opportunity to learn from passed experience and act proactively upon this emerging threat.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Glutton: https://github.com/mushorg/glutton

    Cowrie: https://github.com/micheloosterhof/cowrie

    Telnet-IoT-honeypot: https://github.com/Phype/telnet-iot-honeypot

    MTPot: https://github.com/Cymmetria/MTPot

    Honeything: https://github.com/omererdem/honeything

    Dionaea: https://github.com/DinoTools/dionaea

    Conpot: https://github.com/mushorg/conpot.

  2. 2.

    We retained only vulnerabilities that can be exploited from by a remote attacker and that were related to services exposed by our honeypots.

References

  1. Shodan. https://www.shodan.io/

  2. VirusTotal. https://www.virustotal.com/

  3. Internet Census (2012). http://census2012.sourceforge.net/paper.html

  4. CVE-2016-1555 (2016). https://nvd.nist.gov/vuln/detail/CVE-2016-1555

  5. CVE-2016-5681 (2017). https://nvd.nist.gov/vuln/detail/CVE-2016-5681

  6. CVE-2017-17107 (2017). https://nvd.nist.gov/vuln/detail/CVE-2017-17107

  7. Antonakakis, M., et al.: Understanding the mirai botnet. In: USENIX Security Symposium (2017)

    Google Scholar 

  8. Anubhav, A.: Agile QBot variant adds NbotLoader Netgear Bug in its new update, July 2017. https://blog.newskysecurity.com/agile-122bf2f4e2f3

  9. Anubhav, A.: Masuta : Satori creators’ second botnet weaponizes a new router exploit, January 2018. https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7

  10. Checkpoint: IoTroop Botnet: the full investigation, October 2017. https://research.checkpoint.com/iotroop-botnet-full-investigation/

  11. Chen, D.D., Woo, M., Brumley, D., Egele, M.: Towards automated dynamic analysis for Linux-based embedded firmware. In: NDSS, February 2016

    Google Scholar 

  12. Costin, A., Zaddach, J., Francillon, A., Balzarotti, D.: A large scale analysis of the security of embedded firmwares. In: USENIX Security Symposium (2014)

    Google Scholar 

  13. Costin, A., Zarras, A., Francillon, A.: Automated dynamic firmware analysis at scale: a case study on embedded web interfaces. In: ASIACCS, May 2016

    Google Scholar 

  14. Cozzi, E., Graziano, M., Fratantonio, Y., Balzarotti, D.: Understanding Linux malware. In: IEEE Symposium on Security and Privacy, May 2018

    Google Scholar 

  15. Cui, A., Stolfo, S.J.: A quantitative analysis of the insecurity of embedded network devices: results of a wide-area scan. In: ACSAC, December 2010

    Google Scholar 

  16. Edwards, S., Profetis, I.: Hajime: analysis of a decentralized internet worm for IoT devices. Rapidity Netw. (2016)

    Google Scholar 

  17. Embedi: enlarge your botnet with: top D-Link routers, September 2017. https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin/

  18. Guarnizo, J.D., et al.: Siphon: towards scalable high-interaction physical honeypots. In: CPSS, April 2017

    Google Scholar 

  19. Kim, P.: Pwning the Dlink 850L routers and abusing the MyDlink Cloud protocol, September 2017. https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html

  20. Krebs, B.: Who is Anna-Senpai, the Mirai worm author? January 2017. https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

  21. Kumar, M.: Advanced Malware targeting Internet of the Things and Routers, March 2016. https://thehackernews.com/2016/03/internet-of-thing-malware.html

  22. Leita, C., Mermoud, K., Dacier, M.: Scriptgen: an automated script generation tool for honeyd. In: ACSAC, December 2005

    Google Scholar 

  23. Luo, T., Xu, Z., Jin, X., Jia, Y., Ouyang, X.: IoTCandyJar: towards an intelligent-interaction honeypot for IoT devices. In: Blackhat, USA, July 2017

    Google Scholar 

  24. Offensive Security: D-Link Devices - UPnP SOAP TelnetD command execution (Metasploit), September 2013. https://www.exploit-db.com/exploits/28333/

  25. Offensive Security: Remote buffer overflow in cookie header, June 2014. https://www.exploit-db.com/exploits/33863/

  26. Offensive Security: D-Link DIR-890L/R - Multiple buffer overflow vulnerabilities, November 2015. https://www.exploit-db.com/exploits/38716/

  27. Offensive Security: Brickcom corporation network cameras - multiple vulnerabilities, April 2016. https://www.exploit-db.com/exploits/39696/

  28. Offensive Security: Brickcom IP Camera - credentials disclosure, July 2017. https://www.exploit-db.com/exploits/42588/

  29. Offensive Security: SSD advisory - D-Link 850L multiple vulnerabilities, August 2017. https://blogs.securiteam.com/index.php/archives/3364

  30. Pa, Y.M.P., Suzuki, S., Yoshioka, K., Matsumoto, T., Kasama, T., Rossow, C.: IoTPOT: analysing the rise of IoT compromises. In: WOOT, August 2015

    Google Scholar 

  31. Wang, M., Santillan, J., Kuipers, F.: ThingPot: an interactive IoT honeypot (2017)

    Google Scholar 

  32. Zaddach, J., Bruno, L., Francillon, A., Balzarotti, D.: Avatar: a framework to support dynamic security analysis of embedded systems’ firmwares. In: NDSS, February 2014

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Symantec Research Labs, Sophia Antipolis, France

    Pierre-Antoine Vervier

  2. Symantec Research Labs, Reading, UK

    Yun Shen

Authors
  1. Pierre-Antoine Vervier
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yun Shen
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pierre-Antoine Vervier .

Editor information

Editors and Affiliations

  1. University of Illinois at Urbana-Champaign, Urbana, IL, USA

    Michael Bailey

  2. Ruhr-Universität Bochum, Bochum, Germany

    Thorsten Holz

  3. Vrije Universiteit Amsterdam, Amsterdam, The Netherlands

    Manolis Stamatogiannakis

  4. Foundation for Research & Technology – Hellas, Heraklion, Crete, Greece

    Sotiris Ioannidis

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Vervier, PA., Shen, Y. (2018). Before Toasters Rise Up: A View into the Emerging IoT Threat Landscape. In: Bailey, M., Holz, T., Stamatogiannakis, M., Ioannidis, S. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2018. Lecture Notes in Computer Science(), vol 11050. Springer, Cham. https://doi.org/10.1007/978-3-030-00470-5_26

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-00470-5_26

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00469-9

  • Online ISBN: 978-3-030-00470-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation