cyber attack in iot on the rise · 2017-02-13 · cyber attack in iot on the rise - observing...



Post on 26-Dec-2019


Cyber Attack in IoT on the rise

- Observing attacks in IoT using IoTPOT -

Koji Nakao, Distinguished Researcher - NICT

Guest Professor – Yokohama National University

Adviser – KDDI

2017/1/24

Cyber attacks in IoT on the rise

500+ device types (inferred by telnet and web responses)

600,000+ IPs

Devices attacked our honeypot during Jan-June 2016

Categories of inferred infected devices (2016.9)

• Surveillance camera
– IP camera
– DVR

• Network devices
– Router, Gateway
– Modem, bridges
– WIFI routers
– Network mobile storage
– Security appliances

• Telephone
– VoIP Gateways
– IP Phone
– GSM Routers
– Analog phone adapters

• Infrastructures
– Parking management system
– LED display controller

• Control system
– Solid state recorder
– Sensors
– Building control system (bacnet)

• Home/individuals
– Web cam, Video recorders
– Home automation GW
– Solar Energy Control System
– Energy demand monitoring system

• Broadcasting
– Media broadcasting
– Digital voice recorder
– Video codec
– Set-top-box

• Etc
– Heat pump
– Fire alert system
– Medical device (MRI)
– Fingerprint scanner

Devices are inferred by telnet/web banners

ROOT CAUSES OF THE MASS-INFECTION

Telnet

https://en.wikipedia.org/wiki/Telnet

They are everywhere on the Internet

Examples of banners of Telnet services reachable from any host on the Internet

openpli.3.0.dm800se
BCM96328 ADSL Router
BCM96328 Broadband Router
BCM96328 xDSL Router
Router CLI User Access Verification
openli 4 et4x00 Air5450v2 login:
Hikvision login:
MX120-VoIP-AG login:
Netgear login:
TL-WR740N login:
advrdvs login:
dm800se.login:
dvrdvs.login:
et4x00 login:
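The banner-to-device mapping the talk relies on can be scripted. The following is an added example, not code from the IoTPOT project: it matches telnet banners of the shapes listed above against a small signature table (the regular expressions, category names and vendor labels are assumptions chosen for the example) and counts device categories, which is the basis of the "devices inferred by telnet/web banners" figures later in the deck.

```python
import re
from collections import Counter

# Constructed sample of telnet banners, modelled on the examples in the slides
# (short strings of the same shape, not captured traffic).
SAMPLE_BANNERS = [
    "openpli.3.0.dm800se",
    "BCM96328 ADSL Router",
    "BCM96328 Broadband Router",
    "Router CLI User Access Verification",
    "Hikvision login:",
    "MX120-VoIP-AG login:",
    "Netgear login:",
    "TL-WR740N login:",
    "dvrdvs login:",
    "et4x00 login:",
    "login:",
]

# Signature table: (compiled regex, category, vendor/model label). These are
# assumed signatures for the example. Order matters: the first match wins, so
# specific models come before generic words such as "Router".
SIGNATURES = [
    (re.compile(r"\bdm800se?\b|openpli", re.I), "broadcasting/set-top-box", "Dreambox DM800se (OpenPLi)"),
    (re.compile(r"\bBCM96328\b", re.I), "network/router", "Broadcom BCM96328 xDSL router"),
    (re.compile(r"\bHikvision\b", re.I), "surveillance/camera", "Hikvision"),
    (re.compile(r"\bdvrdvs\b", re.I), "surveillance/DVR", "dvrdvs-based DVR"),
    (re.compile(r"\bTL-WR\d+N?\b", re.I), "network/wifi-router", "TP-Link TL-WR series"),
    (re.compile(r"\bNetgear\b", re.I), "network/router", "Netgear"),
    (re.compile(r"VoIP", re.I), "telephone/VoIP-gateway", "VoIP gateway"),
    (re.compile(r"\bRouter\b", re.I), "network/router", "generic router"),
]


def classify_banner(banner):
    """Return (category, label) for one telnet banner, or ('unknown', None)."""
    for pattern, category, label in SIGNATURES:
        if pattern.search(banner):
            return category, label
    return "unknown", None


def infer_devices(banners):
    """Count device categories across a list of banners (one banner per attacking host)."""
    return dict(Counter(classify_banner(b)[0] for b in banners))


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r:45} -> {classify_banner(b)}")
    print(infer_devices(SAMPLE_BANNERS))
```

A bare `login:` prompt stays "unknown": that is the honest result for a banner that identifies nothing, and in practice it is resolved by the web banner of the same host, which the slides mention as the second signal.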

With default/weak id and password

[shogo@www9058up ~]$ telnet x.x.243.13
Trying x.x.243.13...
Connected to x.x.243.13.
Escape character is '^]'.
openpli.3.0.dm800s
dm800se.login: root
Password:12345
BusyBox v1.1.2 (2007.05.09-01:19+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

Search for "default" "password" "list"

Devices are inferred by the telnet and web banners of these devices

Those devices that attacked us also run telnet, and we believe that is how they got infected

Devices attacked our honeypot during Jan-June 2016

HOW WE MONITOR ATTACKS

Two approaches to monitor attacks

• Passive monitoring: prepare a network to monitor attacks and wait
– Darknet monitoring
– Honeypot

• Active monitoring: search for devices/vulnerabilities/backdoors
– Accessing Web, Telnet, FTP, etc. to decide what devices they are
– Checking for backdoor ports
– Measuring clock skew for tracing individual devices

Darknet monitoring

Darknet: unused but routable IP address(es) or net blocks

Many researchers/organizations utilize darknets to monitor malicious activities like scanning, remote exploits, backscatter, etc.

Scanning observation by nicter-Atlas

[Visualization: Atlas "All" view and Atlas "only port 23" view]

Recently, "scanning to Port 23 (telnet)" is getting larger!!

• Capturing packets through the darknet on a real-time basis.
• Color indicates the protocol type: ■ UDP ■ TCP SYN ■ TCP SYN/ACK ■ TCP Other ■ ICMP

Increases of telnet attacks

[Chart: # packets to 23/tcp per year over 10 years of observation of the NICTER darknet (23/tcp only); y-axis 0 to 70,000,000]

Big jump at 2014; 90%+ of OS fingerprints = Linux

To monitor in depth

Darknet monitoring is simple and great for monitoring wider networks, but limited, as it only gets the first packet of each attack.

Our system: IoTPOT = IoT Honeypot

We use a decoy system (honeypot) to emulate vulnerable IoT devices to monitor the attacks in depth

[Diagram] Infected devices / attacker's C2 → IoTPOT (capture malware) → Sandbox (analyze in depth)

Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow, "IoTPOT: Analysing the Rise of IoT Compromises," USENIX WOOT 2015

Observation result (last year). Period: 2015/4/1 ~ 2015/7/31 (122 days)

[Chart: IPs per stage, y-axis 0 to 250,000: Access → Login attempt → Malware download]

150,000 IPs attempted to login, 100,000 actually did send us malware binaries

Binaries with 11 different CPU architectures; 93% of the binaries were new in VT (as of 2015/9/24)

# of Honeypot IP: 148

Increase of attacks

Num. of IP addresses attacking the honeypot per month (IPs/month), 2016:

Jan   35,508
Feb   55,592
Mar   78,726
Apr  121,632
May  242,835
Jun  407,357
Jul  380,957

Source countries

Period: 2015/05/01 – 2016/02/21

China 21%, Turkey 12%, Russia 9%, Brazil 5%, India 5%, South Korea 5%, US 4%, Costa Rica 4%, Vietnam 2%, Argentina 2%, Taiwan 2%, Hong Kong 2%, Mexico 2%, Thailand 1%, Malaysia 1%, Israel 1%, Philippines 1%, Ukraine 1%, Colombia 1%, Spain 1%, France 1%, Italy 1%, Guernsey 1%, Poland 1%, Other 15%

[Scatter plot: # users of ISP (x-axis, log scale) vs. # infected devices (y-axis, log scale), with a linear fit labelled "Linear (Log-Compromise Devices)"; points labelled by country: China, Turkey, Russia, Brazil, India, South Korea, US, France; ISPs called out: Turk Telekom, Hong Kong Broadband Network Ltd, Rostelecom]

Thanks to Prof. Michel van Eeten of TU Delft for providing ISP data
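The scatter plot above relates the number of infected devices to ISP size on log-log axes with a linear fit. As an added example (not the presenters' analysis; the ISP names and counts below are constructed), the following fits that line with plain least squares and reports each ISP's residual, so that ISPs with more infections than their subscriber base predicts stand out as candidates for notification.

```python
import math

# Constructed ISP records: (name, subscribers, infected devices seen by the honeypot).
# Sample values only; the per-ISP counts on the slide are not reproduced here.
SAMPLE_ISPS = [
    ("ISP-A", 10_000_000, 9_000),
    ("ISP-B", 2_000_000, 2_500),
    ("ISP-C", 500_000, 120),
    ("ISP-D", 100_000, 40),
    ("ISP-E", 20_000, 5),
]


def loglog_fit(points):
    """Least-squares line y = a + b*x through (log10 users, log10 infected).

    Returns (a, b). A slope b near 1 means infections scale with ISP size."""
    xs = [math.log10(users) for _, users, _ in points]
    ys = [math.log10(infected) for _, _, infected in points]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    b = sxy / sxx
    return mean_y - b * mean_x, b


def excess_infection(points):
    """Residual per ISP in log10 units: positive means more infections than size predicts."""
    a, b = loglog_fit(points)
    return {
        name: round(math.log10(infected) - (a + b * math.log10(users)), 3)
        for name, users, infected in points
    }


if __name__ == "__main__":
    a, b = loglog_fit(SAMPLE_ISPS)
    print(f"log10(infected) = {a:.3f} + {b:.3f} * log10(users)")
    for name, resid in sorted(excess_infection(SAMPLE_ISPS).items(), key=lambda kv: -kv[1]):
        print(f"{name}: {resid:+.3f}")
```

Ranking by residual rather than by raw count is what makes the comparison fair between a national incumbent and a small regional provider; the raw count alone would always put the largest ISP at the top.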

Telnet-based malware infection

Actors: attackers/infected devices, targets, malware download server, C2

1. Dictionary attacks on telnet (attackers/infected devices → targets)
2. Check and customize environment
3. Malware download (binaries from the malware download server)
4. C2 commands
5. Various attacks

Dictionary used in 2015

root/root, root/admin, root/1234, root/12345, root/123456, root/1111, root/password, root/dreambox, root/root, root/admin, root/12345, root/123456, admin/root, admin/admin, admin/362729, admin/m4f6h3, admin/n3wporra, admin/263297, admin/fdpm0r, admin/1234, root/1234, root/xc3511, root/123456, root/12345, root/root, guest/guest, guest/12345, admin/, root/root, root/admin, root/, root/1234, root/123456, root/1111, root/password, root/dreambox, root/vizxv, root/root, root/toor, root/admin, root/user, ….

Increase of id/password pairs

[Chart: total # of pairs and # of new pairs at 2015/6, 2015/11 and 2016/3; y-axis 0 to 8000]

Increase of id/password pairs → Increase of targeted devices
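The three honeypot metrics on the preceding slides (the access → login attempt → malware download funnel, the number of attacking IPs per month, and the number of new id/password pairs per observation period) all come from one event stream. The following is an added example, not IoTPOT's own code: it parses a constructed `timestamp src_ip event [detail]` log format (the format itself is an assumption) and computes those metrics.

```python
from collections import defaultdict
from datetime import datetime

# Constructed honeypot event lines, "timestamp src_ip event [detail]".
# The format is an assumption for this example; IoTPOT's real logs are not shown in the slides.
SAMPLE_EVENTS = """\
2016-01-03T10:02:11Z 198.51.100.7 access
2016-01-03T10:02:12Z 198.51.100.7 login root/xc3511
2016-01-03T10:02:19Z 198.51.100.7 download http://203.0.113.9/mips
2016-01-14T22:41:05Z 198.51.100.23 access
2016-01-14T22:41:06Z 198.51.100.23 login admin/admin
2016-02-02T01:13:40Z 198.51.100.7 access
2016-02-02T01:13:41Z 198.51.100.7 login root/xc3511
2016-02-02T01:13:50Z 198.51.100.7 download http://203.0.113.9/arm
2016-02-09T07:55:00Z 203.0.113.77 access
2016-02-09T07:55:01Z 203.0.113.77 login root/vizxv
2016-02-09T07:55:09Z 203.0.113.77 download http://203.0.113.9/mipsel
2016-02-20T15:30:12Z 198.51.100.51 access
this line is malformed and is skipped
"""

STAGES = ("access", "login", "download")


def parse_events(text):
    """Yield (month, ip, stage, detail); lines that do not fit the format are skipped."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3 or parts[2] not in STAGES:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        detail = parts[3] if len(parts) == 4 else ""
        yield ts.strftime("%Y-%m"), parts[1], parts[2], detail


def monthly_unique_ips(text):
    """Distinct attacking IPs per month (the 'IPs/month' series on the slide)."""
    seen = defaultdict(set)
    for month, ip, _, _ in parse_events(text):
        seen[month].add(ip)
    return {m: len(ips) for m, ips in sorted(seen.items())}


def funnel(text):
    """Distinct IPs reaching each stage: access -> login attempt -> malware download."""
    by_stage = {s: set() for s in STAGES}
    for _, ip, stage, _ in parse_events(text):
        by_stage[stage].add(ip)
    return {s: len(ips) for s, ips in by_stage.items()}


def new_credential_pairs(text, known=()):
    """id/password pairs tried in this period that were not in `known`.

    Accumulating `known` across periods yields the total-pairs and new-pairs curves."""
    tried = {d for _, _, stage, d in parse_events(text) if stage == "login" and d}
    return sorted(tried - set(known))


if __name__ == "__main__":
    print(monthly_unique_ips(SAMPLE_EVENTS))
    print(funnel(SAMPLE_EVENTS))
    print(new_credential_pairs(SAMPLE_EVENTS, known=["root/xc3511"]))
```

Counting distinct IPs per stage rather than events is what makes the funnel meaningful: a single infected host retries the dictionary many times, and only the unique-host view tells how many devices got as far as fetching a binary.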


Eg. Malware binary downloads

Binaries for MIPS, MIPSEL, ARM, PPC, SUPERH, MIPS16 are all downloaded and executed

Latest IoT malware

<Mirai (未来 = Future)>

• More than 500,000 IoT devices were infected by Mirai through the telnet service.

– Characteristics:
• SCAN to 23/TCP, 2323/TCP
• Dictionary attack
• Destination IP address = TCP sequence number
• Destination IP, window size, source port may be random

– Source code of Mirai was uploaded to Hackforums and GitHub in September 2016 by Anna-senpai
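The "destination IP address = TCP sequence number" property is what lets a darknet sensor separate Mirai's scanner from other telnet scanning, and it is the filter behind the "Mirai observed by Darknet" chart later in the deck. As an added example (not NICT's sensor code; the packets are constructed inside the block with the `make_syn` helper), the following parses minimal IPv4/TCP headers and applies that check on ports 23 and 2323.

```python
import ipaddress
import struct


def ip_to_int(ip):
    """IPv4 dotted-quad -> 32-bit integer, the value the scanner puts in the TCP seq field."""
    return int(ipaddress.IPv4Address(ip))


def make_syn(src, dst, dport, seq):
    """Constructed raw IPv4+TCP SYN with no options (checksums left at zero, which is
    fine for parsing; this builds test input, it is not captured traffic)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, dport, seq, 0,
                          (5 << 12) | 0x002, 5840, 0, 0)  # data offset 5, SYN only
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src, dst, dport, seq, syn_only) from a raw IPv4 packet, or None if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    _, dport, seq, _, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    syn_only = (off_flags & 0x1FF) == 0x002
    return src, dst, dport, seq, syn_only


def looks_like_mirai(dst, dport, seq, ports=(23, 2323)):
    """The slide's fingerprint: telnet port and TCP sequence number == destination address."""
    return dport in ports and seq == ip_to_int(dst)


def mirai_sources(packets):
    """Count matching SYNs per source address across raw packets (a darknet sees only SYNs)."""
    counts = {}
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            continue
        src, dst, dport, seq, syn_only = parsed
        if syn_only and looks_like_mirai(dst, dport, seq):
            counts[src] = counts.get(src, 0) + 1
    return dict(sorted(counts.items()))


# Constructed sample: three Mirai-style probes, one random-seq probe, one wrong port.
SAMPLE_PACKETS = [
    make_syn("198.51.100.10", "203.0.113.5", 23, ip_to_int("203.0.113.5")),
    make_syn("198.51.100.10", "203.0.113.6", 2323, ip_to_int("203.0.113.6")),
    make_syn("198.51.100.44", "203.0.113.9", 23, ip_to_int("203.0.113.9")),
    make_syn("198.51.100.77", "203.0.113.5", 23, 0x1A2B3C4D),
    make_syn("198.51.100.77", "203.0.113.5", 80, ip_to_int("203.0.113.5")),
]

if __name__ == "__main__":
    print(mirai_sources(SAMPLE_PACKETS))  # {'198.51.100.10': 2, '198.51.100.44': 1}
```

Because the check needs only the IP header and the first 14 bytes of the TCP header, it works on the single packet a darknet receives per probe, which is exactly the limitation of darknet monitoring noted earlier in the talk.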

【Digression】 Anna-senpai?

• Anna-senpai was a Japanese animation
• Broadcast from July to September in 2015.

The attacker may be very OTAKU (comic fanatic).

Further information on "Mirai"

・Types of infected devices: printer, camera, router, DVR, etc.
・Architectures used: ARM, ARM7, MIPS, PowerPC, SH4, SPARC, X86
・DDoS attacks:
  - Krebs on Security (16/9/20) - Akamai service
  - DNS of Dyn (16/10/21) - Netflix, Twitter, Amazon

"Mirai" observed by Darknet (by Destination IP address = TCP sequence number)

[Chart: # of packets (unit: million, 0 to 45) and # of unique hosts (unit: 10 thousand, 0 to 200) per day, 8/1/16 – 9/30/16]

40 million packets, 1,400,000 unique hosts

Starting from 1st of August. After the source code was uploaded, the scan jumped up

Countries infected by Mirai from Source IPs

[Pie chart] Countries infected by IoT malware before August 2016: VN, TR, BR, TW, IN and Other, with shares of 15%, 15%, 8%, 8%, 5% and 49% (the legend order differs between the two renderings of the chart, so the assignment of the two 15% and two 8% shares among TR, BR and TW is not recoverable)

[Pie chart] Countries infected by Mirai after August 2016: CN 14%, BR 10%, IN 9%, VN 7%, TW 5%, Other 55%


Denial of Service (DoS)

[Diagram] Infected devices send a flood of queries for random subdomains (9a3jk.cc.zmr666.com? elirjk.cc.zmr666.com? pujare.cc.zmr666.com? oiu4an.cc.zmr666.com? ...) to the cache DNS at ISPs; the cache DNS forwards them to the authoritative DNS for "zmr666.com", which runs out of resources ("No resource") and responds slowly ("Slow response").

Propagation

[Diagram] Infected devices

Size of attacks Arbor Networks observed: 100 Gbps+

Infected device IPs observed by IoTPOT, 2016/8/1 – 8/22

The matching result is provided by Arbor Networks ASERT Japan
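The DoS pattern on the preceding slide (random labels under one zone, forwarded by ISP resolvers until the authoritative server runs out of resources) is visible in a resolver's query log well before the authoritative side fails. As an added example (not code from the presentation; the query lines are constructed and the thresholds are assumptions), the following flags zones that receive many queries for mostly unique, high-entropy names from several clients.

```python
import math
from collections import defaultdict

# Constructed resolver query log lines, "timestamp client qname". The random labels
# under cc.zmr666.com follow the pattern shown on the slide; sample data, not real logs.
SAMPLE_QUERIES = """\
2016-08-10T12:00:00Z 198.51.100.7 9a3jk.cc.zmr666.com
2016-08-10T12:00:00Z 198.51.100.7 elirjk.cc.zmr666.com
2016-08-10T12:00:01Z 198.51.100.23 pujare.cc.zmr666.com
2016-08-10T12:00:01Z 198.51.100.23 oiu4an.cc.zmr666.com
2016-08-10T12:00:01Z 198.51.100.51 k2m9qz.cc.zmr666.com
2016-08-10T12:00:02Z 198.51.100.51 b7xl0p.cc.zmr666.com
2016-08-10T12:00:02Z 203.0.113.77 www.example.com
2016-08-10T12:00:03Z 203.0.113.77 www.example.com
2016-08-10T12:00:03Z 203.0.113.78 mail.example.com
"""


def zone_of(qname, depth=2):
    """Zone approximation: the last `depth` labels (a production tool would use the public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])


def label_entropy(labels):
    """Shannon entropy in bits per character over the concatenated leftmost labels."""
    text = "".join(labels)
    if not text:
        return 0.0
    freq = defaultdict(int)
    for ch in text:
        freq[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def analyze(text):
    """Per zone: query count, distinct names, distinct clients, entropy of leftmost labels."""
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(), "labels": []})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, qname = parts
        z = per_zone[zone_of(qname)]
        z["queries"] += 1
        z["names"].add(qname.lower())
        z["clients"].add(client)
        z["labels"].append(qname.split(".")[0].lower())
    return {
        zone: {"queries": d["queries"], "unique_names": len(d["names"]),
               "clients": len(d["clients"]), "entropy": label_entropy(d["labels"])}
        for zone, d in per_zone.items()
    }


def suspicious_zones(text, min_queries=5, min_unique_ratio=0.9, min_entropy=3.0):
    """Zones where nearly every query asks for a new, random-looking name (assumed thresholds)."""
    stats = analyze(text)
    return sorted(
        zone for zone, s in stats.items()
        if s["queries"] >= min_queries
        and s["unique_names"] / s["queries"] >= min_unique_ratio
        and s["entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for zone, s in analyze(SAMPLE_QUERIES).items():
        print(zone, s)
    print("suspicious:", suspicious_zones(SAMPLE_QUERIES))
```

On the resolver side the practical response is a per-zone rate limit or a temporary negative cache for the flooded zone; the same per-client view also gives the ISP the list of subscriber addresses to notify, which is the clean-up step the talk's summary asks for.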


Inferring infected devices

[Diagram] Darknet / Honeypot: We check telnet/web banners and more to find out which devices are attacking us

Examples of web interfaces of infected devices

[Screenshots omitted]

Device categories

60+ categories are observed (top 20 listed below)

[Bar chart: # IPs per device category, 2015/5/01 – 9/30; y-axis 0 to 12000; top-20 counts: 10734, 4856, 1391, 787, 430, 411, 337, 206, 206, 174, 60, 20, 19, 15, 11, 10, 10, 9, 6, 6]


Infected devices in Japan (daily count)

[Chart: IPs/day, 2015.10.02 – 2016.08.15; y-axis 0 to 120]

Increase since May 2016

Potential victims?

Other vulnerabilities?

• IoTPOT implements the following vulnerabilities exploited in the wild
– DVR configuration leak: config files of several DVR manufacturers can be accessed from the WAN [7]
– Backdoors on routers [8]: arbitrary code can be executed through backdoors of Chinese routers (53413/udp)
– IP cameras accessible: shodan, insecam [9]

Other vulnerabilities

[7] Rapid7, Multiple DVR Manufacturers Configuration Disclosure. [Last visited: 2016/01/28] https://www.rapid7.com/db/modules/auxiliary/scanner/misc/dvr_config_disclosure
[8] Trend Micro Security Blog, Flaw confirmed in Netis routers that leaves a UDP port open. [Last visited: 2016/01/28] http://blog.trendmicro.co.jp/archives/9725
[9] Insecam.com, Network live IP video cameras directory. [Last visited: 2016/01/28] http://www.insecam.org/

Insecam

Japan was No 3 (2016/9/15)

Honey IP cam at YNU

[Chart: watching duration per access (y-axis 0:00:00 to 0:05:00) vs. date/time, 1/24 – 1/29; accessing countries: Israel, Sweden, Palestine, Russia, USA, Réunion, Netherlands, France, Japan, Germany]

Access to honey cam:
1) First access after 5 days, from Germany
2) Confirmed the exposed ID/pass in the camera image is used for accessing other services of the honey cam

→ Not only machines but humans are watching

Honey cam was on Insecam!

Honey cam in YNU

[Bar chart: number of hosts per day (y-axis 0 to 10000): hosts that accessed the unauthenticated IP camera, hosts with insecam in the Referer, hosts that fetched images. Before the listing, 0 to 2 hosts per day; after the listing, thousands of hosts per day (4862 and above)]

• After our honey cam was listed on Insecam, accessing hosts are 1000+ times more!

• 80% from Japan

[Pie chart: source countries of access to the unauthenticated IP camera] Japan 85%, United States 3%, Germany 2%, France 1%, Netherlands 1%, Other 8%

People do not scan for cameras but simply look at those sites (insecam, shodan, etc)

Insecam attracts 1000+ times accesses
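The chart above counts three things per day: hosts reaching the camera, hosts whose Referer names insecam, and hosts that actually fetched an image. As an added example (not the YNU honey cam's code; the access-log lines, paths and the referer marker are constructed), the following derives those counts from combined-format web server logs and adds a per-host watching duration like the one on the earlier duration chart.

```python
import re
from datetime import datetime

# Constructed combined-format access log lines for an unauthenticated camera's web UI.
# Hosts, paths and referers are sample values, not the YNU honey cam's real logs.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jan/2016:10:00:01 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Jan/2016:10:00:02 +0900] "GET /snapshot.jpg HTTP/1.1" 200 48211 "http://camera.example/" "Mozilla/5.0"
198.51.100.5 - - [26/Jan/2016:11:30:44 +0900] "GET /view/index.shtml HTTP/1.1" 200 1024 "http://www.insecam.org/en/view/12345/" "Mozilla/5.0"
198.51.100.5 - - [26/Jan/2016:11:31:44 +0900] "GET /cgi-bin/image.cgi HTTP/1.1" 200 51200 "http://camera.example/view/index.shtml" "Mozilla/5.0"
198.51.100.6 - - [26/Jan/2016:11:31:02 +0900] "GET /view/index.shtml HTTP/1.1" 200 1024 "http://www.insecam.org/en/view/12345/" "Mozilla/5.0"
192.0.2.200 - - [27/Jan/2016:03:12:09 +0900] "GET /video.mjpg HTTP/1.1" 200 0 "-" "curl/7.47.0"
not a log line
"""

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Paths that deliver camera pictures on this (assumed) camera firmware.
IMAGE_RE = re.compile(r"\.(jpe?g|png|mjpe?g)$|/image\.cgi$|/snapshot", re.I)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def host_summary(text, referer_marker="insecam"):
    """The three per-host counts from the slide's chart."""
    all_hosts, via_marker, fetched = set(), set(), set()
    for rec in parse_log(text):
        all_hosts.add(rec["host"])
        if referer_marker in rec["referer"].lower():
            via_marker.add(rec["host"])
        if rec["status"] == "200" and IMAGE_RE.search(rec["path"]):
            fetched.add(rec["host"])
    return {"hosts": len(all_hosts), "via_referer": len(via_marker), "fetched_image": len(fetched)}


def watch_durations(text):
    """Seconds between a host's first and last request: a proxy for how long it watched."""
    first, last = {}, {}
    for rec in parse_log(text):
        t = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        h = rec["host"]
        first[h] = min(first.get(h, t), t)
        last[h] = max(last.get(h, t), t)
    return {h: int((last[h] - first[h]).total_seconds()) for h in first}


if __name__ == "__main__":
    print(host_summary(SAMPLE_LOG))
    print(watch_durations(SAMPLE_LOG))
```

Separating "reached the camera" from "fetched an image" matters for the talk's conclusion: a crawler or a directory listing touches the index page, while a human viewer pulls pictures repeatedly, and the duration distribution is what distinguished the two on the YNU camera.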

Monitoring, analysis, alert system at YNU

[Diagram] Internet → Passive monitors / Active monitors → Analysis/Alert/Data sharing → Alerts and feedback to partner countries, companies, universities, etc., and to other organizations (CERTs, ISPs, universities, security vendors)


More sensors!

Japan: done; Netherlands: done; Taiwan: done; China: done

Australia, USA, UK, Singapore, Hong Kong, Thailand, Germany, Spain, France, India


Enhancement of active monitors

• With TU Delft team

– Enriching device signatures to infer device manufacturers and models

– Fingerprinting individual devices

• Usage of Censys, shodan data


Analysis/Alert/Data sharing

• Infra
– Big data handling infra, use of cloud

• Analysis capabilities
– Sandbox/static analysis
– Vulnerability analysis

• Alerting
– NISC, JPCERT/CC, KRCERT/CC, TWCERT/CC

• Countermeasures
– Cleaning up of infected devices, patching, penetration tools for IoT devices


We share samples, observations, insights, proxy sensors with more than 30 research institutes/organizations

Japan: more than 10 institutes
US: UCSB, NEU, Brigham Young U, Arizona State U, Arbor Networks, Fortinet, Secure Octane, Blue Coat Systems, The Honeynet Project
Germany: Saarland U, MPI
France: EURECOM
Netherlands: TU Delft
Norway
Taiwan: Institute for Information Industry (III), National Chengchi University (NCCU)
Singapore: Defense Science and Technology Agency
Czech: Avast
Slovakia: ESET
India: PEC University of Technology
Kenya: JKUAT
Iran: Tehran Polytechnic University

What can we learn from telnet-based infection?

It is technically easy to solve the problem for individual devices:
– Stop Telnet at any time before use
– If telnet is necessary, use a better password

It is difficult to solve at mass scale:
– Various manufacturers, installers, users in different locations
– No traces of devices after sales
– Too many of them
– Firmware updates never really done
– Aggressive info sharing with systems like Censys and Shodan

Summary

• Various IoT devices are infected and joining botnets, causing real-world problems like DoS.

• It is too optimistic to expect the problem will be solved by solo efforts of manufacturers, as the problem is already too big.

• Need a mechanism to find, trace, notify, clean up, and keep patching these devices.

[Closing slide: security life cycle] Design Security* → Implement & use Security* → Monitor & review Security* → Maintain & improve Security*