Analysing the IoT threat landscape using consumer firmware-based, high fidelity honeypots

Mihály Csonka
Press release

Are your smart devices also part of an illegal cyber network?

Chances are high! More and more smart devices are being connected to the internet to improve our quality of life. This, however, exposes them to hackers. But how do these hackers actually operate, and what are our devices misused for?

Internet of Things

The Internet of Things consists of devices that are connected to the internet so that information can be shared. Think of, among other things, a digital thermostat or a camera. Connecting them to the internet lets them be controlled remotely. From your sunny holiday resort, for example, you can check that no one is breaking into your home. But this can also be used against you! Someone with bad intentions can find out when you leave the house and where the cameras have no view. The proliferation of the Internet of Things therefore means that the impact on privacy and safety in case of abuse can be very high.

Unfortunately, digital security is not among the strong points of the Internet of Things. When we buy devices, we usually look at the available features and the price. Can this smart lock integrate with Google Calendar? How fast is the internet with this router? Manufacturers know this. They therefore spend less time and money on testing their products than on developing functionality. Furthermore, the computer inside a smart device is weaker than your laptop or mobile phone. This hampers securing important information, such as your password. There are also differences in how devices work. Driving the grinder in a coffee machine, for instance, differs drastically from recording camera footage. Designing and developing such unique devices requires a lot of knowledge. Although bright minds are behind this, to err is human. All of this leads to mistakes that hackers exploit. It is not only the devices that contain such mistakes, however. The network protocols, that is, the ways in which devices communicate, also turn out to be structurally insecure.

Honey does not only attract bears

The saying "know your enemy" also applies to the fight against hackers. Only by knowing how they operate can we fight them. Like legitimate craftsmen, however, hackers do not readily give away their techniques and knowledge. To extract this information from them anyway, researchers use so-called honeypots. Much like luring Winnie the Pooh with a pot of honey, a honeypot system is used to lure hackers. When the system is subsequently attacked, it records all of the hacker's actions so that they can be studied afterwards.

It goes without saying that a honeypot must appear credible to fool anyone. Perfectly imitating an existing device down to the smallest detail nevertheless proves difficult in practice. Adding detail drastically increases the man-hours and cost needed to build the system. Possibly more important than the credibility of the system, however, is that it poses no danger to others. Naturally, researchers want to fight hackers, not facilitate abuse. It is therefore of the utmost importance to design the honeypot system like an insect trap. The trap may be easy to enter. Leaving it, for anything unwanted, must however be made as difficult as possible.

Spreading virtual lies

To avoid the complexity of imitation, this research chose to adapt existing devices. The cost of physical devices can, however, quickly add up. As a solution, a relatively new technique was chosen. This technique, called firmware re-hosting, virtualises a device entirely. The physical and virtual versions of a device can be compared to a pocket calculator and the calculator app on your smartphone, respectively. Although the app may have more features, the basic operation is the same. Unfortunately, despite its many advantages, this technique is not perfect. The virtual devices require various adjustments to appear credible.

Today, billions of devices are connected to the internet. Being found is nevertheless surprisingly simple. Hackers actively scour the internet for victims themselves. To increase the chance that the honeypot is looked at, however, it can also be advertised. Although it serves the same purpose, this is of course not an advertisement like the ones on television. Using a honeypot system is actually similar to telling a big white lie to mislead hackers. To avoid being caught out, the story must be watertight. In this research, two stories were told. First, information about the device was spread on public forums. A hacker with the appropriate knowledge and interest could make use of this. The second story was more personal. People often use post-its and computer documents to note down passwords. Perhaps a colleague, or you yourself, does this. With the rise of online document editors, however, this has become a risky habit. Misconfiguring permissions can quickly lead to a document being shared with unauthorised people. Such a fake document with information about the honeypot was also spread publicly.
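The two "stories" only pay off if the honeypot can later tell which one an attacker actually read. As an added example that is not part of the thesis or this press release, the script below gives each bait channel its own constructed credential and attributes constructed honeypot login records to the channel they came from, separating them from generic default-password attempts; the log format, credentials and IP addresses are all assumptions made up for the example.

```python
"""Attribute honeypot login attempts to the bait channel that leaked them.

Added example (not from the thesis or press release). It assumes a honeypot
login service that writes one line per attempt in a constructed key=value
format; the bait credentials, log lines and IP addresses are all constructed.
"""
import re
from collections import Counter, defaultdict

# Each bait "story" gets its own credential, so a later login attempt with that
# credential reveals which channel the attacker read (constructed values).
BAITS = {
    "forum_post": ("svc_admin", "Frigo-2021!"),
    "leaked_document": ("cam-backup", "W1nterCam#9"),
}

# Factory-default pairs that generic IoT brute-forcers try (constructed list).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Return a dict for one honeypot login line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(user, pw):
    """Map a credential pair to a bait channel, 'default_creds' or 'other'."""
    for channel, cred in BAITS.items():
        if (user, pw) == cred:
            return channel
    if (user, pw) in DEFAULT_CREDS:
        return "default_creds"
    return "other"


def attribute(lines):
    """Count attempts and distinct source IPs per channel; skip malformed lines."""
    attempts = Counter()
    sources = defaultdict(set)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        channel = classify(rec["user"], rec["pw"])
        attempts[channel] += 1
        sources[channel].add(rec["src"])
    return {
        "attempts": dict(attempts),
        "sources": {k: sorted(v) for k, v in sources.items()},
        "skipped": skipped,
    }


# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-03-27T10:15:02Z src=203.0.113.7 user=admin pass=admin result=fail
2022-03-27T10:15:03Z src=203.0.113.7 user=root pass=root result=fail
2022-03-27T11:02:41Z src=198.51.100.23 user=cam-backup pass=W1nterCam#9 result=ok
2022-03-27T11:40:10Z src=198.51.100.23 user=cam-backup pass=W1nterCam#9 result=ok
2022-03-28T02:11:55Z src=192.0.2.200 user=svc_admin pass=Frigo-2021! result=ok
2022-03-28T02:12:30Z src=192.0.2.201 user=pi pass=raspberry result=fail
this line is garbage and must be skipped
""".splitlines()

if __name__ == "__main__":
    report = attribute(SAMPLE_LOG)
    for channel, n in sorted(report["attempts"].items()):
        srcs = ", ".join(report["sources"][channel])
        print(f"{channel:16} attempts={n:<3} sources={srcs}")
    print(f"skipped malformed lines: {report['skipped']}")
```

A bait credential that is used from many unrelated addresses suggests the leaked document itself is circulating, not just the honeypot's address.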

Robot dominance

The billions of unique, insecure devices turn out to be both a curse and a blessing for hackers. Manually studying each device and then trying to exploit it is an impossible task. By focusing on the similarities between devices, however, they have managed to automate this process. This enables hackers to control a large number of devices like robots from a central location. Although each device on its own is relatively weak, the collective network, also called a botnet, holds a lot of power.

Such botnets are mainly used to flood the infrastructure of large companies with work, rendering it unusable. But you too can experience the consequences: compromised devices will run slower. There is good news, however! Hackers gain all this access by exploiting flaws in old devices and default passwords. So update your smart devices regularly and set unique passwords. That way you ensure that they do not become part of an illegal cyber network.


- Asher Davila. Home & Small Office Wireless Routers Exploited to Attack Gaming Servers. Accessed on: 2022-05-03. Oct. 2019. url: https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-….

- Tara Seals. Gafgyt Botnet Lifts DDoS Tricks from Mirai — Threatpost. Accessed on: 2022-05-03. Apr. 2021. url: https://threatpost.com/gafgyt-botnet-ddos-mirai/165424/.

- Johannes Ullrich. InfoSec Handlers Diary Blog - SANS Internet Storm Center. Accessed on: 2022-05-03. Feb. 2014. url: https://isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+w….

- Paul Kimayong. IoT botnet exploiting TVT Shenzhen DVRs still lingers — Official Juniper Networks Blogs. Accessed on: 2022-05-03. Mar. 2020. url: https://blogs.juniper.net/en-us/threat-research/iot-botnet-exploiting-t….

- Christer Weingel and Jakob Oestergaard. The Linux Watchdog driver API. Accessed on: 2022-05-05. May 2007. url: https://www.kernel.org/doc/Documentation/watchdog/watchdog-api.txt.

- Doron Voolf et al. Gafgyt Targeting Huawei and Asus Routers and Killing Off Rival IoT

Botnets. Accessed on: 2022-05-03. Dec. 2019. url: https://www.f5.com/labs/articles/threat-intelligence/gafgyt-targeting-h….

- Barbara Stark et al. WANIPConnection:2 Service - For UPnP Version 1.0. Accessed on: 2022-05-09. 2010. url: http://upnp.org/specs/gw/UPnP-gw-WANIPConnection-v2-Service.pdf.

- Richard Sharpe, Ed Warnicke and Ulf Lamping. 8.5. Conversations. Accessed on: 2022-05-10. url: https://www.wireshark.org/docs/wsug_html_chunked/ChStatConversations.ht….

University or college
Master in Computer Science - Networking and Security
Publication year
2022
Promotor(s)
Prof. Peter Quax