IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies

Presented at Black Hat USA 2018, Aug. 9, 2018, 3:50 p.m. (50 minutes)

Computer malware in all its forms is nearly as old as the first PCs running commodity OSes, dating back at least 30 years. However, the number and the variety of "computing devices" dramatically increased during the last several years. Therefore, the focus of malware authors and operators slowly but steadily started shifting or expanding towards Internet of Things (IoT) malware.

Unfortunately, at present there is no publicly available comprehensive study and methodology that collects, analyses, measures, and presents the (meta-)data related to IoT malware in a systematic and a holistic manner. In most cases, if not all, the resources on the topic are available as blog posts, sparse technical reports, or Systematization of Knowledge (SoK) papers deeply focused on a particular IoT malware strain (e.g., Mirai). Some other times those resources are already unavailable, or can become unavailable or restricted at any time. Moreover, many of such resources contain errors (e.g., wrong CVEs), omissions (e.g., hashes), limited perspectives (e.g., network behaviour only), or otherwise present incomplete or inaccurate analysis. Hence, all these factors leave unattended the main challenges of analysing, tracking, detecting, and defending against IoT malware in a systematic, effective and efficient way.

This work attempts to bridge this gap. We start with mostly manual collection, archival, meta-information extraction and cross-validation of more than 637 unique resources related to IoT malware families. These resources relate to 60 1 IoT malware families, and include 260 resources related to 48 unique vulnerabilities used in the disclosed or detected IoT malware attacks. We then use the extracted information to establish as accurately as possible the timeline of events related to each IoT malware family and relevant vulnerabilities, and to outline important insights and statistics. For example, our analysis shows that the mean and median CVSS scores of all analyzed vulnerabilities employed by the IoT malware families are quite modest yet: 6.9 and 7.1 for CVSSv2, and 7.5 and 7.5 for CVSSv3 respectively. Moreover, the public knowledge to defend against or prevent those vulnerabilities could have been used, on average, at least 90 days before the first malware samples were submitted for analysis. Finally, to help validate our work as well as to motivate its continuous growth and improvement by the research community, we open-source our datasets and release our IoT malware analysis framework and our IoT malware analysis framework.


Presenters:

  • Jonas Zaddach - Malware Research Engineer, Talos Security Intelligence and Research Group at Cisco Systems
    Jonas Zaddach is a Computer Science graduate of the Technische Universitaet Muenchen and Telecom ParisTech, where he wrote his thesis on securing infrastructure-as-a-service clouds in a double-degree program. Results from this research is at basis of the well-received presentation "SatanCloud:A Journey Into the Privacy and Security Risks of Cloud Computing". In his youth he spent his time making his Lego Mindstorms robot do things it was not supposed to do by hacking its firmware. Since then he has shifted his attention to harddrives and many other embedded devices. Currently Jonas holds his PhD from EURECOM in the field of "Development of novel binary analysis techniques for security applications", specializing in dynamic analysis of firmwares of embedded devices. At present he is a binary and security ninja at Talos Security Intelligence and Research Group at Cisco Systems where he works as a Malware Research Engineer.
  • Andrei Costin - Independent Security Researcher and University Assistant Professor, Firmware.RE and JYU.FI
    Andrei Costin is an Assistant Professor at University of Jyvaskyla in Finland (JYU.FI). He is a Computer Science graduate of the Politehnica University of Bucharest where he did his thesis work in Biometrics and Image Processing, and obtained his PhD in France at EURECOM Institute. While starting out his IT-career in the Computer Games industry, he has worked in the Telecom field and also was a senior developer at a specialized firm programming various GSM/UMTS/GPS sub-systems. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the MiFare Classic RFID card family and is known as the "printer guy" for his "Hacking MFPs" and "Hacking PostScript" series of hacks & talks. Andrei delivered more than 40 presentations at top international security conferences, three of which at BlackHat venues. He was spotted security-harassing airplanes with ADS-B hacks (though no planes were harmed during the experiments), remotely hacking fireworks/demolition/pyrotechnic systems (though no fireworks show were spoiled and no buildings were demolished), and otherwise finding and disclosing vulnerabilities and exploits in IoT/embedded devices. He is passionate about security in a holistic fashion. At present, Andrei is mostly busy developing cutting-edge security research for embedded systems both as part of his JYU.FI and Firmware.RE affiliations. He also trains new generations of cyber-security experts as part of his successful master program courses at University of Jyvaskyla.

Links:

Similar Presentations: