Thesis (PDF, 2Mb)
Total Page:16
File Type:pdf, Size:1020Kb
Honeypots in the age of universal attacks and the Internet of Things Alexander Michael Vetterl Churchill College November 2019 This dissertation is submitted for the degree of Doctor of Philosophy Declaration This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration except as declared in the preface and specified in the text. It is not substantially the same as any work that has already been submitted before for any degree or other qualification except as declared in the preface and specified in the text. This dissertation does not exceed the prescribed word limit of 60 000 words. Alexander Michael Vetterl November, 2019 Honeypots in the age of universal attacks and the Internet of Things Alexander Michael Vetterl Summary Today's Internet connects billions of physical devices. These devices are often immature and insecure, and share common vulnerabilities. The predominant form of attacks relies on recent advances in Internet-wide scanning and device discovery. The speed at which (vulnerable) devices can be discovered, and the device monoculture, mean that a single exploit, potentially trivial, can affect millions of devices across brands and continents. In an attempt to detect and profile the growing threat of autonomous and Internet-scale attacks against the Internet of Things, we revisit honeypots, resources that appear to be legitimate systems. We show that this endeavour was previously limited by a fundamentally flawed generation of honeypots and associated misconceptions. We show with two one-year-long studies that the display of warning messages has no deterrent effect in an attacked computer system. Previous research assumed that they would measure individual behaviour, but we find that the number of human attackers is orders of magnitude lower than previously assumed. Turning to the current generation of low- and medium-interaction honeypots, we demonstrate that their architecture is fatally flawed. The use of off-the-shelf libraries to provide the transport layer means that the protocols are implemented subtly differently from the systems being impersonated. We developed a generic technique which can find any such honeypot at Internet scale with just one packet for an established TCP connection. We then applied our technique and conducted several Internet-wide scans over a one- year period. By logging in to two SSH honeypots and sending specific commands, we not only revealed their configuration and patch status, but also found that many of them were not up to date. As we were the first to knowingly authenticate to honeypots, we provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe computer-misuse laws. Lastly, we present honware, a honeypot framework for rapid implementation and deployment of high-interaction honeypots. Honware automatically processes a standard firmware image and can emulate a wide range of devices without any access to the manu- facturers' hardware. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit vulnerabilities at Internet scale in a world of ubiquitous networked `things'. Acknowledgements First, and foremost, I am deeply grateful to Richard Clayton for his tireless enthusiasm and encouragement. No matter what else was happening, he always had time and provided me with ample support. Without his guidance and mentorship I would never have been able to complete this thesis. I am also immensely grateful to Ross Anderson for all the freedom he gave me in pursuing my research interests and for his continuous support. Under his supervision, I was able to grow as a researcher and person through discussions and conversations, which have also helped me to see the bigger picture. I am indebted to Alastair Beresford for his invaluable advice at crucial times and his sincere interest in my work. I thank Christian Rossow for generously agreeing to examine my dissertation and providing meticulous feedback. I would like to thank the members of the Cybercrime Centre, past and present, for their support including Alice Hutchings, Daniel Thomas, Sergio Pastrana, Ben Collier, Yi Ting Chua, Maria Bada and Ildik´oPete. I would like to express my gratitude to the German Academic Exchange Service (DAAD) and the Computer Laboratory for generously providing funding for my PhD. I would also like to thank my friends for making my time here in Cambridge enjoyable as well as intellectually stimulating, especially Kaspars Karlsons, Diana Popescu, Tiago Azevedo, Marco Caballero, Marija Pajevic, Khaled Baqer, Christian O'Connell, Florian Str¨ohl,Ilia Shumailov, Mansoor Ahmed-Rengers and Michael Dodson. Last but not least, I would like to thank my wife, Ann-Kathrin, for the joy she has brought into my life and for believing in me at every step of the way. This dissertation is dedicated to her. Contents 1 Introduction 13 1.1 Chapter outline . 15 1.2 Publications and contributions . 16 1.3 Statement on research ethics . 18 2 Background 19 2.1 CPE and IoT devices . 19 2.1.1 Common characteristics . 20 2.1.2 Protocols and services . 22 2.1.3 Common vulnerabilities . 23 2.2 Universal attacks . 25 2.2.1 Device discovery and Internet-wide scanning . 25 2.2.2 Denial of service attacks . 26 2.2.3 Proxying malicious traffic . 27 2.3 Honeypots . 28 2.3.1 Types of honeypots . 29 2.3.2 Evolution of honeypots . 30 2.3.3 Fingerprinting honeypots . 32 2.4 Summary . 34 3 Revisiting the effect of warning messages on attackers' behaviour 37 3.1 Introduction . 37 3.2 Maimon et al.'s original study . 40 3.3 Experiment 1: The deterrent effects of warning banners . 40 3.3.1 Design . 42 3.3.2 Procedures . 42 3.3.3 Outcome measures . 45 3.3.4 Results . 45 3.3.4.1 First trespassing incidents . 45 3.3.4.2 All trespassing incidents recorded . 47 3.3.4.3 Session types recorded and commands issued . 50 3.4 Experiment 2: Surveying system trespassers . 51 3.4.1 Recruitment . 52 3.4.2 Survey design . 53 3.4.3 Results . 53 3.5 Discussion . 54 3.6 Conclusion . 57 4 Fingerprinting honeypots at Internet scale 59 4.1 Introduction . 59 4.2 Background . 61 4.3 Systematically fingerprinting honeypots . 62 4.3.1 Efficient detection of deviations . 62 4.3.2 Protocol 1: SSH . 63 4.3.3 Protocol 2: Telnet . 65 4.3.4 Protocol 3: HTTP/Web . 66 4.4 Internet-wide scanning . 67 4.4.1 Results . 68 4.4.2 Validation . 69 4.4.3 Accuracy . 71 4.4.4 Honeypot deployment . 71 4.5 SSH: Implementation flaws . 72 4.5.1 SSH Binary Packet Protocol . 72 4.5.2 Disconnection messages . 73 4.6 Discussion . 74 4.6.1 Practical impact . 75 4.6.2 Countermeasures . 76 4.7 Ethical considerations . 76 4.8 Related work . 77 4.9 Conclusion . 78 5 Counting outdated honeypots: legal and useful 81 5.1 Introduction . 81 5.2 Unauthorised access to computers . 82 5.2.1 Statutory text . 82 5.2.2 Implicit authorisation . 84 5.3 Ethical analysis . 85 5.4 Fingerprinting SSH honeypots . 87 5.4.1 Identifying SSH honeypot patch levels . 87 5.4.2 Measurement setup . 88 5.5 Results . 88 5.5.1 Authentication configuration . 88 5.5.2 Set-up options of SSH honeypots . 90 5.6 Discussion . 91 5.7 Conclusion . 91 6 Honware: A virtual honeypot framework for capturing CPE and IoT zero days 93 6.1 Introduction . 94 6.2 Virtual honeypot framework . 95 6.2.1 Automated firmware extraction . 97 6.2.2 Customised pre-built kernel . 97 6.2.2.1 Honeypot logging and module loading . 98 6.2.2.2 Signal interception . 98 6.2.2.3 Module loading . 99 6.2.2.4 NVRAM . 99 6.2.2.5 Network configuration . 100 6.2.3 Filesystem modifications . 100 6.2.4 Emulation . 101 6.3 Evaluation . 101 6.3.1 Extraction, network reachability and services . 101 6.3.1.1 Extraction . 102 6.3.1.2 Network reachability . 102 6.3.1.3 Services . 104 6.3.2 Honeypot deployments in the wild . 104 6.3.2.1 Broadcom UPnPHunter . 105 6.3.2.2 DNS hijack . 105 6.3.2.3 UPnPProxy . 107 6.3.2.4 Mirai variants . 107 6.3.3 Timing attacks to fingerprint honware . 108 6.4 Ethical considerations . 111 6.5 Discussion . ..