On the Investigation of Vulnerabilities in Smart Connected Cameras


Teknik och samhälle, Datavetenskap (Technology and Society, Computer Science)

Bachelor's thesis, 15 credits, ground level

On the investigation of vulnerabilities in smart connected cameras
Swedish title: Undersökning av sårbarheter i smarta anslutna kameror

Désirée Jönsson

Exam: Bachelor of Science in Engineering
Area: Computer Engineering
Program: Data & Mobil IT
Supervisor: Joseph Bugeja
Examiner: Andreas Jacobsson
Date of final seminar: 2017-08-25

Abstract

Humans have always developed products to simplify their everyday lives in the home environment. A fast-growing area is the Internet of Things, to which smart connected devices belong. The purpose of smart cameras is surveillance, where the owner can monitor the smart camera wirelessly from, e.g., a smartphone. Challenges with intelligent connected cameras include how to gain knowledge about espionage, attacks and damage. Many of these smart cameras have reduced-size, low-power hardware with fewer resources available, and are therefore unable to implement optimal security mechanisms. Although these connected cameras can improve safety and create security through their surveillance, the smart camera also opens new ways for attackers to intrude, because the devices are connected to the Internet.

The purpose of this thesis is to investigate what kind of open data is available on the Internet from connected cameras. This is done by creating a program to extract publicly available smart camera information that is visible to anyone who has access to the Internet, and thus access to Shodan's search engine. The open data shows vulnerabilities that can potentially be exploited to intrude on devices. The vulnerabilities found in the connected cameras due to their availability on Shodan were insecure configuration management and insufficient authentication.

By highlighting significant vulnerabilities in smart cameras found today, the thesis can contribute to how one can use publicly available information to gain knowledge about vulnerabilities in smart devices. Given that vulnerabilities exist and the smart camera is connected to the Internet, it may be more than the owner of the smart camera that monitors the residence.

Summary (translated from the Swedish "Sammanfattning")

People have always developed products to simplify everyday life in the home. A rapidly growing area is the Internet of Things, to which smart connected devices belong. The purpose of smart cameras is surveillance, where the owner can monitor the intelligent camera wirelessly from, for example, a smartphone. A challenge with intelligent connected cameras is how to gain knowledge about espionage, attacks and damage. Many of these smart cameras have fewer resources available and are therefore unable to implement optimal security mechanisms. Although these smart devices can enrich daily life and create a sense of security through their surveillance, the smart camera also opens new ways for attackers to intrude, because the device is connected to the Internet.

The purpose of this thesis is to investigate what open data is available on the Internet about connected cameras. This is done by creating a program to extract publicly available information about smart cameras that are visible to anyone who has access to the Internet, and thus also access to Shodan's search engine. The open data reveals vulnerabilities that can be exploited to intrude. The vulnerabilities found in the connected cameras due to their availability on Shodan were insecure configuration management and insufficient authentication.

By highlighting existing vulnerabilities in the smart cameras available today, the thesis can contribute to how publicly available information can be used to gain knowledge about vulnerabilities in smart products. Given that vulnerabilities exist and the smart camera is connected to the Internet, it may be that more people than the owner of the smart camera are monitoring the home.

Acknowledgments

I would like to express gratitude to Joseph Bugeja for the feedback, input and always inspiring discussions during my work on this thesis.

Glossary

Connected camera: A device that can send and receive images/videos via a computer network and the Internet for different purposes. Also named smart camera, IP camera, network camera, etc.

Common Vulnerabilities and Exposures (CVE): Provides a reference method for publicly known information-security vulnerabilities and exposures.

Insecure configuration management (ICM): Configuration management (CM) is a process for establishing and maintaining consistency of a product's performance and security. Lack of CM can lead to insecure configuration management (ICM).

Internet of Things (IoT): A term used for the development of a network consisting of devices which are embedded with electronics, software, sensors and network connectivity that enable these objects to collect and exchange data. The devices are connected to one another or to the Internet via protocols, and are in general referred to as smart (connected) devices.

Open data: Digital information that is freely available without restrictions.

Open Web Application Security Project (OWASP): An organization with the ambition to support technologies in the field of web application security.

Passive reconnaissance: Information gathering without actively engaging with a system to cause harm.

Shodan: A search engine for connected devices on the Internet.

Supervisory Control and Data Acquisition (SCADA): Software application program for process control.

Vulnerability: A weakness or defect in a system which enables an attacker to bypass security measures, and might be exploited to cause loss or harm.
Web crawlers: Software programs that use another search engine's data to produce their own results from the Internet.

Table of Contents

1 Introduction
  1.1 Problem Domain
  1.2 Problem Discussion
  1.3 Research Questions
  1.4 Scope and Limitations
  1.5 Thesis Organization
2 Background
  2.1 Smart Cameras
  2.2 Smart Homes
  2.3 Shodan
    2.3.1 What is Shodan and how to use it
    2.3.2 Open data on Shodan
  2.4 Vulnerability
    2.4.1 Common Vulnerabilities and Exposures (CVE)
    2.4.2 Open Web Application Security Project (OWASP)
  2.5 Reconnaissance
3 Related Work
  3.1 Uninvited Connections
  3.2 Internet of Things (IOT): Taxonomy of Security Attacks
  3.3 Exploiting known vulnerabilities of a smart thermostat
  3.4 Embedded systems security: Threats, vulnerabilities, and attack taxonomy
4 Research Methodology
  4.1 Methodology of choice
  4.2 Literature Study
  4.3 Experimental setup
    4.3.1 Create the program
    4.3.2 Verification of the program
  4.4 Procedure
    4.4.1 Extract the open data and filtration
    4.4.2 Data analysis
5 Result and Analysis
  5.1 The program
    5.1.1 Collected open data on smart cameras
  5.2 The vulnerabilities
    5.2.1 Specific vulnerabilities linked to CVE-2011-5261
    5.2.2 Collected open data matching CVE-2011-5261
    5.2.3 Insecure Configuration Management
    5.2.4 Insufficient authentication
    5.2.5 Vulnerability example tied to a specific smart camera
  5.3 Analysis of the result
6 Discussion
  6.1 Related work
  6.2 Limitations discussion
  6.3 Methodology Discussion
  6.4 Ethics
7 Conclusion and Future work
  7.1 Answering the research questions
  7.2 Future Work
A Search criteria
B Filter and Keywords

1 Introduction

Nowadays more individuals are relying on Internet technologies for their daily activities. Most appliances, such as washing machines and refrigerators, are Internet-enabled, and TVs are also connected to the Internet [1]. The devices that are connected to one another or to the Internet via wireless protocols are in general referred to as smart (connected) devices. Part of what makes a camera smart is that it is autonomous and might act without the user's awareness or, in some cases, without need of control. The connected devices are a part of the Internet of Things (IoT). The IoT is about everyday devices that use network connectivity that enables them to collect and use data [1]. The IoT term was coined by Kevin Ashton 1998 [2]. Even earlier, the concept of ubiquitous computing was described by Mark Weiser; it describes the idea of integrating computing so that it appears anytime and everywhere [2].

A smart home is a residence that uses IoT technology and comprises a network of smart devices that meets different householders' needs. The most prominent areas are security, entertainment, energy and healthcare [5]. The global smart home market is growing at a fast pace. In 2015 the market was valued at $9.8 billion and it is estimated to reach $43 billion in 2020 [5]. One example of the difference between a smart home and a traditional home is physical buttons. Physical buttons require physical access in a traditional home: a person needs to physically turn the light on and off. In a smart home physical access is not required. The buttons can be connected or disconnected with the help of wireless connectivity, e.g. for lighting control [1].

The number of connected devices introduced to the market has increased, approaching about 15 billion today [3]. To put it in perspective, that is roughly two devices per human being. J. Wurm et al. [3] further disclose that the trend is going to continue and estimate about 26 billion network-connected devices by the year 2020.

This rapid growth of the smart home field leads to a race to put the next smart device on the market first. The consequence is that questions like security and vulnerability issues are not getting the focus and thought that are required [2] [3]. One uses the connected camera in arguably the most private environment there is, our home, where there is personal data such as family photo albums, sensitive conversations, etc.