IoT Home Guard : A Tool for Malicious Behavior Detection in IoT Devices

IoT Home Guard is a project to help people discover malware in smart home devices.

For users the project can help to detect compromised smart home devices. For security researchers it is also useful in network analysis and malicious hehaviors detection.

In July 2018 we had completed the first version. We will complete the second version by October 2018 with improvement of user experience and increased number of identifiable devices.

The first generation is a hardware device based on Raspberry Pi with wireless network interface controllers. We will customize new hardware in the second generation.

The system can be set up with software part in laptops after essential environment configuration. Software part is available in software_tools/.

Also Read – 7 Reasons Why You Should Use PDF Over Word

Proof of principle

Our approach is based on the detection of malicious network traffic. A device implanted malwares will communicate with remote server, trigger a remote shell or send audios/videos to server.

The chart below shows the network traffic of a device which implanted snooping malwares.

  • Red line : traffic between devices and a remote spy server.
  • Green line : normal traffic of devices.
  • Black line : Sum of TCP traffic.

Modules

  • AP module and Data flow catcher: Catch network traffic.
  • Traffic analying engine: Extract characteristics from network traffic and compare them with device fingerprint database.
  • Device fingerprint database: Normal network behaviors of each devices, based on whitelist. Call APIs of 360 threat intelligence database (https://ti.360.net/).
  • Web server: There may be a web server in the second generation.

Procedure

The tool works as an Access Point, connected manually by devices under test, sends network traffic to traffic analyzing engine for characteristic extraction.

Traffic analyzing engine compares characteristics with entries in device fingerprint database to recognize device type and suspicious network connection. Device fingerprint database is a collect of normal behaviors of each device based on whitelist.

Additionally, characteristics will be searched on threat intelligence database of Qihoo 360 to identify malicious behaviours. A web server is set up as user interfaces.

Effectiveness

In our research, we have succcessfully implanted Trojans in eight devices including smart speakers, cameras, driving recorders and mobile translators with IoT-Implant-Toolkit.

A demo video below:

We collected characteristics of those devices and ran IoT-Home-Guard. All devices implanted Trojans have been detected.

We believe that malicious behaviours of more devices can be identified with high accuracy after supplement of fingerprint database.

Download
R K

Share
Published by
R K
Tags: IoTIoT Home GuardMalicious
6 years ago

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago