The Viability and Potential Consequences of IoT-Based Ransomware

With the increased threat of ransomware and the substantial growth of the Internet of Things (IoT) market, there is significant motivation for attackers to carry out IoT-based ransomware campaigns. In this thesis, the viability of such malware is tested. As part of this work, various techniques that could be used by ransomware developers to attack commercial IoT devices were explored. First, methods that attackers could use to communicate with the victim were examined, such that a ransom note was able to be reliably sent to a victim. Next, the viability of using "bricking" as a method of ransom was evaluated, such that devices could be remotely disabled unless the victim makes a payment to the attacker. Research was then performed to ascertain whether it was possible to remotely gain persistence on IoT devices, which would improve the efficacy of existing ransomware methods, and provide opportunities for more advanced ransomware to be created. Finally, after successfully identifying a number of persistence techniques, the viability of privacy-invasion based ransomware was analysed. For each assessed technique, proofs of concept were developed. A range of devices -- with various intended purposes, such as routers, cameras and phones -- were used to test the viability of these proofs of concept. To test communication hijacking, devices' "channels of communication" -- such as web services and embedded screens -- were identified, then hijacked to display custom ransom notes. During the analysis of bricking-based ransomware, a working proof of concept was created, which was then able to remotely brick five IoT devices. After analysing the storage design of an assortment of IoT devices, six different persistence techniques were identified, which were then successfully tested on four devices, such that malicious filesystem modifications would be retained after the device was rebooted. When researching privacy-invasion based ransomware, several methods were created to extract information from data sources that can be commonly found on IoT devices, such as nearby WiFi signals, images from cameras, or audio from microphones. These were successfully implemented in a test environment such that ransomable data could be extracted, processed, and stored for later use to blackmail the victim. Overall, IoT-based ransomware has not only been shown to be viable but also highly damaging to both IoT devices and their users. While the use of IoT-ransomware is still very uncommon "in the wild", the techniques demonstrated within this work highlight an urgent need to improve the security of IoT devices to avoid the risk of IoT-based ransomware causing havoc in our society. Finally, during the development of these proofs of concept, a number of potential countermeasures were identified, which can be used to limit the effectiveness of the attacking techniques discovered in this PhD research

Persistence in Linux-Based IoT Malware

The Internet of Things (IoT) is a rapidly growing collection of “smart” devices capable of communicating over the Internet. Being connected to the Internet brings new features and convenience, but it also poses new security threats, such as IoT malware. IoT malware has shown similar growth, making IoT devices highly vulnerable to remote compromise. However, most IoT malware variants do not exhibit the ability to gain persistence, as they typically lose control over the compromised device when the device is restarted. This paper investigates how persistence for various IoT devices can be implemented by attackers, such that they retain control even after the device has been rebooted. Having persistence would make it harder to remove IoT malware. We investigated methods that could be used by an attacker to gain persistence on a variety of IoT devices, and compiled the requirements and potential issues faced by these methods, in order to understand how best to combat this future threat. We successfully used these methods to gain persistence on four vulnerable IoT devices with differing designs, features and architectures. We also identified ways to counter them. This work highlights the enormous risk that persistence poses to potentially billions of IoT devices, and we hope our results and study will encourage manufacturers and developers to consider implementing our proposed countermeasures or create new techniques to combat this nascent threat

Hunting High or Low: Evaluating the Effectiveness of High-Interaction and Low-Interaction Honeypots

Honeypots are cybersecurity mechanisms that are set up as decoys in networks to lure and monitor attackers trying to compromise vulnerable systems. Two commonly used honeypot designs are high-interaction and low-interaction honeypots, which differ in the amount of interplay that the attackers are allowed to do. So far, the effectiveness of high-interaction and low-interaction honeypots has been understudied, making it difficult for security teams to choose between different honeypot technologies. The aim of this paper is to compare the effectiveness of high-interaction and low-interaction honeypots through real-world data. We deployed multiple Elasticsearch honeypot implementations to collect data: a closed-source high-interaction honeypot developed by the authors, and three types of open-source low-interaction honeypots (namely Elastichoney, Delilah and Elasticpot). The collected data came from 48 instances of high-interaction honeypots and 111 instances of low-interaction honeypots, over a period of 14 days. We found that low-interaction honeypots captured only a fraction of the attacks that high-interaction honeypots can catch. On the other hand, low-interaction honeypots are simpler, more efficient to run due to their low usage of resources, and easier to deploy. In our dataset, high-interaction honeypots captured 76.12% of the total attack packets and attracted 70.61% of the unique attacker IPs. In comparison, low-interaction honeypots performed a lot worse in collecting attack data; they only managed to capture 23.88% of the total attack packets and attracted 29.39% of the unique attacker IPs. In this paper, we present an experiment that evaluated and compared the effectiveness of high-interaction and low-interaction honeypots in terms of the amount and the type of information collected from attacks targeting them. It follows from our findings that it would be wiser to either concentrate solely on using high-interaction honeypots, or to increase the effectiveness of low-interaction ones by automatically changing each static value during deployment and/or by increasing the mimicking capabilities of low-interaction honeypots

Industrialising Blackmail: Privacy Invasion Based IoT Ransomware

Ransomware (malware that threatens to lock or publish victims’ assets unless a ransom is paid) has become a serious security threat, targeting individual users, companies and even governments, causing significant damage, disruption and cost. Instances of ransomware have also been observed stealing private data and blackmailing their victims. Worryingly, the prevalence of Internet of Things (IoT) devices and the massive amount of personal data that they collect have opened up another avenue of attack. The main aim of this paper is to determine whether privacy invasion based ransomware would be a viable vector for attackers to use on IoT devices. The secondary aim is to identify countermeasures that can be implemented to prevent such attacks from being used. To accomplish these aims, we examined how private data accessible via IoT devices could be obtained, processed and managed by a ransomware attacker. We identified a number of data sources on IoT devices that can be used to access private data, such as audio and video feeds. We then investigated methods to interpret such data in order to blackmail the device’s owner. We then produced proof of concept malware for multiple IoT devices, including an external “collator” that manages the valuable data collected, demonstrating that an attack could be performed at scale. This research shows that attackers can use the functionality of an infected device to invade the privacy of the device’s owner, as part of a ransomware attack. We have demonstrated that, given suitable infrastructure, attackers would be able to ransom users for values higher than the cost of the compromised device, as well as heavily damage the trust in the device itself, which would cause further negative impact on the device manufacturer. Finally, we highlight the need for proactive measures to deter this style of attack by applying the suggested countermeasures

Hunting high or low: evaluating the effectiveness of high-interaction and low-interaction honeypots

Honeypots are cybersecurity mechanisms that are set up as decoys in networks to lure and monitor attackers trying to compromise vulnerable systems. Two commonly used honeypot designs are high-interaction and low-interaction honeypots, which differ in the amount of interplay that the attackers are allowed to do. So far, the effectiveness of high-interaction and low-interaction honeypots has been understudied, making it difficult for security teams to choose between different honeypot technologies. The aim of this paper is to compare the effectiveness of high-interaction and low-interaction honeypots through real-world data. We deployed multiple Elasticsearch honeypot implementations to collect data: a closed-source high-interaction honeypot developed by the authors, and three types of open-source low-interaction honeypots (namely Elastichoney, Delilah and Elasticpot). The collected data came from 48 instances of high-interaction honeypots and 111 instances of low-interaction honeypots, over a period of 14 days. We found that low-interaction honeypots captured only a fraction of the attacks that high-interaction honeypots can catch. On the other hand, low-interaction honeypots are simpler, more efficient to run due to their low usage of resources, and easier to deploy. In our dataset, high-interaction honeypots captured 76.12% of the total attack packets and attracted 70.61% of the unique attacker IPs. In comparison, low-interaction honeypots performed a lot worse in collecting attack data; they only managed to capture 23.88% of the total attack packets and attracted 29.39% of the unique attacker IPs. In this paper, we present an experiment that evaluated and compared the effectiveness of high-interaction and low-interaction honeypots in terms of the amount and the type of information collected from attacks targeting them. It follows from our findings that it would be wiser to either concentrate solely on using high-interaction honeypots, or to increase the effectiveness of low-interaction ones by automatically changing each static value during deployment and/or by increasing the mimicking capabilities of low-interaction honeypots