Proof of principle
Our approach is based on the detection of malicious network traffic. A device implanted malwares will communicate with remote server, trigger a remote shell or send audios/videos to server.
The chart below shows the network traffic of a device which implanted snooping malwares.
Red line : traffic between devices and a remote spy server.
Green line : normal traffic of devices.
Black line : Sum of TCP traffic.
- AP module and Data flow catcher: Catch network traffic.
- Traffic analying engine: Extract characteristics from network traffic and compare them with device fingerprint database.
- Device fingerprint database: Normal network behaviors of each devices, based on whitelist. Call APIs of 360 threat intelligence database (https://ti.360.net/).
- Web server: There may be a web server in the second generation.
| | | |
| data_flow_catcher |<----| devices connected |
| | | |
| device_fingerprint_databse |<---------> | flow_analyze_engine |
|____________________________| ¦ |_____________________|
__________________________________ ¦ ____↓_______ _________________
| | ¦ | | | |
| 360 threat intelligence database |<- | web_server |<-----------| user interfaces |
|__________________________________| |____________| |_________________|
The tool works as an Access Point, connected manually by devices under test, sends network traffic to traffic analyzing engine for characteristic extraction. Traffic analyzing engine compares characteristics with entries in device fingerprint database to recognize device type and suspicious network connection. Device fingerprint database is a collect of normal behaviors of each device based on whitelist. Additionally, characteristics will be searched on threat intelligence database of Qihoo 360 to identify malicious behaviors. A web server is set up as user interfaces.
In our research, we have succcessfully implanted Trojans in eight devices including smart speakers, cameras, driving recorders and mobile translators with IoT-Implant-Toolkit.
A demo video below:
We collected characteristics of those devices and ran IoT-Home-Guard. All devices implanted Trojans have been detected. We believe that malicious behaviors of more devices can be identified with high accuracy after supplement of fingerprint database.