skip to main content
research-article

Toward Automatically Connecting IoT Devices with Vulnerabilities in the Wild

Published: 19 October 2023 Publication History

Abstract

With the increasing number of Internet of Things (IoT) devices connected to the internet, the industry and research community have become increasingly concerned about their security impact. Adversaries or hackers often exploit public security flaws to compromise IoT devices and launch cyber attacks. However, despite this growing concern, little effort has been made to investigate the detection of IoT devices and their underlying risks. To address this gap, this article proposes to automatically establish relationships between IoT devices and their vulnerabilities in the wild. Specifically, we construct a deep neural network (DNN) to extract semantic information from IoT packets and generate fine-grained fingerprints of IoT devices. This enables us to annotate IoT devices in cyberspace, including their device type, vendor, and product information. We collect vulnerability reports from various security sources and extract IoT device information from these reports to automatically match vulnerabilities with the fingerprints of IoT devices. We implemented a prototype system and conducted extensive experiments to validate the effectiveness of our approach. The results show that our DNN model achieved a 98% precision rate and a 95% recall rate in IoT device fingerprinting. Furthermore, we collected and analyzed over 13,063 IoT-related vulnerability reports and our method automatically built 5,458 connections between IoT device fingerprints and their vulnerabilities. These findings shed light on the ongoing threat of cyber-attacks on IoT systems as both IoT devices and disclosed vulnerabilities are targets for malicious attackers.

References

[1]
Ahmet Aksoy and Mehmet Hadi Gunes. 2019. Automated iot device identification using network traffic. In Proceedings of the IEEE International Conference on Communications (ICC’19). IEEE, 1–7.
[2]
Fadele Ayotunde Alaba, Mazliza Othman, Ibrahim Abaker Targio Hashem, and Faiz Alotaibi. 2017. Internet of things security: A survey. Journal of Network and Computer Applications 88 (2017), 10–28.
[3]
Manos Antonakakis, Tim April, Michael Bailey, Matthew Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, Deepak Kumar, Chaz Lever, Zane Ma, Joshua Mason, Damian Menscher, Chad Seaman, Nick Sullivan, Kurt Thomas, and Yi Zhou. 2017. Understanding the mirai botnet. In Proceedings of the 26th USENIX Conference on Security Symposium (SEC’17). 1093–1110.
[4]
Bruhadeshwar Bezawada, Maalvika Bachani, Jordan Peterson, Hossein Shirazi, Indrakshi Ray, and Indrajit Ray. 2018. Behavioral fingerprinting of IoT devices. In Proceedings of the 2018 Workshop on Attacks and Solutions in Hardware Security (ASHES’18). Association for Computing Machinery, New York, NY, 41–50.
[5]
Elias Bou-Harb, Mourad Debbabi, and Chadi Assi. 2016. A novel cyber security capability: Inferring internet-scale infections by correlating malware and probing activities. Comput. Netw. 94 (2016), 327–343.
[6]
Censys. 2015. A Search Engine Based on Internet-wide Scanning for the Devices and Networks. Retrieved from https://censys.io/
[7]
CVE. 2023. CVE, Common Vulnerabilities and Exposures. Retrieved from http://cve.mitre.org/
[8]
CVSS. 2023. A Free and Open Industry Standard for Assessing the Severity of Computer System Security Vulnerabilities.Retrieved from https://nvd.nist.gov/vuln-metrics/cvss
[9]
CWE. 2023. A Community-developed List of Common Software Security Weaknesses.Retrieved from https://cwe.mitre.org/
[10]
DevTag. 2021. Number of Connected IoT Devices Will Surge to 125 Billion by 2030. Retrieved from https://www.iot-now.com/tag/ihs-markit/
[11]
Ying Dong, Wenbo Guo, Yueqi Chen, Xinyu Xing, Yuqing Zhang, and Gang Wang. 2019. Towards the detection of inconsistencies in public security vulnerability reports. In Proceedings of the 28th USENIX Security Symposium (USENIX Security’19). 869–885.
[12]
Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2013. ZMap: Fast internet-wide scanning and its security applications. In Proceedings of the USENIX Security Symposium, Vol. 8.605–620.
[13]
Claude Fachkha, Elias Bou-Harb, Anastasis Keliris, Nasir D. Memon, and Mustaque Ahamad. 2017. Internet-scale probing of CPS: Inference, characterization and orchestration analysis. In Proceedings of the Network and Distributed System Security (NDSS) Symposium (NDSS’17).
[14]
Xuan Feng, Qiang Li, Haining Wang, and Limin Sun. 2016. Characterizing industrial control system devices on the internet. In Proceedings of the IEEE 24th International Conference on Network Protocols (ICNP’16). IEEE, 1–10.
[15]
Xuan Feng, Qiang Li, Haining Wang, and Limin Sun. 2018. Acquisitional rule-based engine for discovering internet-of-things devices. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). Baltimore, MD, 327–341.
[16]
Xuan Feng, Xiaojing Liao, XiaoFeng Wang, Haining Wang, Qiang Li, Kai Yang, Hongsong Zhu, and Limin Sun. 2019. Understanding and securing device vulnerabilities through automated bug report analysis. In Proceedings of the 28th USENIX Security Symposium (USENIX Security’19). USENIX Association, Berkeley, CA, 887–903.
[17]
Guidelines for Security Vulnerability Reporting and Response.2016. Retrieved from https://www.symantec.com/security/OIS_Guidelines%20for%20responsible%20disclosure.pdf
[18]
David Formby, Preethi Srinivasan, Andrew M. Leonard, Jonathan D. Rogers, and Raheem A. Beyah. 2016. Who’s in control of your control system? Device fingerprinting for cyber-physical systems. In Proceedings of the Network and Distributed System Security (NDSS) Symposium (NDSS’16).
[19]
GoogleScraper. 2023. GoogleScraper. Retrieved from https://github.com/NikolaiT/GoogleScraper
[20]
Jorge Granjal, Edmundo Monteiro, and Jorge Sá Silva. 2015. Security for the internet of things: A survey of existing protocols and open research issues. IEEE Commun. Surv. Tutor. 17, 3 (2015), 1294–1312.
[21]
Ayyoob Hamza, Dinesha Ranathunga, Hassan Habibi Gharakheili, Theophilus A. Benson, Matthew Roughan, and Vijay Sivaraman. 2020. Verifying and monitoring iots network behavior using mud profiles. IEEE Trans. Depend. Sec. Comput. (2020).
[22]
Fabiha Hashmat, Syed Ghazanfar Abbas, Sadaf Hina, Ghalib A Shah, Taimur Bakhshi, and Waseem Abbas. 2022. An automated context-aware IoT vulnerability assessment rule-set generator. Comput. Commun. 186 (2022), 133–152.
[23]
Jaidip Kotak and Yuval Elovici. 2019. Iot device identification using deep learning. In Computational Intelligence in Security for Information Systems Conference. Springer, 76–86.
[24]
Frank Li and Vern Paxson. 2017. A large-scale empirical study of security patches. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’17). ACM, New York, NY, 2201–2215.
[25]
Yongxin Liu, Jian Wang, Jianqiang Li, Shuteng Niu, and Houbing Song. 2021. Machine learning for the detection and identification of internet of things devices: A survey. IEEE IoT J. 9, 1 (2021), 298–320.
[26]
Samuel Marchal, Markus Miettinen, Thien Duc Nguyen, Ahmad-Reza Sadeghi, and N. Asokan. 2019. Audi: Toward autonomous iot device-type identification using periodic communication. IEEE J. Select. Areas Commun. 37, 6 (2019), 1402–1412.
[27]
Markus Miettinen, Samuel Marchal, Ibbad Hafeez, N. Asokan, Ahmad-Reza Sadeghi, and Sasu Tarkoma. 2017. Iot sentinel: Automated device-type identification for security enforcement in iot. In Proceedings of the IEEE 37th International Conference on Distributed Computing Systems (ICDCS’17). IEEE, 2177–2184.
[28]
Tomas Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space. arXiv:1301.3781. Retrieved from https://arxiv.org/abs/1301.3781
[29]
Arsalan Mosenia and Niraj K. Jha. 2016. A comprehensive study of security of internet-of-things. IEEE Trans. Emerg. Top. Comput. 5, 4 (2016), 586–602.
[30]
Nizar Msadek, Ridha Soua, and Thomas Engel. 2019. Iot device fingerprinting: Machine learning based encrypted traffic analysis. In Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC’19). IEEE, 1–8.
[31]
Dongliang Mu, Alejandro Cuevas, Limin Yang, Hang Hu, Xinyu Xing, Bing Mao, and Gang Wang. 2018. Understanding the reproducibility of crowd-reported security vulnerabilities. In Proceedings of the 27th \(\lbrace\)USENIX\(\rbrace\) Security Symposium (\(\lbrace\)USENIX\(\rbrace\) Security’18). 919–936.
[32]
Viet Hung Nguyen and Fabio Massacci. 2013. The (un) reliability of nvd vulnerable versions data: An empirical experiment on google chrome vulnerabilities. In Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. 493–498.
[33]
NLTK. 2001. A Suite of Libraries and Programs for Symbolic and Statistical Natural Language Processing. Retrieved fromhttp://www.nltk.org/
[34]
Nmap. 1997. Network Security Scanner Tool.
[35]
Pascal Oser, Rens W. van der Heijden, Stefan Lüders, and Frank Kargl. 2022. Risk prediction of IoT devices based on vulnerability analysis. ACM Trans. Priv. Secur. 25, 2 (2022), 1–36.
[36]
Linning Peng, Aiqun Hu, Junqing Zhang, Yu Jiang, Jiabao Yu, and Yan Yan. 2018. Design of a hybrid RF fingerprint extraction and device classification scheme. IEEE IoT J. 6, 1 (2018), 349–360.
[37]
Adam C. Polak and Dennis L. Goeckel. 2015. Wireless device identification based on RF oscillator imperfections. IEEE Trans. Inf. Forens. Secur. 10, 12 (2015), 2492–2501.
[38]
Pytorch. 2018. An Open Source Machine Learning Framework That Accelerates the Path from Research Prototyping to Production Deployment. Retrieved fromhttps://pytorch.org/
[39]
Mirai Report. 2016. The Cyber Attack Disrupts Internet Service across Europe and US via Mirai.
[40]
Shamnaz Riyaz, Kunal Sankhe, Stratis Ioannidis, and Kaushik Chowdhury. 2018. Deep learning convolutional neural networks for radio identification. IEEE Commun. Mag. 56, 9 (2018), 146–152.
[41]
Carl Sabottke, Octavian Suciu, and Tudor Dumitraş. 2015. Vulnerability disclosure in the age of social media: Exploiting twitter for predicting real-world exploits. In Proceedings of the 24th USENIX Security Symposium. USENIX Association, Berkeley, CA, 1041–1056.
[42]
Zain Shamsi, Daren B. H. Cline, and Dmitri Loguinov. 2017. Faulds: A non-parametric iterative classifier for internet-wide OS fingerprinting. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. 971–982.
[43]
Zain Shamsi, Ankur Nandwani, Derek Leonard, and Dmitri Loguinov. 2014. Hershel: Single-packet Os fingerprinting. In Proceedings of the ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS’14). 195–206.
[44]
Shodan. 2009. The Search Engine for Internet-connected Devices. Retrieved from https://www.shodan.io/
[45]
Rahul Shokeen, Bharanidharan Shanmugam, Krishnan Kannoorpatti, Sami Azam, Mirjam Jonkman, and Mamoun Alazab. 2019. Vulnerabilities analysis and security assessment framework for the internet of things. In Proceedings of the Cybersecurity and Cyberforensics Conference (CCC’19). IEEE, 22–29.
[46]
Sabrina Sicari, Alessandra Rizzardi, Luigi Alfredo Grieco, and Alberto Coen-Porisini. 2015. Security, privacy and trust in internet of things: The road ahead. Comput. Netw. 76 (2015), 146–164.
[47]
Arunan Sivanathan. 2020. IoT behavioral monitoring via network traffic analysis. arXiv:2001.10632. Retrieved from https://arxiv.org/abs/2001.10632
[48]
Arunan Sivanathan, Hassan Habibi Gharakheili, Franco Loi, Adam Radford, Chamith Wijenayake, Arun Vishwanath, and Vijay Sivaraman. 2018. Classifying IoT devices in smart environments using network traffic characteristics. IEEE Trans. Mob. Comput. 18, 8 (2018), 1745–1759.
[49]
Arunan Sivanathan, Hassan Habibi Gharakheili, and Vijay Sivaraman. 2020. Managing IoT cyber-security using programmable telemetry and machine learning. IEEE Trans. Netw. Serv. Manage. 17, 1 (2020), 60–74.
[50]
Jinke Song, Qiang Li, Haining Wang, and Limin Sun. 2020. Under the concealing surface: Detecting and understanding live webcams in the wild. In Proceedings of the ACM on Measurement and Analysis of Computing Systems, SIGMETRICS ’20. 4, 1 (2020), 1–25.
[51]
Beautiful Soup. 2012. Package for Parsing HTML and XML Documents. Retrieved from https://www.crummy.com/software/BeautifulSoup/
[52]
Vijayanand Thangavelu, Dinil Mon Divakaran, Rishi Sairam, Suman Sankar Bhunia, and Mohan Gurusamy. 2018. DEFT: A distributed IoT fingerprinting technique. IEEE IoT J. 6, 1 (2018), 940–952.
[53]
Shobha Venkataraman, Juan Caballero, Pongsin Poosankam, Min Gyung Kang, and Dawn Xiaodong Song. 2007. Fig: Automatic fingerprint generation. In Proceedings of the Network and Distributed System Security Symposium (NDSS’07).
[54]
Rolf H. Weber and Evelyne Studer. 2016. Cybersecurity in the internet of things: Legal aspects. Comput. Law Secur. Rev. 32, 5 (2016), 715–728.
[55]
Ryan Williams, Emma McMahon, Sagar Samtani, Mark Patton, and Hsinchun Chen. 2017. Identifying vulnerabilities of consumer internet of things (IoT) devices: A scalable approach. In Proceedings of the IEEE International Conference on Intelligence and Security Informatics (ISI’17). IEEE, 179–181.
[56]
Yake. 2023. Yake. Retrieved from https://github.com/LIAAD/yake
[57]
Kai Yang, Qiang Li, and Limin Sun. 2019. Towards automatic fingerprinting of IoT devices in the cyberspace. Comput. Netw. 148 (2019), 318–327.
[58]
Jiabao Yu, Aiqun Hu, Guyue Li, and Linning Peng. 2019. A robust RF fingerprinting approach using multisampling convolutional neural network. IEEE IoT J. 6, 4 (2019), 6786–6799.
[59]
Tianhang Zheng, Zhi Sun, and Kui Ren. 2019. FID: Function modeling-based data-independent and channel-robust physical-layer identification. In Proceedings of the IEEE Conference on Computer Communications (INFOCOM’19). IEEE, 199–207.
[60]
Xinyu Zhou, Aiqun Hu, Guyue Li, Linning Peng, Yuexiu Xing, and Jiabao Yu. 2019. Design of a robust RF fingerprint generation and classification scheme for practical device identification. In Proceedings of the IEEE Conference on Communications and Network Security (CNS’19). IEEE, 196–204.
[61]
Fangzhou Zhu, Liang Liu, Weizhi Meng, Ting Lv, Simin Hu, and Renjun Ye. 2020. Scaffisd: A scalable framework for fine-grained identification and security detection of wireless routers. In Proceedings of the IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom’20). IEEE, 1194–1199.
[62]
ztag. 2023. ZTag, an Utility for Annotating Raw Scan Data with Additional Metadata. Retrieved from http://github.com/zmap/ztag

Cited By

View all
  • (2024)Investigating Threats Posed by SMS Origin Spoofing to IoT DevicesDigital Threats: Research and Practice10.1145/36960115:4(1-12)Online publication date: 13-Sep-2024

Index Terms

  1. Toward Automatically Connecting IoT Devices with Vulnerabilities in the Wild

      Recommendations

      Comments

      Information & Contributors

      Information

      Published In

      cover image ACM Transactions on Sensor Networks
      ACM Transactions on Sensor Networks  Volume 20, Issue 1
      January 2024
      717 pages
      EISSN:1550-4867
      DOI:10.1145/3618078
      Issue’s Table of Contents

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Journal Family

      Publication History

      Published: 19 October 2023
      Online AM: 17 July 2023
      Accepted: 20 June 2023
      Revised: 20 June 2023
      Received: 19 May 2023
      Published in TOSN Volume 20, Issue 1

      Permissions

      Request permissions for this article.

      Check for updates

      Author Tags

      1. Internet-of-Things
      2. fingerprinting
      3. online devices
      4. vulnerability

      Qualifiers

      • Research-article

      Funding Sources

      • National Natural Science Foundation of China

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)266
      • Downloads (Last 6 weeks)32
      Reflects downloads up to 20 Jan 2025

      Other Metrics

      Citations

      Cited By

      View all
      • (2024)Investigating Threats Posed by SMS Origin Spoofing to IoT DevicesDigital Threats: Research and Practice10.1145/36960115:4(1-12)Online publication date: 13-Sep-2024

      View Options

      Login options

      Full Access

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Full Text

      View this article in Full Text.

      Full Text

      Media

      Figures

      Other

      Tables

      Share

      Share

      Share this Publication link

      Share on social media