With their wide adoption, Linux-based IoT devices have emerged as a primary target of today's cyber attacks. While traditional malware-based attacks (e.g., Mirai) can quickly spread across these devices, they are well-understood threats with defense techniques such as malware fingerprinting coupled with community-based fingerprint sharing. Recently, fileless attacks (attacks that do not rely on malware files) have been occurring on Linux-based IoT devices with increasing frequency. Such attacks pose significant threats to the security and privacy of IoT systems; however, little is known about their characteristics and attack vectors, which hinders research and development efforts to defend against them. In this study, we present our endeavor in understanding fileless attacks on Linux-based IoT devices in the wild. Over a span of 12 months, we deployed four hardware IoT honeypots and 108 specially designed software IoT honeypots, which successfully attracted a wide variety of real-world IoT attacks. We present our measurement study of these attacks, with a focus on fileless attacks, including their prevalence, exploits, environments, and impacts. Our study further yields multiple insights towards actionable defense strategies that can be adopted by IoT vendors and end users.
Our paper has been accepted for ACM MobiSys 2019.
We provide the customization code of HoneyCloud on GitHub.
We provide the login attempts data on GitHub.
The dataset of SSH and Telnet is hosted here.
Please cite this study when using the data:
@inproceedings{DBLP:conf/mobisys/DangLLZCXCY19,
  title     = {{Understanding Fileless Attacks on Linux-based IoT Devices with HoneyCloud}},
  author    = {Fan Dang and Zhenhua Li and Yunhao Liu and Ennan Zhai and Qi Alfred Chen and Tianyin Xu and Yan Chen and Jingyu Yang},
  year      = 2019,
  booktitle = {{Proceedings of the 17th ACM MobiSys}},
  pages     = {482--493}
}
dangfan [AT] tsinghua.edu.cn
lizhenhua1983 [AT] tsinghua.edu.cn