With the wide adoption, Linux-based IoT devices have emerged as one primary target of
today’s cyber attacks. While traditional malware-based attacks (e.g., Mirai) can quickly
spread across these devices, they are well-understood threats with defense techniques
such as malware fingerprinting coupled with community-based fingerprint sharing.
Recently, fileless attacks—attacks that do not rely on malware files—have been increasingly
occurring on Linux-based IoT devices. Such attacks pose significant threats to the security
and privacy of IoT systems; however, little has been known in terms of their characteristics
and attack vectors, which hinders research and development efforts to defend against them.
In this study, we present our endeavor in understanding fileless attacks on Linux-based IoT devices in the wild. Over a span of 12 months, we deployed four hardware IoT honeypots and 108 specially designed software IoT honeypots, which successfully attracted a wide variety of real-world IoT attacks. We present our measurement study on these attacks, with a focus on fileless attacks, including the prevalence, exploits, environments, and impacts. Our study further leads to multi-fold insights towards actionable defense strategies which can be adopted by IoT vendors and end users.
Our paper has been accepted for
ACM MobiSys 2019.
We provide the customization code of HoneyCloud on GitHub.
We provide the login attemps data on
The dataset of SSH and Telnet is hosted here.
Please cite this study when using the data.
dangfan [AT] tsinghua.edu.cn
lizhenhua1983 [AT] tsinghua.edu.cn