AA

Arwa Al Alsadi

info

Please Note

5 records found

Conference paper (2026) - Ryu Kuki, Takayuki Sasaki, Arwa Al Alsadi, Carlos Gañán, Katsunari Yoshioka
In recent years, while the threat of cyber attacks and malware targeting the vulnerabilities of the Internet of Things (IoT) has become more serious, various efforts have been made to mitigate the spread of these threats and the damage they cause. This study aims to understand the mechanisms behind the increase and decrease in HTTP-based exploits targeting IoT devices, and to verify the effectiveness of current prevention and mitigation measures. By integrating attack analysis observed in honeypots, collecting malware samples, and publicly available vulnerability information, we visualize the temporal changes in the number of attacks over the lifetime of vulnerabilities, and identify the impact of life events such as the release of the proof-of-concept (PoC) or the weaponization into malware on changes in attack trends. Comparing attack volumes for vulnerabilities discovered from 2008 to 2024, we discover differences in attack trends depending on the age of the device and vulnerability. Our results show that attacks targeting new devices with adequate security measures tend to decrease relatively quickly, while attacks targeting older devices with inadequate measures often persist until the end of the device's life, by being weaponized in malware. These findings confirm that existing security measures are effective to a limited extent, but at the same time, they also show that continuous improvement and proactive measures are necessary to prevent the exploitation of vulnerabilities from continuing for long periods of time. ...

Piecing Together Factors of IoT Vulnerability Exploitation

Conference paper (2025) - Arwa Abdulkarim Al Alsadi, Mathew Vermeer, Takayuki Sasaki, Katsunari Yoshioka, Michel Van Eeten, Carlos Gañán
The proliferation of Internet of Things (IoT) devices has led to a surge in vulnerabilities, with traditional metrics like CVSS and PoC exploits failing to fully explain exploitation patterns. To address this, we leverage features from the-state-of-the-art prediction model EPSS – such as CVSS, CWE, vendors, external references, vulnerability age, and PoCs – and combine it with new features derived from hacking communities. Our study of 23,373 IoT-related CVEs and 25k posts from 25 hacking forums highlights the importance of including insights on attacker behavior from discussions involving vulnerabilities. We identified 38 features with a p-value < 0.05 that impact attackers’ selection of IoT vulnerabilities. We use two metrics to evaluate our model with features from hacking forums: McFadden’s pseudo R2, which showed a 21% improvement in explaining variance, and the Brier score for prediction accuracy, with a 17% improvement over EPSS. These results emphasize that current state-of-the-art methods struggle to capture the distinct nuances and complexity of IoT threats, and incorporating available information such as insights into attacker behavior can enhance the factors influencing the targeting of IoT vulnerability better. ...

A Comprehensive Analysis of IoT Vulnerability Targeting and Attacker Decision-Making

The rapid growth of Internet-of-Things (IoT) devices, such as smart cameras, home routers, and smart thermostats, has transformed the digital landscape while also introducing new cybersecurity risks. IoT systems are often targeted by attackers due to outdated software, long device lifespans, and fragmented security practices. Although many IoT vulnerabilities are discovered and disclosed, only a small fraction are actually exploited in the wild. This raises important questions about which vulnerabilities are targeted, why attackers choose them, and how long they remain in use.

This dissertation investigates how IoT vulnerabilities are selected for exploitation in practice, with a particular focus on attacker behavior, exploit development, and vulnerability characteristics. It systematically examines the interplay between these factors to understand how they collectively shape exploitation trends in IoT ecosystems. To answer the central research question on What factors shape the exploitation in IoT vulnerabilities, from target selection to exploit development and prediction?, this dissertation presents four peer-reviewed studies.... ...

Analyzing the target selection of IoT vulnerabilities in malware binaries

Conference paper (2023) - Arwa Abdulkarim Al Alsadi, Kaichi Sameshima, Katsunari Yoshioka, Michel van Eeten, Carlos H. Gañán
For years, attackers have exploited vulnerabilities in Internet of Things (IoT) devices. Previous research has examined target selection in cybercrime, but there has been little investigation into the factors that influence target selection in attacks on IoT. This study aims to better understand how attackers choose their targets by analyzing the frequency of specific exploits in 11,893 IoT malware binaries that were distributed between 2018-2021. Our findings indicate that 78% of these binary files did not specifically target IoT vulnerabilities but rather scanned the Internet for devices with weak authentication. To understand the usage of exploits in the remaining 2,629 binaries, we develop a theoretical model from relevant literature to examine the impact of four latent variables, i.e. exposure, vulnerability, exploitability, and patchability. We collect indicators to measure these variables and find that they can explain to a significant extent (?2=0.38) why some vulnerabilities are more frequently exploited than others. The severity of vulnerabilities does not significantly increase the frequency with which they are targeted, while the presence of Proof-of-Concept exploit code does increase it. We also observe that the availability of a patch reduces the frequency of being targeted, yet that more complex patches are associated with higher frequency. In terms of exposure, more widespread device models are more likely to be targeted by exploits. We end with recommendations to disincentivize attackers from targeting vulnerabilities. ...

Quantifying the Lifespan of Exploits in IoT Malware Using Static and Dynamic Analysis

Conference paper (2022) - Arwa Abdulkarim Al Alsadi, Kaichi Sameshima, Jakob Bleier, Katsunari Yoshioka, Martina Lindorfer, Michel Van Eeten, Carlos H. Gañán
The Internet of things (IoT) is composed by a wide variety of software and hardware components that inherently contain vulnerabilities. Previous research has shown that it takes only a few minutes from the moment an IoT device is connected to the Internet to the first infection attempts. Still, we know little about the evolution of exploit vectors: Which vulnerabilities are being targeted in the wild, how has the functionality changed over time, and for how long are vulnerabilities being targeted? Understanding these questions can help in the secure development, and deployment of IoT networks. We present the first longitudinal study of IoT malware exploits by analyzing 17,720 samples collected from three different sources from 2015 to 2020. Leveraging static and dynamic analysis, we extract exploits from these binaries to then analyze them along the following four dimensions: (1) evolution of infection vectors over the years, (2) exploit lifespan, vulnerability age, and the time-to-exploit of vulnerabilities, (3) functionality of exploits, and (4) targeted IoT devices and manufacturers. Our descriptive analysis uncovers several patterns: IoT malware keeps evolving, shifting from simply leveraging brute force attacks to including dozens of device-specific exploits. Once exploits are developed, they are rarely abandoned. The most recent binaries still target (very) old vulnerabilities. In some cases, new exploits are developed for a vulnerability that has been known for years. We find that the mean time-to-exploit after vulnerability disclosure is around 29 months, much longer than for malware targeting other environments. ...