No Spring Chicken

Quantifying the Lifespan of Exploits in IoT Malware Using Static and Dynamic Analysis

Conference Paper (2022)
Author(s)

Arwa Al Alsadi (TU Delft - Organisation & Governance)

Kaichi Sameshima (Yokohama National University)

Jesse Bleij (Technische Universität Wien)

Katsunari Yoshioka (Yokohama National University)

Martina Lindorfer (Technische Universität Wien)

Michel Van Eeten (TU Delft - Organisation & Governance)

Carlos Hernandez Ganan (TU Delft - Organisation & Governance)

Research Group
Organisation & Governance
Copyright
© 2022 Arwa Al Alsadi, Kaichi Sameshima, Jakob Bleier, Katsunari Yoshioka, Martina Lindorfer, M.J.G. van Eeten, C. Hernandez Ganan
DOI related publication
https://doi.org/10.1145/3488932.3517408
Publication Year
2022
Language
English
Pages (from-to)
309-321
ISBN (electronic)
978-1-4503-9140-5
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

The Internet of Things (IoT) is composed of a wide variety of software and hardware components that inherently contain vulnerabilities. Previous research has shown that it takes only a few minutes from the moment an IoT device is connected to the Internet to the first infection attempts. Still, we know little about the evolution of exploit vectors: Which vulnerabilities are being targeted in the wild, how has the functionality changed over time, and for how long are vulnerabilities being targeted? Understanding these questions can help in the secure development and deployment of IoT networks. We present the first longitudinal study of IoT malware exploits by analyzing 17,720 samples collected from three different sources from 2015 to 2020. Leveraging static and dynamic analysis, we extract exploits from these binaries to then analyze them along the following four dimensions: (1) evolution of infection vectors over the years, (2) exploit lifespan, vulnerability age, and the time-to-exploit of vulnerabilities, (3) functionality of exploits, and (4) targeted IoT devices and manufacturers. Our descriptive analysis uncovers several patterns: IoT malware keeps evolving, shifting from simply leveraging brute force attacks to including dozens of device-specific exploits. Once exploits are developed, they are rarely abandoned. The most recent binaries still target (very) old vulnerabilities. In some cases, new exploits are developed for a vulnerability that has been known for years. We find that the mean time-to-exploit after vulnerability disclosure is around 29 months, much longer than for malware targeting other environments.