Understanding the role of IoT end users in Miria-Like bot remediation

Abstract

Malicious software such as botnets are a threat to society and increasingly so through Internet of Things (IoT) devices. The large volume, pervasiveness and high vulnerability of IoT devices make them low hanging fruit for malicious actors. Currently, the biggest threat for insecure IoT devices is Mirai, a botnet which is deployed for DDoS attacks. Home users often fail to detect and resolve Mirai on their IoT devices. For this reason, Internet Service Providers (ISP) increasingly take efforts to increase remediation. Sending their infected customers a notifications containing cleanup instructions is currently the most feasible measure on a large scale. However, previous studies point out that it is not clear how people process these notifications, if they comply with it and how this effects the remediation rate and speed. The central research question of this study is ‘What is the role of IoT device end users in Mirailike bot remediation?’. We have conducted an eight-week experiment at the KPN Abuse Desk that notifies customers about abuse incidents. 177 Mirai-infected consumers have been randomly assigned to a walled garden notification (i.e., a quarantined environment), an e-mail notification, or control group. All subjects within the experiment have been tracked for two weeks to estimate the infection time and are contacted afterward for interview purposes. Male consumers and consumers younger than 54 years possess relatively more often a Miraiinfected device compared to other consumers. Both e-mail and walled garden notifications are effective in reaching consumers, informing them and encouraging them to take action. The majority of consumers do not follow the recommendations provided by the notification. In contrast, the number of actions that are performed while not mentioned in the notifications is remarkably high. Since many consumers asked for additional help, we conclude that consumers appear don’t have a full understanding of how to tackle the problem. In the control group, several consumers remediated Mirai unintentionally. However, these cases do not explain all observed remediation. Using two survival analysis modeling techniques, we find that consumers placed in a walled garden have a 29% to 85% shorter infection time than other consumers. We conclude that there is a discrepancy between stated behavior and the actual behavior of consumers. Although we cannot observe all cleanup efforts of consumers, we observed that awareness of the Mirai-infection and the intention to comply with the recommended actions influence that unobserved behavior. Gender also influences the unobserved behavior. Women clean up their device quicker than men while their statements during the interviews contradict this. One explanation is that women may unintentionally clean up their device. We conclude that age, consumer market, device type and customer satisfaction have no significant influence on remediation. We believe that it is unlikely that all unexplained remediation can be attributed to the unobserved behavior. We thus cannot explain all observed remediation from the user perspective. Therefore, we argue that future work must also focus on the attacker perspective. Since we only observed Mirai-infections, we cannot exclude the possibility that competing malware confiscated infected devices within our experiment. In addition, novel Mirai variants may have evolved scanning behavior which obstructed proper detection of infected bots.