Stephen Herwig (University of Maryland), Katura Harvey (University of Maryland, Max Planck Institute for Software Systems (MPI-SWS)), George Hughey (University of Maryland), Richard Roberts (University of Maryland, Max Planck Institute for Software Systems (MPI-SWS)), Dave Levin (University of Maryland)

The Internet of Things (IoT) introduces an unprecedented diversity and ubiquity to networked computing. It also introduces new attack surfaces that are a boon to attackers. The recent Mirai botnet showed the potential and power of a collection of compromised IoT devices. A new botnet, known as Hajime, targets many of the same devices as Mirai, but differs considerably in its design and operation. Hajime uses a public peer-to-peer system as its command and control infrastructure, and regularly introduces new exploits, thereby increasing its resilience.

We show that Hajime’s distributed design makes it a valuable tool for better understanding IoT botnets. For instance, Hajime cleanly separates its bots into different peer groups depending on their underlying hardware architecture. Through detailed measurement—active scanning of Hajime’s peer-to-peer infrastructure and passive, longitudinal collection of root DNS backscatter traffic—we show that Hajime can be used as a lens into how IoT botnets operate, what kinds of devices they compromise, and what countries are more (or less) susceptible. Our results show that there are more compromised IoT devices than previously reported; that these devices use an assortment of CPU architectures, the popularity of which varies widely by country; that churn is high among IoT devices; and that new exploits can quickly and drastically increase the size and power of IoT botnets. Our code and data are available to assist future efforts to measure and mitigate the growing threat of IoT botnets.

View More Papers

SANCTUARY: ARMing TrustZone with User-space Enclaves

Ferdinand Brasser (Technische Universität Darmstadt), David Gens (Technische Universität Darmstadt), Patrick Jauernig (Technische Universität Darmstadt), Ahmad-Reza Sadeghi (Technische Universität Darmstadt), Emmanuel Stapf (Technische Universität Darmstadt)

Read More

RFDIDS: Radio Frequency-based Distributed Intrusion Detection System for the...

Tohid Shekari (ECE, Georgia Tech), Christian Bayens (ECE, Georgia Tech), Morris Cohen (ECE, Georgia Tech), Lukas Graber (ECE, Georgia Tech), Raheem Beyah (ECE, Georgia Tech)

Read More

Thunderclap: Exploring Vulnerabilities in Operating System IOMMU Protection via...

A. Theodore Markettos (University of Cambridge), Colin Rothwell (University of Cambridge), Brett F. Gutstein (Rice University), Allison Pearce (University of Cambridge), Peter G. Neumann (SRI International), Simon W. Moore (University of Cambridge), Robert N. M. Watson (University of Cambridge)

Read More

Latex Gloves: Protecting Browser Extensions from Probing and Revelation...

Alexander Sjösten (Chalmers University of Technology), Steven Van Acker (Chalmers University of Technology), Pablo Picazo-Sanchez (Chalmers University of Technology), Andrei Sabelfeld (Chalmers University of Technology)

Read More