Phase II Amount
$1,326,192
Internet of Things (IoT) devices, ranging from common household objects to medical assets and industrial equipment, have enabled a wide range of attractive use cases through their feedback loops of sensing and actuating. Their low cost and promise of automation have resulted in skyrocketing adoption, with projections placing the total number of IoT devices in the tens of billions by 2023. From a security and network-management perspective, IoT devices are single-purpose, Internet-connected computers that expand the boundaries of networks and increase their attack surface, through their sheer number as well as the difficulty of managing a medley of different hardware and network protocols, with varying levels of outdated software. These vulnerable IoT devices have already been abused for spying on their users as well as for creating botnets that can launch record-breaking DDoS attacks. In this project, we propose to design, implement, and evaluate IoTPanorama, a scalable system for the passive identification of IoT devices. Unlike typical reconnaissance approaches that involve active scanning, IoTPanorama can detect the presence of IoT devices by analyzing the by-product communications that these devices already perform as part of their normal operation. Namely, our system takes advantage of DNS resolutions and NetFlow records to create device-specific signatures that can then be used to identify IoT devices, even when origin-obfuscating technologies (such as NATs) are in place. We propose methods to detect not only IoT devices but also their status, differentiating between benign IoT devices, IoT devices that have been orphaned, and those that have already been compromised.
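To make the passive, DNS-based side of this approach concrete, the following is an added illustration (not IoTPanorama's code) that matches constructed device signatures against the aggregate set of domains resolved from a single NAT address; the device models, domain names and the NXDOMAIN-based "orphaned" heuristic are all assumptions of the example.

```python
from collections import defaultdict

# Constructed signature database: device model -> domains it resolves during
# normal operation. Model and domain names are hypothetical placeholders.
SIGNATURES = {
    "cam-model-x":  {"fw.cam-example.test", "stream.cam-example.test", "ntp.pool.test"},
    "plug-model-y": {"api.plug-example.test", "ntp.pool.test"},
}

# Constructed passive-DNS log: "src_ip qname rcode", one resolution per line.
# 203.0.113.10 is a NAT gateway hiding several devices behind one address.
DNS_LOG = """\
203.0.113.10 fw.cam-example.test NOERROR
203.0.113.10 stream.cam-example.test NOERROR
203.0.113.10 ntp.pool.test NOERROR
203.0.113.10 api.plug-example.test NXDOMAIN
203.0.113.10 update.unexpected-example.test NOERROR
"""

def parse_dns_log(text):
    """Group resolutions by source address: ip -> {qname: rcode}."""
    by_ip = defaultdict(dict)
    for line in text.splitlines():
        ip, qname, rcode = line.split()
        by_ip[ip][qname] = rcode
    return by_ip

def identify(resolutions, signatures=SIGNATURES):
    """Match signatures against the union of domains seen from one address.
    Subset matching lets several devices behind a NAT be recognised from
    their combined lookups. Status heuristic (an assumption of this example):
    a matched device whose vendor domains return NXDOMAIN is 'orphaned',
    otherwise 'benign'. Lookups no signature explains are returned separately
    so an analyst can review them."""
    seen = set(resolutions)
    devices = {}
    for model, sig in signatures.items():
        if sig <= seen:
            orphaned = any(resolutions[d] == "NXDOMAIN" for d in sig)
            devices[model] = "orphaned" if orphaned else "benign"
    explained = set().union(*(signatures[m] for m in devices))
    unexplained = sorted(seen - explained)
    return devices, unexplained

if __name__ == "__main__":
    for ip, res in parse_dns_log(DNS_LOG).items():
        print(ip, *identify(res))
```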
In addition to the aforementioned passive identification techniques, IoTPanorama will support non-intrusive methods for passive-to-active hand-offs that cause IoT devices to contact designated monitoring servers (as opposed to external systems trying to contact the IoT devices), enabling IoTPanorama to derive fine-grained device signatures and, if/when necessary, mitigate compromised devices.