Traditional intrusion detection technology has encountered many new challenges in the IoT field, including:
Traditional solutions, such as setting up monitoring agents on devices, are not applicable in the world of IoT.
In this talk, we propose a new approach based on a hypothesis: memory access is inevitable. After an IoT device is compromised, the attacker has to store the attack payload in non-volatile memory (NVM) so that the backdoor survives a device restart. The range of NVM types is limited: SPI flash or eMMC is commonly used, and their interfaces are relatively uniform. More advantageously, the file systems found in NVM are also limited, such as jffs2, squashfs and ubi. This spares us the fragmentation problem of IoT devices.
We developed an intrusion-detection system called IoT Woodpecker that sits on the hardware bus between memory and the CPU/SoC. By monitoring in real time the memory used in common IoT devices, we can effectively extract the following features:
a) NVM read and write behaviors
b) Contents of files read and written in the file system
c) Hashes of related files
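The three features above can be illustrated with a small bus-level monitor. The following is an added example, not IoT Woodpecker's code: it assumes the hardware probe has already decoded the SPI bus into (opcode, address, payload) transactions, and the partition layout, the constant names and the sample traffic are all constructed for the demonstration. Reads are treated as normal boot traffic; erases and page programs are checked against the partition table (a write into a region that is read-only in normal operation is the strongest signal), every programmed payload is scanned for an ELF header landing in persistent storage, and the bytes written to each partition are hashed so the analyst can compare them with a known-good baseline.

```python
"""Bus-level NVM write monitor over decoded SPI flash transactions.

Added example, not IoT Woodpecker's code. It assumes the hardware probe has
already decoded the SPI bus into (opcode, address, payload) transactions; the
partition layout, the opcodes used and the sample traffic are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Standard SPI NOR flash opcodes (common JEDEC values).
CMD_READ = 0x03
CMD_PAGE_PROGRAM = 0x02
CMD_SECTOR_ERASE = 0x20


@dataclass(frozen=True)
class Partition:
    name: str
    start: int      # inclusive flash offset
    end: int        # exclusive flash offset
    writable: bool  # True if writes are expected during normal operation


# Assumed layout of a 16 MiB SPI flash on a hypothetical router (constructed).
PARTITIONS = [
    Partition("u-boot", 0x000000, 0x040000, False),
    Partition("kernel", 0x040000, 0x200000, False),
    Partition("rootfs_squashfs", 0x200000, 0xC00000, False),
    Partition("overlay_jffs2", 0xC00000, 0x1000000, True),
]


@dataclass(frozen=True)
class Transaction:
    opcode: int
    address: int  # 24-bit flash address
    data: bytes   # payload of a page program; empty for read/erase


@dataclass
class Report:
    alerts: List[str] = field(default_factory=list)             # writes where none are expected
    markers: List[str] = field(default_factory=list)            # notable content in written payloads
    write_bytes: Dict[str, int] = field(default_factory=dict)   # bytes programmed per partition
    write_hashes: Dict[str, str] = field(default_factory=dict)  # sha256 of programmed bytes per partition


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def partition_for(address: int) -> Optional[Partition]:
    """Map a flash address to its partition, or None if it is outside the table."""
    for p in PARTITIONS:
        if p.start <= address < p.end:
            return p
    return None


def analyze(transactions: List[Transaction]) -> Report:
    """Flag unexpected NVM writes and record what was written, per partition."""
    report = Report()
    written: Dict[str, bytearray] = {p.name: bytearray() for p in PARTITIONS}
    for t in transactions:
        if t.opcode not in (CMD_PAGE_PROGRAM, CMD_SECTOR_ERASE):
            continue  # reads (and status/ID commands) are normal boot-time traffic
        kind = "program" if t.opcode == CMD_PAGE_PROGRAM else "erase"
        part = partition_for(t.address)
        if part is None:
            report.alerts.append(f"{kind} at 0x{t.address:06X} outside the partition table")
            continue
        if not part.writable:
            # Firmware images are read-only in operation; a write here is a strong signal.
            report.alerts.append(f"{kind} at 0x{t.address:06X} in read-only partition {part.name}")
        if t.opcode == CMD_PAGE_PROGRAM:
            written[part.name] += t.data
            if b"\x7fELF" in t.data:
                # A new executable landing in persistent storage deserves a look.
                report.markers.append(f"ELF header written to {part.name} at 0x{t.address:06X}")
    for name, buf in written.items():
        if buf:
            report.write_bytes[name] = len(buf)
            report.write_hashes[name] = sha256_hex(bytes(buf))
    return report


# Constructed sample traffic: normal boot reads and an overlay config write, then an
# unexpected rewrite of the squashfs region and an ELF dropped into the overlay.
SAMPLE_TRAFFIC = [
    Transaction(CMD_READ, 0x040000, b""),
    Transaction(CMD_READ, 0x200100, b""),
    Transaction(CMD_SECTOR_ERASE, 0xC01000, b""),
    Transaction(CMD_PAGE_PROGRAM, 0xC01000, b"wifi_ssid=home\n"),
    Transaction(CMD_SECTOR_ERASE, 0x3F0000, b""),
    Transaction(CMD_PAGE_PROGRAM, 0x3F0000, b"\x00" * 16),
    Transaction(CMD_PAGE_PROGRAM, 0xC02000, b"\x7fELF" + b"\x01" * 8),
]

if __name__ == "__main__":
    r = analyze(SAMPLE_TRAFFIC)
    for a in r.alerts:
        print("ALERT:", a)
    for m in r.markers:
        print("MARKER:", m)
    for name in r.write_bytes:
        print(f"{name}: {r.write_bytes[name]} bytes, sha256 {r.write_hashes[name]}")
```

On the constructed traffic the monitor raises two alerts (the erase and the page program inside the squashfs region), one marker for the ELF header written to the overlay, and a per-partition hash of everything programmed, which is the bus-level counterpart of feature c). Reconstructing individual files (feature b) needs a parser for the file system in question on top of this; the raw payloads are the input to that step.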
In addition, for mass deployment, we also designed a hardware gadget that is easy to attach and detach. At present, experiments have been conducted on a variety of smart speakers and wireless routers, and the results are very promising. We will demonstrate the analysis results on some targets.
Further, we also try to combine this method with a traditional risk-control system as a supplementary decision factor. We also introduce machine-learning approaches that automate the analysis of the bus traffic collected by IoT Woodpecker.