Model-Based Framework for exploiting sensors of IoT devices using a Botnet: A case study with Android

TL;DR

This paper presents a modular, communication-agnostic botnet framework for IoT devices, highlighting how sensors can be exploited maliciously and proposing privacy-preserving design considerations.

Contribution

It introduces a novel, centralized, domain fluxing-based botnet framework for IoT, demonstrating its implementation and emphasizing privacy protection during device design.

Findings

Framework is communication channel independent

Proof of concept botnet is successfully implemented

Highlights privacy risks and mitigation strategies in IoT design

Abstract

Botnets have become a serious security threat not only to the Internet but also to the devices connected to it. Factors like the exponential growth of IoT, the COVID-19 pandemic that's sweeping the planet, and the ever-larger number of cyber-criminals who now have access to or have developed increasingly more sophisticated tools are incentivizing the growth of botnets in this domain. The recent outbreak of botnets like Dark Nexus (derived from Qbot and Mirai), Mukashi, LeetHozer, Hoaxcalls, etc. shows the alarming rate at which this threat is converging. The botnets have attributes that make them an excellent platform for malicious activities in IoT devices. These IoT devices are used by organizations that need to both innovate and safeguard the personal and confidential data of their customers, employees, and business partners. The IoT devices have built-in sensors or actuators which can be exploited to monitor or control the physical environment of the entities connected to them thereby violating the fundamental concept of privacy-by-design of these devices. In this paper, we design and describe a modular botnet framework for IoT. Our framework is communication channel independent because it utilizes various available communication channels for command and control of an IoT device. The framework uses an enhanced centralized architecture associated with a novel Domain Fluxing Technique. The proposed framework will provide insights into how privacy in IoT devices can be incorporated at design time to check the sensors and actuators in these devices against malicious exploitation consequently preserving privacy. This paper includes design considerations, command and control structures, characteristics, capabilities, intrusion, and other related work. Furthermore, proof of concept Botnet is implemented and explained using the developed framework.