
Sniff Me Web Service


Reading around in the news today, there seems to be much more talk about the era of IoT devices and the part they appear to be playing in the increase in DDoS attacks against corporations.  This got me thinking: at the moment, there is very little that can easily be done to control this, as most people have no idea whatsoever that their devices have been compromised.

This is where the Sniff Me web service idea started - imagine a service that takes uploaded traffic capture files and assesses them against a known profile.

The Idea

The idea is simple enough; provide a facility for people to use that allows them to upload traffic capture files for selected devices - most probably .pcap due to the popularity of these.  The traffic capture file would be analysed, extracting all public IP addresses.  These would then be checked against a database of known 'approved' IP addresses for that device.

As an example, somebody could upload a 5 minute traffic capture file of their Samsung smart TV, specifying this on the website.  After a few moments, all IP addresses that the smart TV was found communicating with will be checked against a list of known / approved addresses that are known to be used by that particular model of TV.  Any unauthorised connections the device is making will potentially show up and can be flagged to the user.

I often say and do believe that we all need to take a certain amount of responsibility for our information security - most countries mandate driving licences due to the damage that can be done through improper use; to a certain extent, the same applies elsewhere.  I'm certainly not saying we need computer licences :) but we do need to make sure we understand how we are using them and what happens when they're used improperly.  A service such as this would allow consumers to start taking that control and hopefully drastically reduce the success rate of IoT compromise.


Some Hurdles

There are a few issues and questions to resolve before starting this type of service:

  1. How consistent are the communications over the same devices - we need to make sure that IoT devices can actually be profiled and that they will all have the same profile.  This is more than likely the case due to the manufacturing process but there may be minor differences worth thinking about.
     
  2. Ease of Use - It is all well and good offering such a service, but we would need to make sure it is usable.  I mention this because, typically, the type of person that performs a traffic capture on their IoT devices is the type of person that will already have an idea of whether their device is infected.
     
  3. High Numbers - There are simply too many devices to instantly profile along with multiple revisions and versions of the same devices.  We also need to consider what variations may occur between different regions or markets.


The Next Step

As a research team, we are certainly eager to see if something like this can be done.  The next step is to therefore start profiling as many devices as we can; this is where we ask for your help!  The best way of doing something like this is to ask and encourage others to upload a 5 minute packet capture file in the .pcap format for us to analyse.  There are a few requirements here though:

  • Make sure the device(s) are not being actively used at the time - we don't want a list of 200+ IPs only to find that this is because you were also browsing the web or using a streaming service at the time.
  • Inspect the file first or log out of any authenticated services - more on our policy regarding data protection in a moment; you still ideally don't want anything personal being shared if you can help it!
  • Be as accurate as possible - we need to know as much as possible about the device including things like model, version, revision and / or firmware version along with the make, model and any other unique characteristic.

In the very near future, we will create a project entry where we will formally invite you to participate and upload your own traffic capture files via a web form.  At the same time, stay tuned for another blog post on how to sniff the traffic of your IoT devices!

UPDATE FEB 21ST 2017

We have now opened up public submission for the capture files.  To participate, check out our project page with instructions at https://www.tssec.co.uk/team/projects/item/14-sniff-me-web-service.


A quick mention

We do of course treat the privacy of any participants with the highest priority and greatest sensitivity.  We would rather not see anything personal being uploaded, but should we encounter something we do not feel comfortable with, it will be removed and remain undisclosed.  We will not at any point attempt (or allow anybody else) to identify you or your devices based on any uploaded capture files or submitted information.  In addition to this, any uploaded capture files will be encrypted and will not be stored on a publicly accessible server.

About TSSec

We are Digger and Odskee, a small information security research team based in the UK.  We love breaking and fixing things and enjoy getting our hands dirty in the field of infoSec.

Odskee tends to focus on the theoretical, software based aspects while Digger finds himself at home with the raw electronics.  We both have a number of years of experience within a number of similar roles and think these work best as a team.

©2018 TSSec