
Inferring Software Composition and Credentials of Embedded Devices from Partial Knowledge

PROCEEDINGS OF THE 2021 17TH INTERNATIONAL CONFERENCE ON NETWORK AND SERVICE MANAGEMENT (CNSM 2021): SMART MANAGEMENT FOR FUTURE NETWORKS AND SERVICES (2021)

Abstract
Internet-of-Things (IoT) devices, or more generally embedded devices, are nowadays commonly deployed in public, personal or work spaces despite suffering from security issues often related to their poor design and/or configuration. For instance, IoT botnets such as Mirai successfully compromised thousands of devices using a brute-force method on a set of known credentials. Although brute-force attacks against a particular service (e.g. SSH, telnet) generate many packets, which can be easily detected and mitigated, attackers can rely on TCP scans to assess the services present on a device while maintaining a high level of stealthiness. In this paper, we present a method to reconstruct precise information about an IoT device configuration (brand name, usernames, passwords, software components) from partial knowledge such as open ports revealed by a TCP scan. It relies on building a knowledge base from a large dataset of publicly accessible firmware, which is used to train multiple Random Forest (RF) classifiers. Using a dataset of 6935 embedded devices, the HTTP, SSH or DNS software names can be predicted with a precision higher than 80% with limited knowledge. The correct HTTP, SSH or DNS versions can be inferred in more than 95% of cases after 1.4 trials on average. Similarly, our technique also predicts the password of at least one valid user in more than 97% of the cases after 1.15 trials on average.