Security researchers have devised a new approach that leverages electromagnetic (EM) emanations to detect evasive malware on IoT devices. The approach works even when the malware is obfuscated.

What’s the fuss about?

The findings were presented by researchers from the Research Institute of Computer Science and Random Systems (IRISA) at the Annual Computer Security Applications Conference (ACSAC).
  • The side-channel data is used to detect anomalies: emanations that differ from the patterns previously observed in the system’s normal state point to suspicious behavior.
  • Without any on-device modification, the method enables detection and classification of kernel-level rootkits, ransomware, and previously unseen variants.
  • The electromagnetic emanation measured from the device is nearly undetectable by the malware itself, so, unlike with dynamic software monitoring, malware evasion tactics cannot be applied directly against it.
  • Further, malware usually has no control over external hardware, so a protection system built on hardware features cannot be taken down even when the malware runs with maximum privilege.

Equipment used

During the experiment, the researchers used a Raspberry Pi 2B as the target device (1GB of memory, 900MHz quad-core ARM Cortex-A7 processor) together with a PA 303 BNC preamplifier and an oscilloscope. This setup detected three malware types and their families with accuracies of 99.82% and 99.61%, respectively.

How it works

The approach works in three phases: measuring electromagnetic emanations while executing 30 different malware binaries and benign activities, training a Convolutional Neural Network (CNN) model on those measurements, and using the trained model to classify malware samples.
  • In particular, the framework takes an executable as input and outputs malware labels derived from the side-channel information.
  • Even with simple neural network models, the researchers obtained precise information about the state of the monitored device.
  • It works against various code obfuscation/transformation techniques, such as random junk insertion, virtualization, and packing, and even against a transformation the system had not seen before.
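A runnable sketch of the three phases above, added here as an illustration and not the researchers' code: constructed synthetic traces stand in for oscilloscope captures, and a nearest-centroid model over log-magnitude spectra stands in for the CNN (both hypothetical choices). It shows why a frequency-domain feature survives a junk-insertion-style perturbation that rewrites the time-domain waveform.

```python
# Toy version of the three-phase pipeline: capture traces, build a model, classify.
# Traces are CONSTRUCTED synthetic signals, not real EM measurements; a
# nearest-centroid model stands in for the paper's CNN (hypothetical choices).
import cmath
import math
import random

N = 128  # samples per constructed trace
# Hypothetical characteristic frequency bins emitted by each activity class.
CLASS_TONES = {"benign": [5, 11], "ransomware": [17, 23], "rootkit": [9, 29]}

def make_trace(label, rng, obfuscated=False):
    """Synthesise one trace: class tones + noise, optionally 'obfuscated'."""
    phase = rng.uniform(0, 2 * math.pi)
    trace = [sum(math.sin(2 * math.pi * k * n / N + phase) for k in CLASS_TONES[label])
             + rng.gauss(0, 0.3) for n in range(N)]
    if obfuscated:  # time shift and junk spikes change the waveform, not the tones
        shift = rng.randrange(N)
        trace = trace[shift:] + trace[:shift]
        for _ in range(N // 8):
            trace[rng.randrange(N)] += rng.uniform(-2, 2)
    return trace

def spectrum(trace):
    """Normalised log-magnitude DFT: the time-shift-invariant feature vector."""
    mags = [abs(sum(x * cmath.exp(-2j * math.pi * k * n / N) for n, x in enumerate(trace)))
            for k in range(N // 2)]
    feats = [math.log1p(m) for m in mags]
    norm = math.sqrt(sum(f * f for f in feats)) or 1.0
    return [f / norm for f in feats]

def train(rng, per_class=8):
    """Phases 1-2: measure clean traces of each class, average into centroids."""
    model = {}
    for label in CLASS_TONES:
        specs = [spectrum(make_trace(label, rng)) for _ in range(per_class)]
        model[label] = [sum(col) / per_class for col in zip(*specs)]
    return model

def classify(model, trace):
    """Phase 3: label an unseen trace by its nearest spectral centroid."""
    f = spectrum(trace)
    return min(model, key=lambda lbl: sum((a - b) ** 2 for a, b in zip(f, model[lbl])))

def evaluate(seed=1, trials=10):
    """Accuracy on obfuscated traces that were never used for training."""
    rng = random.Random(seed)
    model = train(rng)
    hits = sum(classify(model, make_trace(lbl, rng, True)) == lbl
               for lbl in CLASS_TONES for _ in range(trials))
    return hits / (trials * len(CLASS_TONES))
```

Calling `evaluate()` trains on clean traces only and scores the model on shifted, junk-spiked traces; a time-domain template match would fail on the same inputs.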

Concluding notes

The rapid development and growing adoption of IoT appliances make them a lucrative target for cybercriminals. Their much wider attack surface also makes stealthy malware harder to detect. Researchers are therefore expected to keep improving malware analysis techniques to mitigate these security risks.

Cyware Publisher
