Skip to content
IotShark - Monitoring and Analyzing IoT Traffic
Python HTML JavaScript CSS
Branch: master
Clone or download
Latest commit e2401eb Jan 7, 2020
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
code-playground Added Flask dyanic and static graph generation Nov 26, 2019
csv Add live graphs for 5 packet traces from Alexa Echo Dot. Dec 3, 2019
report Add final report Dec 10, 2019
static Misc updates to html Dec 4, 2019
templates Misc updates to html Dec 4, 2019
tools
.gitignore
ArpSpoofing.py Add static analysis code and update gitignore Nov 28, 2019
DiscoverHosts.py Add inbound, outbound and total bytes to graph Nov 27, 2019
PySharkCapture.py
README.md Update readme Jan 7, 2020
StaticCSVAnalysis.py Update static graph Nov 28, 2019
UserState.py Add 'is user speaking now' data to the Chart.js graph on a separate y… Dec 2, 2019
app.py Merge branch 'master' of https://github.com/sahilmgandhi/cs219-f19-fi… Dec 4, 2019
mitm_main.py
requirements.txt Update requirements Nov 28, 2019

README.md

cs219-f19-final-project

IoTShark

This is our final project for CS 219 for the Fall 2019 quarter.

IoTShark is a IOT monitoring service that allows users to monitor their IOT devices for trends in data sent/received. Ordinarily, setting up a man in the middle attack with proper configurations can take up quite a bit of time, and may seem dauntingly impossible for those with little to no experience in computer security or even computer science.

IoTShark aims to provide a [nearly] fully automated solution for a user to monitor their IOT devices by simply running a single script. The user merely has to select which device they wish to monitor, and this program takes care of the rest of the heavy work by starting the ARP poisoning, setting up the packet forwarding and the man in the middle packet sniffer. It also has an easy to understand and interactive web UI where a user can filter the packets based on the ports, types, and timestamps to get a broader understanding of how much and when things are being transmitted.

We also aim to classify certain kinds of data such as heartbeat messages, data transfers, and anomalies, though the last one will likely be demonstrated on the un-encrypted RPi test since it is difficult to do anomaly detection without huge amounts of data (and we would require many devices and individuals to gather that much data).

How to run:

  1. Install the required libraries: $pip3 -r requirements.txt
  2. Set up the ip forwarding: $sudo sysctl net.inet.ip.forwarding=1
  3. Run the app: sudo python3 mitm_main.py

The Main Script

Create a Python virtual envionment and install dependency packages.

virtualenv --python=`which python3` venv
source venv/bin/activate
python -r requirements.txt

Make sure packet forwarding is enabled on your local machine. This is necessary for man-in-the-middle attack to work. On macOS this can be done with:

sudo sysctl net.inet.ip.forwarding=1

Run the main program mitm_main.py. See that script for accepted options.

Currently this program does three things:

  1. Scan for all hosts either in the given subnet by the -s option or a set of common residential subnets
  2. Discover the hardware vendor and OS of each host
  3. Perform ARP poisoning between the selected host and gateway router
  4. Output graphs of past captured data by the -f option followed by relative path to csv file

After ARP poisoning is running, you can examine traffic from the target device by Wireshark with a display filter like:

(ip.src==192.168.0.215 or ip.dst==192.168.0.215) and tcp.port != 443

Data File Format

The captured data is stored in a csv file with the following format:

{timestamp, incoming_bytes, outgoing_bytes, srcport, dstport, transfer_protocol, connection_protocol, srcip, dstip}

123123213, 0, 240, 36, 80, 65124, HTTP, UDP, 192.168.0.215, 104.24.4.5
123123240, 300, 0, 800, 443, 65125, HTTPS, TCP, 104.24.4.5, 192.168.0.215

Using the Tool to Sniff IoT Devices

For example, here is a long string that we can say to Alexa Echo Dot/Google Home while sniffing their traffic. Pay attention if the device is transmitting data before the wake word.

It is a dark and stormy night. My friends and I just came back from the Yosemite National Park, where the quick brown fox jumps over the lazy dog. Next week is Thanksgiving. Black Friday in 2019 is coming as well. It's a good time to do something exciting, such as taking a Computer Security class or a Programming Language class at UCLA. By the way, the first Airbus A380 jumbo jet is retiring. We like flying in that plane.

WAKE_WORD, what is the weather like in Los Angeles on Thanksgiving?

Anyways, we have Boeing 787 Dreamliners for cross-continental flights. The Web and Mobile System class with Ravi is amazing. We should upgrade the commercial laundry machine during the Black Friday sale. The bright and sunny weather is coming back and a trip to Joshua Tree National Park awaits. Well, I just saw a slow cat crashed into a new Android robot. There are some other robots made by Apple and Amazon too.
You can’t perform that action at this time.