Setting out to sink the internet's digital ghost ships

Researchers at DTU have set out to create novel tools to identify internet-of-things gadgets that leave the door open to hacker attacks. Knowing where these devices are and making them secure is a powerful weapon in the fight against attackers.

Our love affair with smart devices has led to an explosive growth in the number of devices we surround ourselves with. But whereas they allow us to keep an eye on our homes when we are away or help us track the expiry date of items stored in our fridges, they also leave us vulnerable to intruders, who can use them to hack their way into our homes.

For instance, if we choose weak passwords for our internet-connected smart devices or fail to update their security systems, we risk creating access points for hackers.

Once a malicious mind has entered your network via devices such as security cameras or fridges, they can try to exploit you by taking charge of your computer and encrypting files until you pay a ransom to have them decrypted. Or they could use your network as a gateway to harm others by orchestrating attacks from hundreds of thousands of hacked devices simultaneously.

Identifying digital ghost ships

In a new project, DTU Associate Professor Emmanouil Vasilomanolakis aims to develop a method that can detect such ‘digital ghost ships’—devices in the sea of smart electronics that have been neglected and pose a security threat. As he explains, knowing where they are is crucial to alerting the owner so they can either make them safe to use or disable them.

“We believe that digital ghost ships are a real security threat,” he says.

Emmanouil Vasilomanolakis coined the term digital ghost ship, which references the ghost ships of the seas—vessels that have no crew on board to safely steer them.

It’s not just in people’s homes that gadgets with poorly maintained security features pose a problem. In fact, the stakes are often much higher for businesses and organizations that use and rely on smart devices if an intruder gets through and creates havoc.

Emmanouil Vasilomanolakis points out that the healthcare industry is a good example: “Hospitals use more and more devices that need internet connectivity. If these devices are hacked and stop functioning, we may have a life and death situation.”

He explains that even cheap devices such as surveillance cameras for your home that can’t do much can be powerful tools for hackers – especially if they gain access to a large number of devices at the same time and use them to stage an attack on another target:

“If you can access only one device, it’s not a very powerful attack. But of course, if you can use one million devices, that creates a serious security threat.”

Such attacks can be used, for example, to force authorities’ websites offline, as was seen when Chinese hackers managed to temporarily force Taiwanese government websites offline during the visit of US Speaker of the House of Representatives Nancy Pelosi to Taiwan in August. Hackers can also use them to cause significant disruption to commercial sites, effectively blocking actual customers from purchasing goods for periods of time.

A more finely meshed safety net

Commercial services are already available that allow users to scan the internet and identify internet-connected devices. Emmanouil Vasilomanolakis aims to create a much more finely meshed safety net that scans and detects only actual digital ghost ships while omitting properly maintained gadgets.

The system will also be trained to avoid so-called honeypots and other false positives. A honeypot is a detection system that developers create to attract attackers to a secure system to study their behaviour.

The researchers will investigate novel ways of creating network signatures of digital ghost ships. A network signature is a footprint that has been left following unauthorized access. The aim is to enrich these signatures with device fingerprinting capabilities. Collecting such fingerprints provides information about the software and hardware of the device in question, making it easier to identify its type.

DTU will collaborate with the University of Cambridge for this part of the project.