Page 234 - Kaleidoscope Academic Conference Proceedings 2024
P. 234
2024 ITU Kaleidoscope Academic Conference
created a taxonomy by classifying the products according to d. search by location
their applications and finally listing the classified products. Search regions with the most farmland.
Figure 3 shows the taxonomy of devices. The taxonomy The search query is country: "JP" city: "Regions
of system/service is based on the classification of products Name".
consisting of multiple devices rather than devices alone. e. search by LTE telecommunication companies
"System" is a generic term for a system in which various In Japan, agricultural businesses often use domestic
devices interact with each other to achieve a specific purpose. carriers as they provide coverage in remote areas. In
A service satisfies user needs by providing a particular addition, lighttpd is a web server used in many camera
function or value. Services are often offered using systems, GUIs such as DVRs and NVRs.
and users can use services without being aware of the system. The search query is org: "Carrier Name" lighttpd.
In other words, the system is the foundation of the service,
and the service is the value provided to the user using the We matched the IP addresses of the devices with source IP
system. The taxonomy was created by classifying products addresses emitting Mirai-infected communications for the
into "System" and "Service" on the basis of their uses. Figure year 2023, obtained using the darknet observation system
4 shows the system/service taxonomy. NICTER [19]. However, while there were several matches,
As Figures 3 and 4 show, the device taxonomy is more none could be conclusively identified as products related to
hierarchical than that of system/service. This means that agricultural IoT. Therefore, it is plausible that agricultural IoT
devices for agricultural use have a wide range of applications is not a primary target for Mirai infections.
and are segmented. In addition, there are no network
devices specific to agriculture, and we verified that the 4.2 Shodan search for AGRI NEXT products
products commonly used in other industries are also used
Next, we searched 175 products exhibited at AGRI NEXT
in agriculture.
using Shodan. If Shodan hit many of the products surveyed
in this study, many agricultural products in widespread use
4. SURVEY OF ACTUAL SITUATION USING
today may be vulnerable. On the other hand, if the number
CYBERSECURITY OBSERVATION NETWORK
of hits is small, the security risk may not have been revealed
Shodan [11] is a search engine that searches for to the public. The search date is 2023/11/10, and the search
Internet-connected devices and systems, similar to how method is keyword search, i.e., searching by character strings.
a conventional Web search engine searches for websites, In this case, the search query is query="product name," and
and can be used to identify security risks and network we searched 175 products exhibited at AGRI NEXT. We used
vulnerabilities. Shodan search results include device and the Corporate plan offered by Shodan, which includes all
service type, version information, location, IP address, search filters.
and open port numbers. In addition, the IP address Out of the 175 products, 31 were returned as hits. However,
and open port number can be verified through the search, the keyword search outputs all devices that contain the
enabling an attacker to determine if the hit product has a searched string. This means that the searched keywords may
security vulnerability. If the number of hits for a searched have hits in parts other than the product name. Therefore,
product is high, it means that the product is widely used a keyword search hit may differ from the expected product.
in agriculture, has a large number of users, and is of We then checked the JSON files of the search hits to see if
high-security importance. However, Shodan search has they were identical to the products we had searched for. The
limitations. Shodan cannot search for devices that are offline JSON files contain the product and vendor names, and we
or in private networks. In addition, periodic scanning and can check whether the product is the same as the product
tracking of dynamic IP addresses is necessary because IP under investigation by reviewing the JSON files. Table 2
fluctuations occur in practice. shows the information for five products: one sensor, one
service, and three systems. Many products hit by the search
4.1 Shodan search for all available products were systems and services, and a few were edge devices such
as sensors and drones. The countries were also scattered,
First, we did not limit our search to AGRI NEXT products but with two from Japan and Korea and one from the United
rather to all devices searchable by Shodan. The seven search States. Furthermore, the IP addresses identified by System
criteria are as follows. C were IPv6, while others were IPv4. We also checked the
a. html containing "agriculture" or "farm" IP addresses of the products listed in Table X against the IP
The search query is http.html: "agriculture", and addresses obtained using NICTER, as in 4.1. However, no IP
http.html: "farm" addresses matched.
b. html containing "smart" In this work, wesearched Shodanfor 175products exhibitedat
In Japan, IoT in agriculture is called "smart farming", AGRI NEXT. In addition, we investigated the Mirai infection
so the product names were expected to contain similar status using NICTER, a darknet observation system. The
words. results showed that most of the products were not hit by the
The search query is http.html: "smart". Shodan search. Furthermore, the survey results on the Mirai
c. search by agricultural products with WebGUI screen infection status using NICTER did not provide evidence that
Search query: http.html: "agri" port:443 (also port:80) agricultural IoT products are Mirai’s primary target. These
– 190 –
