TORCHLIGHT: Shedding LIGHT on Real-World Attacks on Cloudless IoT Devices Concealed within the Tor Network
Yumingzhi Pan
34th USENIX Security Symposium (USENIX Security '25) · Day 1 · System Security 2: Trusted and Robust Computing
The Internet of Things (IoT) has expanded rapidly, bringing convenience but also a vast attack surface. While many IoT devices rely on cloud services, a significant category termed **cloudless IoT devices**, such as network video recorders (NVRs) and digital video recorders (DVRs), is directly exposed to the internet. This direct exposure, intended to give users more control and reduce the privacy concerns associated with cloud providers, inadvertently makes these devices prime targets for cyberattacks. This talk, presented by Yumingzhi Pan from Southeast University, examines a particularly concerning aspect of this threat landscape: malicious actors' use of the **Tor network** to anonymize their exploitation attempts against these vulnerable cloudless IoT devices.
AI review
Legitimate empirical research with a clever observation at its core: Tor exit nodes as passive honeypots for IoT zero-day discovery. Twenty-nine previously unknown exploitation patterns, 25 CVEs, and 26TB of real attack traffic give this weight that most IoT talks completely lack. The LLM-based traffic analyzer is the methodological wildcard — it either earns its place or it's a gimmick, and the 93%+ accuracy numbers suggest it earns it.