Three years of running low-interaction honeypots that simulate IoT devices of various types and locations gives a clear idea of why threat actors target specific devices.
Specifically, the honeypot was intended to create a sufficiently diverse ecosystem and to aggregate the data generated in such a way as to determine the objectives of the adversaries.
IoT (Internet of Things) devices are a growing market that includes small devices connected to the Internet such as cameras, lights, doorbells, smart TVs, motion sensors, speakers, thermostats and many others.
It is estimated that by 2025, more than 40 billion of these devices will be connected to the internet, providing network entry points or computational resources that can be used in unauthorized cryptocurrency mining or as part of DDoS swarms.
The three components of the honeypot ecosystem put together by researchers at NIST and the University of Florida included server farms, a verification system, and infrastructure for data capture and analysis.
To create a diverse ecosystem, researchers installed Cowrie, Dionaea, KFSensor, and HoneyCamera, which are out-of-the-box IoT honeypot emulators.
Researchers configured their instances to appear as real devices on Censys and Shodan, two specialist search engines that find services connected to the Internet.
The three main types of honeypots were:
- HoneyShell – Busybox emulation
- HoneyWindowsBox – Emulation of IoT devices under Windows
- HoneyCamera – Emulation of various IP cameras from Hikvision, D-Link and other vendors.
A new element of this experiment is that the honeypots have been adjusted to respond to attacker traffic and attack methods.
The researchers used the collected data to alter the configuration and defenses of the IoT honeypots, and then collected new data reflecting the actors' response to those changes.
The experiment yielded data from 22.6 million hits, the vast majority targeting the HoneyShell honeypot.
The different actors exhibited similar attack patterns, probably because their goals and the means to achieve them were common.
For example, most actors run commands like “masscan” to find open ports and “/etc/init.d/iptables stop” to disable firewalls.
Additionally, many actors run “free -m”, “lspci | grep VGA” and “cat /proc/cpuinfo”, all of which aim to collect hardware information about the target device.
Interestingly, nearly a million attempts tested the “admin/1234” username-password combination, reflecting the widespread reuse of default credentials in IoT devices.
As for the end goals, the researchers found that the HoneyShell and HoneyCamera honeypots were primarily targeted for DDoS recruiting and were often also infected with a Mirai variant or a coin miner.
Coin miner infections were the most common sighting on the Windows honeypot, followed by viruses, droppers, and Trojans.
In the case of the HoneyCamera, researchers intentionally created a vulnerability to reveal credentials and noticed that 29 actors were manually exploiting the vulnerability.
“Only 314,112 (13%) unique sessions were detected with at least one successful command fulfillment inside the honeypots,” the research paper explains.
“This result indicates that only a small portion of the attacks took their next step, and the rest (87%) only tried to find the correct username/password combination.”
How to secure your devices
To prevent hackers from taking over your IoT devices, follow these basic steps:
- Change the default account password to something unique and strong (long).
- Configure a separate network for IoT devices and keep it isolated from critical assets.
- Make sure to apply any available firmware or other security updates as soon as possible.
- Actively monitor your IoT devices and look for signs of exploitation.
Most importantly, if a device doesn’t need to be exposed to the internet, make sure it’s behind a firewall or VPN to prevent unauthorized remote access.
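The monitoring advice above can be made concrete with the attacker behaviour the study reports: the recon and firewall-disabling commands, the default-credential guessing, and the small share of sessions that get past login. The following is an added example, not code from the research paper or from the honeypot projects it names; it runs over constructed log lines in the JSON-per-line style Cowrie emits, and the field names (`eventid`, `session`, `src_ip`, `username`, `password`, `input`) are assumed rather than taken from the article.

```python
import json
import re
from collections import Counter

# Recon and defence-evasion commands the study reports attackers running.
# Patterns are constructed for this example; extend them for your own deployment.
RECON_PATTERNS = {
    "port_scan": re.compile(r"\bmasscan\b"),
    "firewall_disable": re.compile(r"/etc/init\.d/iptables\s+stop"),
    "hw_recon": re.compile(r"\bfree -m\b|\blspci\b.*VGA|cat\s+/proc/cpuinfo"),
}

# Constructed sample log lines in the JSON-per-line style Cowrie uses
# (field names assumed; check them against your own honeypot's output).
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "session": "a1", "src_ip": "203.0.113.5", "username": "admin", "password": "1234"}
{"eventid": "cowrie.login.failed", "session": "a1", "src_ip": "203.0.113.5", "username": "root", "password": "root"}
{"eventid": "cowrie.login.success", "session": "b2", "src_ip": "198.51.100.7", "username": "admin", "password": "1234"}
{"eventid": "cowrie.command.input", "session": "b2", "src_ip": "198.51.100.7", "input": "cat /proc/cpuinfo"}
{"eventid": "cowrie.command.input", "session": "b2", "src_ip": "198.51.100.7", "input": "/etc/init.d/iptables stop"}
{"eventid": "cowrie.command.input", "session": "b2", "src_ip": "198.51.100.7", "input": "masscan -p23 10.0.0.0/8"}
"""

def analyse(log_text):
    """Per-session tactics, most-tried credentials, and share of sessions that ran commands."""
    sessions = {}
    creds = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = sessions.setdefault(ev["session"],
                                {"src_ip": ev.get("src_ip"), "logged_in": False, "tactics": set()})
        if ev["eventid"].startswith("cowrie.login"):
            creds[(ev["username"], ev["password"])] += 1
            if ev["eventid"] == "cowrie.login.success":
                s["logged_in"] = True
        elif ev["eventid"] == "cowrie.command.input":
            for name, pat in RECON_PATTERNS.items():
                if pat.search(ev["input"]):
                    s["tactics"].add(name)
    # Mirrors the paper's metric: how many sessions progressed past credential guessing.
    active = sum(1 for s in sessions.values() if s["tactics"])
    return {
        "sessions": sessions,
        "top_credentials": creds.most_common(3),
        "post_login_ratio": active / len(sessions) if sessions else 0.0,
    }
```

Calling `analyse(SAMPLE_LOG)` flags session `b2` for all three tactics and leaves `a1` as a login-only session, which is the split the study describes between the 13% that ran commands and the 87% that only guessed credentials.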