To understand why threat actors target specific devices, researchers at the National Institute of Standards and Technology (NIST) and the University of Florida ran a three-year honeypot experiment built from simulated low-interaction IoT devices of diverse types, hosted in diverse locations. The honeypot was designed to present a reasonably varied ecosystem and to gather enough data to determine what the adversaries were after.
According to the researchers, IoT (Internet of Things) devices, the small internet-connected gadgets such as cameras, lights, doorbells, smart TVs, motion sensors, speakers, and thermostats, constitute an expanding market. Over 40 billion of these devices are expected to be connected to the Internet by 2025, each providing a network access point or computing resources that can be abused for unauthorized cryptocurrency mining or conscripted into DDoS attacks.
The honeypot ecosystem designed by the researchers consisted of three components: server farms, a vetting system, and data collection and processing infrastructure. To build a diverse ecosystem, the researchers deployed the honeypot emulators Cowrie, Dionaea, KFSensor, and HoneyCamera.
The researchers tuned the honeypots' appearance so that they looked like real devices when indexed by Censys and Shodan, two specialized search engines that catalogue internet-exposed services. The honeypots fell into three primary types:
• HoneyShell – Emulating Busybox
• HoneyWindowsBox – Emulating IoT devices running Windows
• HoneyCamera – Emulating various IP cameras from Hikvision, D-Link, and other vendors
The experiment collected data from 22.6 million hits, the vast majority of them aimed at the HoneyShell honeypot. The different actors followed similar attack patterns because their objectives, and the means they used to reach them, were largely the same.
For example, most attackers ran commands such as "masscan" to scan for open ports and "/etc/init.d/iptables stop" to disable the firewall. Many also executed "free -m", "lspci | grep VGA", and "cat /proc/cpuinfo", all three of which gather hardware information (memory, graphics hardware, and CPU) about the compromised device, the kind of profiling that tells an attacker whether the host is worth loading with a miner.
Interestingly, nearly a million login attempts used the "admin / 1234" username-password combination, suggesting that these default credentials are widespread on IoT devices. As for end goals, the researchers found that the HoneyShell and HoneyCamera honeypots were targeted mainly for DDoS recruitment and were frequently infected with a Mirai variant or a coin miner.
“Only 314,112 (13%) unique sessions were detected with at least one successful command execution inside the honeypots,” reads the research paper. “This result indicates that only a small portion of the attacks executed their next step, and the rest (87%) solely tried to find the correct username/password combination.”
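The analysis described in the last three paragraphs (which commands attackers run after login, how often the admin/1234 pair is tried, and what share of sessions progress past credential guessing) is the kind of thing a defender can reproduce over their own honeypot logs. The following is an added example, not code from the study or from any of the honeypot projects named above. It assumes Cowrie-style JSON event records (eventid, session, src_ip, username, password, input); the sample log lines are constructed for illustration, and the command-marker table is an assumption that extends the page's list of commands with a few common equivalents (iptables -F, nmap, nproc).

```python
import json
from collections import Counter, defaultdict

# Constructed sample events in the shape Cowrie writes to its JSON log.
# These are made-up records for illustration, not data from the NIST/UF study.
SAMPLE_LOG = """
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"198.51.100.7","username":"admin","password":"1234"}
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"198.51.100.7","username":"root","password":"root"}
{"eventid":"cowrie.login.success","session":"b2","src_ip":"203.0.113.9","username":"admin","password":"1234"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"203.0.113.9","input":"/etc/init.d/iptables stop"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"203.0.113.9","input":"cat /proc/cpuinfo"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"203.0.113.9","input":"free -m"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"203.0.113.9","input":"lspci | grep VGA"}
{"eventid":"cowrie.login.success","session":"c3","src_ip":"192.0.2.44","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"192.0.2.44","input":"masscan -p23 10.0.0.0/8 --rate 10000"}
{"eventid":"cowrie.login.failed","session":"d4","src_ip":"198.51.100.8","username":"admin","password":"1234"}
{"eventid":"cowrie.login.success","session":"e5","src_ip":"198.51.100.9","username":"user","password":"user"}
"""

# Assumed marker table: substrings that place a command in a tactic bucket.
# The page names iptables stop, free -m, lspci | grep VGA, /proc/cpuinfo and
# masscan; the other entries are common equivalents added here.
TACTICS = {
    "firewall_disable": ("iptables stop", "iptables -F"),
    "hardware_profiling": ("/proc/cpuinfo", "free -m", "lspci", "nproc"),
    "scanning": ("masscan", "nmap"),
}


def parse_log(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_commands(commands):
    """Return the set of tactic labels matched by a session's command list."""
    hits = set()
    for cmd in commands:
        for tactic, markers in TACTICS.items():
            if any(marker in cmd for marker in markers):
                hits.add(tactic)
    return hits


def summarize(events):
    """Group events by session and compute the study's headline metrics."""
    sessions = defaultdict(lambda: {"logged_in": False, "commands": []})
    credentials = Counter()
    for ev in events:
        state = sessions[ev["session"]]
        eid = ev["eventid"]
        if eid in ("cowrie.login.failed", "cowrie.login.success"):
            credentials[(ev["username"], ev["password"])] += 1
            if eid == "cowrie.login.success":
                state["logged_in"] = True
        elif eid == "cowrie.command.input":
            # Assumption: any command the honeypot accepted counts as executed.
            state["commands"].append(ev["input"])

    total = len(sessions)
    with_commands = [sid for sid, s in sessions.items() if s["commands"]]
    return {
        "total_sessions": total,
        "sessions_with_commands": len(with_commands),
        # Sessions that never got past credential guessing (or logged in and left).
        "credential_only_sessions": total - len(with_commands),
        "command_execution_pct": round(100.0 * len(with_commands) / total, 1) if total else 0.0,
        "credential_counts": credentials,
        "tactics": {sid: classify_commands(sessions[sid]["commands"]) for sid in with_commands},
    }


def analyze(text=SAMPLE_LOG):
    return summarize(parse_log(text))


if __name__ == "__main__":
    report = analyze()
    print(f"sessions: {report['total_sessions']}, "
          f"with command execution: {report['sessions_with_commands']} "
          f"({report['command_execution_pct']}%)")
    print("most tried credentials:", report["credential_counts"].most_common(3))
    for sid, tactics in report["tactics"].items():
        print(sid, sorted(tactics))
```

On the constructed sample, two of five sessions execute commands (40%), the admin/1234 pair is tried three times, session b2 shows the firewall-disable plus hardware-profiling pattern the page associates with miner deployment, and c3 shows outbound scanning. On a real Cowrie log the proportions should look closer to the 13% / 87% split quoted above; a session that disables iptables and then profiles CPU and GPU is a strong signal to pull that session's downloaded files for a Mirai or miner sample.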