ThingPot: an interactive Internet-of-Things honeypot

Meng Wang, Javier Santillan, and Fernando Kuipers
Nov. 23, 2017


Motivation

Popularity

•  IoT becomes more and more popular

Security challenges

•  Limited resources of IoT devices
•  Large number of diverse devices

Serious consequences

•  IoT-related attacks (e.g. Mirai) have already emerged

Motivation Background ThingPot Results Conclusion


Questions

What are the most common protocols used by IoT devices?

Which vulnerabilities and attacks on IoT protocols are known?

Can honeypots be harnessed to identify attack vectors w.r.t. IoT?

What can be done to prevent observed IoT attacks?


What is a honeypot?

What is XMPP?

What is an IoT platform?


Honeypot: learn by deception!

•  Emulation of a real device
•  Detect, deflect or counteract

In XMPP/REST/… language: Hey! “I’m a …”

•  SmartTV
•  Home appliance
•  Medical device
•  Sensor system
•  Automotive device


Honeypot: learn by deception!

•  Advantages:
   •  Collect data on actual attacks
   •  Take advantage of emulation
   •  Can help IoT security development

•  Classification:
   •  High Interaction Honeypot (HIH)
   •  Low Interaction Honeypot (LIH)
   •  Medium Interaction Honeypots (MIH)


XMPP: eXtensible Messaging and Presence Protocol

•  Application-layer protocol for instant messaging
•  Jabber ID (JID): XMPP account
•  Extension for IoT (XEP-0323, 0324, 0325, 0326)

[Figure: Application 1 to Application 5, shown on the following slide as JID 1 to JID 5]


IoT platform

[Figure: IoT platform. Components: Backend API, Clients, Instant Communication Protocols. Actors: Users/developers. Captions: "Work and communicate with the devices"; "Communication between users and API"]


ThingPot PoC & use case

[Figure: ThingPot. Labels: IoT platform simulation (Backend API; Instant communication protocols; Clients; Servers; Frontend) and Device simulation. Labels added on the following slide: XMPP, REST API, Philips Hue]


ThingPot PoC & use case

Physical topology

•  Node 1: REST
•  Node 2: REST
•  Node 3: REST
•  Node 4: XMPP Clients
•  Node 5: XMPP Server

[Figure: Attacker, Controller, REST API, XMPP, Device Simulation]


ThingPot implementation & use case

[Figure: Philips Hue; Philips Hue & XMPP Integration Platform; Device Simulation]


ThingPot implementation & use case

Attack paths

[Figure: Attacker, REST API, XMPP, Device Simulation; Attack path 1, Attack path 2]

ThingPot in the wild!

Data

•  46 days (from June 22nd to August 7th, 2017)
•  113,741 backend requests in total
•  619 different IPs involved


Findings

1.  Targeted attack trying to take control

•  “shooter”
•  31567 requests on the honeypot
•  92 IPs involved
•  "/api/" with the POST method


2.  Attack with the body following the multipart/form-data format

•  “000modscan”, “mass”, “botlight”
•  HTTP POST with interesting body
•  5392 requests on the honeypot
•  33 IPs involved
•  URL: with targeted keyword


3.  Attack with URL

HTTP GET:

   1. /api/philips/hue/{32_chars}
   2. /api/phi/light/{32_chars}
   3. /api/philips1/hue/{32_chars}
   4. /api/philips2/hue-link/{32_chars}
   5. /api/belkin/wemo/{32_chars}
   6. /api/tplink/light/{32_chars}
   7. /api/hue/{0-750}
   8. /api/phi/light/{32_chars}/tokens
   9. /api/{32_chars}/tokens
   10. /api/{32_chars}


4.  General scanning tools or libraries

•  skipfish
•  Nikto
•  Jorgee
•  masscan
•  Python library: urllib [9]
•  /http:/testp3.pospr.waw.pl/testproxy.php
•  Proxyradar: On https://proxyradar.com/


5.  Other unrelated attacks
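Added example (not code from ThingPot or the authors): one way to sort honeypot backend requests into the five finding categories above, using the URL templates and names shown on the slides. The placeholder meanings, the choice to match keywords in the body and tool names in the User-Agent, and the rule order are assumptions.

```python
import re

# URL templates as listed on the "Attack with URL" slide.
TEMPLATES = [
    "/api/philips/hue/{32_chars}", "/api/phi/light/{32_chars}",
    "/api/philips1/hue/{32_chars}", "/api/philips2/hue-link/{32_chars}",
    "/api/belkin/wemo/{32_chars}", "/api/tplink/light/{32_chars}",
    "/api/hue/{0-750}", "/api/phi/light/{32_chars}/tokens",
    "/api/{32_chars}/tokens", "/api/{32_chars}"]
# Assumed placeholder meaning: 32 alphanumerics; an integer from 0 to 750.
SUBS = {"{32_chars}": r"[0-9A-Za-z]{32}",
        "{0-750}": r"(?:750|7[0-4]\d|[1-6]\d\d|[1-9]\d|\d)"}
# Names from the slides. Assumed: keywords in the body, tools in User-Agent.
BODY_KEYWORDS = ("000modscan", "mass", "botlight")
SCANNERS = ("skipfish", "nikto", "jorgee", "masscan", "urllib")

def compile_template(template):
    # Escape the literal path, then swap each placeholder for its pattern.
    rx = re.escape(template)
    for placeholder, pattern in SUBS.items():
        rx = rx.replace(re.escape(placeholder), pattern)
    return re.compile(rx)

URL_REGEXES = [(t, compile_template(t)) for t in TEMPLATES]

def classify(method, path, body="", ctype="", agent=""):
    """Return (finding number 1-5 from the slides, matched detail)."""
    ctype, agent = ctype.lower(), agent.lower()
    if method == "POST" and path.rstrip("/") == "/api" and "shooter" in body:
        return 1, "shooter"
    if method == "POST" and ctype.startswith("multipart/form-data"):
        for keyword in BODY_KEYWORDS:
            if keyword in body:
                return 2, keyword
    if method == "GET":
        for template, rx in URL_REGEXES:
            if rx.fullmatch(path):
                return 3, template
    hit = next((s for s in SCANNERS if s in agent), None)
    return (4, hit) if hit else (5, None)

# Constructed sample requests (not ThingPot data): method, path, body, type, agent
TOKEN = "0123456789abcdef" * 2
SAMPLE = [
    ("POST", "/api/", "shooter"),
    ("POST", "/upload", "botlight", "multipart/form-data; boundary=x"),
    ("GET", "/api/belkin/wemo/" + TOKEN),
    ("GET", "/api/hue/751"),  # id outside 0-750: falls through to finding 5
    ("GET", "/", "", "", "masscan/1.0")]
```

Full-path matching keeps near misses, such as an out-of-range light id or a 31-character token, out of finding 3, so they surface under finding 5 for manual review.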


Conclusion

•  XMPP
   •  Integration of different components in multi-node communications
   •  May provide additional layers of security
   •  Attacker activities are very limited

•  REST
   •  Large number of attacker activities

[Figure: Attacker, REST API, XMPP, Device Simulation; Attack path 1, Attack path 2]


Conclusion


•  ThingPot: First IoT platform honeypot (https://github.com/Mengmengada/ThingPot)

•  Five types of attacks were found:
   •  Attackers are looking (e.g. via Shodan.io) for devices like Philips Hue, Belkin Wemo, TPlink, etc.
   •  Attackers are interested in obtaining information about the smart devices and in taking control of them
   •  Attackers are using the TOR network to mask their real source address


Thank you for your attention!