ThingPot: an interactive Internet-of-Things honeypot
Meng Wang, Javier Santillan, and Fernando Kuipers Nov. 23, 2017
Motivation
Popularity:
• IoT becomes more and more popular
• Limited resources of IoT devices
• Large number of diverse devices
Security challenges:
• IoT-related attacks (e.g. Mirai) have already emerged
• Serious consequences
Questions
• What are the most common protocols used by IoT devices?
• Which vulnerabilities and attacks on IoT protocols are known?
• Can honeypots be harnessed to identify attack vectors w.r.t. IoT?
• What can be done to prevent observed IoT attacks?
Background: What is a honeypot? What is XMPP? What is an IoT platform?
Honeypot: learn by deception!
➢ Emulation of a real device
➢ Detect, deflect or counteract
In XMPP/REST/… language: “Hey! I’m a …”
• Smart TV
• Home appliance
• Medical device
• Sensor system
• Automotive device
Honeypot: learn by deception!
Advantages:
• Collect data on actual attacks
• Take advantage of emulation
• Can help IoT security development
Classification:
• High Interaction Honeypot (HIH)
• Low Interaction Honeypot (LIH)
• Medium Interaction Honeypot (MIH)
XMPP: eXtensible Messaging and Presence Protocol
• Application-layer protocol for instant messaging
• Jabber ID (JID): XMPP account
• Extension for IoT (XEP-0323, 0324, 0325, 0326)
[Diagram: Application 1 to Application 5, each addressed by its own JID (JID 1 to JID 5), communicating over XMPP]
IoT platform
[Diagram: an IoT platform consists of a backend API, which works and communicates with the devices, and instant communication protocols, which carry the communication between users/developers (clients) and the API]
ThingPot
IoT platform simulation:
• Backend API: REST API
• Instant communication protocols: XMPP (clients and servers)
• Frontend: device simulation (Philips Hue)
ThingPot PoC & use case
ThingPot PoC & use case: physical topology
• Node 1: REST
• Node 2: REST
• Node 3: REST
• Node 4: XMPP clients
• Node 5: XMPP server
[Diagram: the attacker reaches the REST API and XMPP; a controller drives the device simulation]
ThingPot implementation & use case
• Philips Hue & XMPP integration platform
• Device simulation: Philips Hue
ThingPot implementation & use case: attack paths
[Diagram: two attack paths from the attacker to the device simulation, one via the REST API and one via XMPP]
ThingPot in the wild!
Data
➢ 46 days (from June 22nd to August 7th, 2017)
➢ 113,741 backend requests in total
➢ 619 different IPs involved
Findings
1. Targeted attack trying to take control
   • “shooter”: 31,567 requests on the honeypot, 92 IPs involved
   • "/api/" with the POST method
2. Attack with the body following the multipart/form-data format
   • “000modscan”, “mass”, “botlight”: HTTP POST with interesting body, 5,392 requests on the honeypot, 33 IPs involved
   • URL with targeted keyword
3. Attack with URL (HTTP GET)
   1. /api/philips/hue/{32_chars}
   2. /api/phi/light/{32_chars}
   3. /api/philips1/hue/{32_chars}
   4. /api/philips2/hue-link/{32_chars}
   5. /api/belkin/wemo/{32_chars}
   6. /api/tplink/light/{32_chars}
   7. /api/hue/{0-750}
   8. /api/phi/light/{32_chars}/tokens
   9. /api/{32_chars}/tokens
   10. /api/{32_chars}
4. General scanning tools or libraries
   • skipfish
   • Nikto
   • Jorgee
   • masscan
   • Python library: urllib [9]
   • /http:/testp3.pospr.waw.pl/testproxy.php
   • Proxyradar: on https://proxyradar.com/
5. Other unrelated attacks
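A defender-side classifier, added here and not part of the ThingPot slides or repository, that labels backend requests with the five finding categories listed above and reports request and distinct-IP counts per category, the two figures the Data slide gives. The URL patterns, keywords and tool names come from the Findings slides; the Request layout, the label strings and the sample traffic are assumptions.

```python
import re
from dataclasses import dataclass
@dataclass
class Request:  # field layout is an assumption; the slides do not show ThingPot's log format
    src_ip: str
    method: str
    path: str
    user_agent: str = ""
    content_type: str = ""
    body: str = ""

TOKEN = r"[0-9A-Za-z]{32}"  # the {32_chars} placeholder used on the Findings slide
GET_PATTERNS = [re.compile(p) for p in (  # finding 3: device-probing GET URLs
    rf"^/api/(philips/hue|philips1/hue|philips2/hue-link)/{TOKEN}$",
    rf"^/api/phi/light/{TOKEN}(/tokens)?$",
    rf"^/api/(belkin/wemo|tplink/light)/{TOKEN}$",
    r"^/api/hue/([0-9]{1,2}|[1-6][0-9]{2}|7[0-4][0-9]|750)$",  # /api/hue/{0-750}
    rf"^/api/{TOKEN}(/tokens)?$",
)]
FORM_KEYWORDS = ("000modscan", "mass", "botlight")  # finding 2: multipart/form-data POSTs
SCANNER_UAS = ("skipfish", "nikto", "jorgee", "masscan", "python-urllib")  # finding 4

def classify(req: Request) -> str:
    """Return the label of the finding this backend request matches, else '5:other'."""
    if any(s in req.user_agent.lower() for s in SCANNER_UAS):
        return "4:scanner"
    if (req.method == "POST" and req.content_type.startswith("multipart/form-data")
            and any(k in req.body or k in req.path for k in FORM_KEYWORDS)):
        return "2:multipart-body"
    if req.method == "POST" and req.path.startswith("/api/"):
        return "1:targeted-post"
    if req.method == "GET" and any(p.match(req.path) for p in GET_PATTERNS):
        return "3:device-url"
    return "5:other"

def summarize(reqs):
    """Per finding: (request count, distinct source IPs), as reported on the Data slide."""
    counts, ips = {}, {}
    for r in reqs:
        cat = classify(r)
        counts[cat] = counts.get(cat, 0) + 1
        ips.setdefault(cat, set()).add(r.src_ip)
    return {c: (counts[c], len(ips[c])) for c in counts}
SAMPLE = [  # constructed traffic for illustration, not captured honeypot data
    Request("198.51.100.1", "POST", "/api/", body='{"devicetype":"shooter"}'),
    Request("198.51.100.1", "POST", "/api/", body='{"devicetype":"shooter"}'),
    Request("198.51.100.2", "POST", "/api/mass", content_type="multipart/form-data; boundary=b",
            body='--b\r\nContent-Disposition: form-data; name="botlight"\r\n\r\n1\r\n--b--'),
    Request("198.51.100.3", "GET", "/api/philips/hue/" + "a" * 32),
    Request("198.51.100.4", "GET", "/", user_agent="Mozilla/5.00 (Nikto/2.1.6)"),
]
```

Running summarize(SAMPLE) yields two requests from one IP in category 1 and one request from one IP in each of categories 2, 3 and 4; the check order matters, since a scanner's POST to /api/ should be attributed to the tool, not to the targeted attack.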
Conclusion
➢ XMPP
   ✓ Integration of different components in multi-node communications
   ✓ May provide additional layers of security
   ✓ Attacker activities are very limited
➢ REST
   ✓ Large number of attacker activities
[Diagram: attack paths from the attacker via the REST API and via XMPP to the device simulation]
Conclusion
➢ ThingPot: first IoT platform honeypot (https://github.com/Mengmengada/ThingPot)
➢ Five types of attacks were found:
   ✓ Attackers are looking (e.g. via Shodan.io) for devices like Philips Hue, Belkin Wemo, TP-Link, etc.
   ✓ Attackers are interested in obtaining information about the smart devices and in taking control of them
   ✓ Attackers are using the Tor network to mask their real source address
Thank you for your attention!