Next Generation Honeypot for IoT

The exponential growth of the number of IoT devices in the last years will increase the number of attacks perpetrated against IoT devices, since more IoT devices will be used to carry out illegal activities on the Internet. An example may be Mirai, a botnet composed of 200.000 and 300.000 infections with a peak of 600.000 infected devices, mainly routers and cameras. In 2016 it was able to launch DDoS attacks against Krebs on Security and Deutsche Telekom leaving 900.000 Germans offline. This poses a great threat for all the systems and infrastructures connected to Internet since they may be of vital importance for human daily activities. Nowadays many solutions have been developed to identify a threat from the Internet such as Firewalls, Honeypots, Intrustion Detection Systems. On the other hand, given the limited number of Honeypot solutions for IoT devices, we present a methodology to build a digital twin of an IoT device only by using network traffic and then use it as honeypot. A digital twin gives a logical representation of a physical device and is able to emulate its internal state. We developed a software to automatically parse the packets captured during the interaction between a user and an IoT device, extract statistics and store the packet extracted fields in a database. This database represents the dictionary of requests and responses used to build the digital twin of a given device. We applied this methodology on a testbed environment composed of an heterogeneous set of popular IoT home network devices connected through the Internet via a router instrumented with our tool. We also tried to perform man in the middle in order to increase the amount of plain text traffic exchanged from each device using mitmproxy with no success, since no app trusted the mitmproxy self signed certificate. We performed some analysis on the captured traffic for all the devices and we found out that all of them exchanged traffic mainly with respect to remote hosts than directly with their companion app although they were in the same LAN network. Moreover they contacted a handful of remote ports for both TCP and UDP protocols. The analysis of the TLS version used showed that although it is considered a recommendation to not support prior version than TLSv1.2, the vast majority of devices were still using TLSv1.0 during the Client Hello handshake, whereas the servers presented most of the times at least a TLSv1.2 version in Server Hello handshake. A few of them supported also TLSv1.0 and TLSv1.3. In order to have a proof of the effectiveness of this methodology we have built a first digital twin based on a Philips Hue Bridge that we have used as honeypot. We put this honeypot on the wild and we collected traffic from August to mid November. We then compared the traffic received from this honeypot with respect to other two honeypots that are Tanner and CameraObcura running in the same months. Tanner is a generic honeypot that emulates basic web sites running on port 80 whereas CameraObscura is impersonating a D-Link camera. From the results obtained our honeypot was contacted by the highest number of different IPs and the highest number of requests received with respect to Tanner and CameraObscura. In the end the analysis of the CVEs discovered in the requests sent from remote hosts revealed that our honeypot was able to detect more threats related to IoT devices such as cameras or home routers than the other two honeypots.