U-PoT: A Honeypot Framework for UPnP-Based IoT Devices

The ubiquity of IoT devices has brought serious security implications for their users. Many consumer IoT devices have little to no security implementation at all, putting users' privacy at risk and making them targets of mass cyber-attacks. Indeed, the recent outbreak of the Mirai botnet and its variants has already demonstrated the lack of security in the IoT world. Hence, it is important to understand the security issues and attack vectors in the IoT domain. Though significant research has been done to secure traditional computing systems, little focus has been given to the IoT realm. In this work, we reduce this gap by developing a honeypot framework for IoT devices. Specifically, we introduce U-PoT: a novel honeypot framework for capturing attacks on IoT devices that use the Universal Plug and Play (UPnP) protocol. A myriad of smart home devices, including smart switches, smart bulbs, surveillance cameras, smart hubs, etc., use the UPnP protocol. Indeed, a simple search on the Shodan IoT search engine lists 1,676,591 UPnP devices that are exposed to the public network. The popularity and ubiquity of UPnP-based IoT devices necessitate a full-fledged IoT honeypot system for UPnP devices. Our novel framework automatically creates a honeypot from UPnP device description documents and is extendable to any device type or vendor that uses UPnP for communication. To the best of our knowledge, this is the first work towards a flexible and configurable honeypot framework for UPnP-based IoT devices. We released U-PoT under an open source license for further research on IoT security and created a database of UPnP device descriptions. We also evaluated our framework on two emulated devices. Our experiments show that the emulated devices are able to mimic the behavior of a real IoT device and trick vendor-provided device management applications and popular IoT search engines while incurring minimal performance overhead.
