ThingPot: an interactive Internet-of-Things honeypot
This work addresses security vulnerabilities in IoT devices, a problem that is critical for preventing attacks like the Mirai DDoS, but it is incremental, as it builds on existing honeypot technology.
The authors tackled the problem of understanding attacker strategies against IoT devices by proposing ThingPot, a novel IoT honeypot that mimics a full IoT platform, and deployed it for 1.5 months to capture data revealing five types of attacks and attack vectors.
The Mirai Distributed Denial-of-Service (DDoS) attack exploited security vulnerabilities of Internet-of-Things (IoT) devices and thereby clearly signalled that attackers have IoT on their radar. Securing IoT is therefore imperative, but to do so it is crucial to understand the strategies of such attackers. For that purpose, in this paper, a novel IoT honeypot called ThingPot is proposed and deployed. Honeypot technology mimics devices that might be exploited by attackers and logs their behavior to detect and analyze the attack vectors used. ThingPot is the first of its kind, since it focuses not only on the IoT application protocols themselves, but on the whole IoT platform. A Proof-of-Concept is implemented with XMPP and a REST API to mimic a Philips Hue smart lighting system. ThingPot has been deployed for 1.5 months, and through the captured data we have found five types of attacks and attack vectors against smart devices. The ThingPot source code is made available as open source.