A three-year-long honeypot experiment featuring simulated low-interaction IoT devices of various types and locations gives a clear idea of why actors target specific devices. More specifically, the honeypot was meant to create a sufficiently diverse ecosystem and cluster the generated data in a way that determines the goals of adversaries. IoT (Internet of Things) devices are a booming market that includes small internet-connected devices such as cameras, lights, doorbells, smart TVs, motion sensors, speakers, thermostats, and many more. It is estimated that by 2025, over 40 billion of these devices will be connected to the Internet, providing network entry points or computational resources that can be used in unauthorized crypto mining or as part of Distributed Denial of Service (DDoS) swarms. The experiment produced data from a massive 22.6 million hits. The various actors exhibited similar attack patterns, likely because their objectives and the means to achieve them were common. For example, most actors run commands such as “masscan” to scan for open ports and “/etc/init.d/iptables stop” to disable firewalls. Additionally, many actors run “free -m”, “lspci grep VGA”, and “cat /proc/cpuinfo”, all three aiming to collect hardware information about the target device. Interestingly, almost a million hits tested “admin / 1234” username-password combination, reflecting an overuse of the credentials in IoT devices. As for end goals, the researchers found that the honeypots were targeted mainly for DDoS recruitment and were often also infected with a Mirai variant or a coin miner. Coin miner infections were the most common observation on the Windows honeypot, followed by viruses, droppers, and trojans. “Only 314 112 (13 %) unique sessions were detected with at least one successful command execution inside the honeypots,” explains the research paper. “This result indicates that only a small portion of the attacks executed their next step, and the rest (87 %) solely tried to find the correct username/password combination.”
To prevent hackers from taking over IoT devices, follow these basic measures:
• Change the default account name and password to something unique and strong (long).
• Set up a separate network for IoT devices and keep it isolated from critical assets.
• Make sure to apply any available firmware or other security updates as soon as possible.
• Actively monitor your IoT devices and look for signs of exploitation.
Most importantly, if a device does not need to be exposed to the Internet, ensure it is located behind a firewall or a virtual private network (VPN) to prevent unauthorized remote access.