Automated Device Independent Honeypot Generation of IoT and Industrial IoT Devices
The interconnection of physical devices, vehicles, household appliances and other objects with electronics, software, sensors and actuators has become an integral part of our modern lives. The industrial sector is also undergoing a change in device communication. Traditionally, automated factories and critical infrastructure were strictly separated from the Internet. However, since the advent of Industry 4.0, devices at the control as well as the supervisory level are frequently connected to the Internet to collect analytic data. The resulting network is called the “Internet of Things” (IoT) and “Industrial Internet of Things” (IIoT). Attackers seek to compromise such interconnected devices with malware campaigns to use them for spam distribution, Distributed Denial of Service (DDoS) attacks, cryptomining, or as an attack vector in Advanced Persistent Threat (APT) attacks. For this reason, interconnected devices are exposed to continuous threats and ongoing attacks. The large set of diverse hardware and software, combined with the neglect of security best practices, such as the use of the same default credentials on all devices, the often non-existent update policies, and the lack of software hardening techniques, renders IoT and IIoT devices an ideal target for attackers. Many solutions have already been proposed to monitor the Internet for malware infections. So-called “honeypots” are a common practice, but due to the heterogeneity of the devices they are substantially harder to implement in the IoT and IIoT domain than in the field of commodity systems (e.g., desktop computers, smartphones). The heterogeneous landscape of IoT and IIoT devices poses new challenges to the deployment of honeypots that still need to be solved, and so far no generic honeypot framework exists that is capable of attracting attacks for the wide variety of hardware and software architectures.
Our goal is to provide a framework that automatically creates honeypots tailored to the target device for the (Industrial) Internet of Things, honeypots capable of convincing an adversary that they have actually breached a real device instead of a decoy. Our honeypots will be executed in an emulation environment that is able to interact with the outside world over common IoT and IIoT communication channels and that allows us to apply fine-grained supervision techniques to monitor the adversary’s behavior throughout their entire attack.