Honware: IoT honeypot for detecting zero-day exploits

Two researchers have created a solution that could help security researchers and IoT manufacturers with detecting zero-day exploits targeting internet-connected devices more speedily than ever before.

It’s called honware, and it’s a virtual honeypot framework that can emulate Linux-based Customer Premise Equipment (CPE) and IoT devices by using devices’ firmware image.

“Honware automatically processes a standard firmware image (as is commonly provided for updates), customises the filesystem and runs the system with a special pre-built Linux kernel. It then logs attacker traffic and records which of their actions led to a compromise,” Alexander Vetterl and Richard Clayton, with the University of Cambridge’s Computer Laboratory, explained.

Solving a long-standing problem

There are several IoT honeypot systems available for researchers out there, but they all have one or more crucial limitations: they are based on physical devices (meaning: the researchers need to buy them), cannot monitor a large number of attackers, or are just a generic representation of a vulnerable platform and, thus, generally fail to detect and capture new attack patterns.

Honware, on the other hand:

• Does not require physical devices to work
• Can easily be made to emulate hundreds and thousands of different devices with different firmware versions
• Allows attackers full control of a machine (i.e., it’s high-interaction), meaning the operators can see and understand how the exploit works.
• Is more fingerprint resistant. It prevents fingerprinting attacks based on protocol deviations or those that identify configurations specific to honeypots and is not susceptible to trivial fingerprinting based on timing attacks.

Vetterl and Clayton have tested honware by rapidly deploying multiple honeypots on the Internet including four brands of ADSL modems, TP-Link, D-Link, Eminent and ipTIME, and detected both known and previously unknown attacks.

“In particular, whilst emulating a router from ipTIME, we observed an unknown attack in which the default DNS setting in the router is changed to a rogue IP address – which we subsequently found to affect not only ipTIME, but also other brands,” they noted.

What’s next?

“The current problem is that attackers exploit a growing number of vulnerable devices and we see that in the growth of IoT-based botnets. However, we often do not know how these devices are actually exploited,” Vetterl told Help Net Security.

“At the moment, we run generic honeypots for various protocols, but they do often not return the appropriate payloads to learn the later parts of an attack. This is not only a problem for us, but it also became apparent in 2018 when Netlab360 was tracking UPnPHunter. They said that they had ‘to tweak and customize our honeypot quite a few times’. This obviously puts us on the backfoot and as we now have fast-stateless scanning (and Shodan, Censys.io, Thingful, etc.) and so vulnerable devices are swept up into a botnet really fast. The only substantive cost for the attackers is detecting the vulnerability itself, but finding vulnerable devices is now trivial and fast.”

Honware has the potential to make life easier for defenders and harder for attackers: a faster discovery of exact attack vectors and procurement of copies of malware means that manufacturers can deploy countermeasures faster and with more precision.

One downside of the framework is that it can’t work without firmware images, and manufacturers often do not make it easy for third parties to get hold of their firmware or get access to the files/binaries inside the devices.

Honware is currently limited to Linux-based devices for ARM and MIPS architectures and, according to Vetterl, they don’t have any plans to add additional architectures for the moment. Still, as other architectures become more prevalent, recompiling the Linux kernel should not be difficult.

“We definitely need to look into further fingerprinting issues, i.e., how would attackers detect our honeypots if we would deploy them at scale,” he noted.

They also won’t be open-sourcing honware (for now), as that would make it substantially easier for the bad guys to detect honeypots that are using the solution and potentially avoid them all together.

“We are, however, definitely interested to work with manufacturers and other researchers to get a better understanding how devices are attacked and running them at scale. It would also be interesting to see if there are areas in which we could improve honware so it works better for certain devices/manufacturers (something the manufacturers should also be interested in). Working with manufacturers would have the additional benefit to get access to firmware images and manufacturers resources (e.g., monitor potential abuses and help to better understand the observed attacks),” he added.

Finally, for those who end up using honware, close monitoring of outgoing traffic and connections is a must.

“Honware emulates the devices as is, meaning that any vulnerability present in the firmware version will also be present in the emulation. Without close monitoring, it could be used as a proxy, serving malware, mining cryptocurrency or ‘attacking’ other systems.”