An IoT Honeypot Device for Malware Forensics

Jingyu Yang , Senior Security Researcher , Tencent

Fan Dang, Ph.D. Candidate , Tsinghua University

We have been observing a boom in IoT device-oriented malware against a backdrop of surging IoT device deployment. The targets of cybercrime have gradually shifted to IoT devices rather than traditional PCs or mobile phones, and out-of-date honeypot technology cannot provide sufficient evidence during a malware investigation. In response to these emerging challenges, Tencent has developed a brand-new kind of IoT honeypot for IoT malware forensics.

Compared with traditional honeypot technology, it is a high interaction honeypot (HIH) that provides more information for IoT malware investigation and forensics. Firstly, bidirectional network traffic is captured, which means that the recorded data contains not only the traffic aimed at attacking the device, but also the traffic initiated by the infected device itself. Secondly, common network services are provided, including SSH, Telnet, HTTP, UPnP, and even video streaming. All the services contain dedicated remote code execution vulnerabilities. Once they are compromised, the exploits and malicious actions are monitored and reported to the management center as digital forensics. Finally, a net flow proxy module can optionally be deployed on the front layer. Instead of deploying the device everywhere, the module redirects and aggregates attack flows to pre-set honeypots to increase the coverage of captured attacks globally. The honeypot cluster also benefits from this proxy module in terms of scalability.
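To make the two architectural points above concrete (a front-layer proxy that redirects attack flows to a pre-set honeypot, and capture of traffic in both directions so that connections started by the compromised device are recorded as well), here is a minimal bidirectional-capture TCP proxy. It is an added illustration written for this page, not Tencent's honeypot code; the names FlowRecorder, start_proxy and demo_roundtrip are assumptions, and the echo backend in demo_roundtrip is a constructed stand-in for a real honeypot service.

```python
"""Minimal bidirectional-capture TCP proxy (added example, not the honeypot's own code).

An attacker connects to the proxy's listening port; the proxy forwards the stream
to a pre-set honeypot backend and records every chunk in BOTH directions, so bytes
the honeypot (the 'infected device') sends back out are captured alongside the
inbound attack traffic.  Names and the echo backend are constructed for this example.
"""
import asyncio
import time
from dataclasses import dataclass, field


@dataclass
class FlowRecord:
    ts: float
    direction: str   # "attacker->honeypot" or "honeypot->attacker"
    data: bytes


@dataclass
class FlowRecorder:
    """Collects direction-tagged chunks; the forensic record of one session."""
    records: list = field(default_factory=list)

    def log(self, direction: str, data: bytes) -> None:
        self.records.append(FlowRecord(time.time(), direction, data))

    def summary(self) -> dict:
        """Per-direction byte totals.  Non-zero honeypot->attacker volume after an
        exploit is the signal that the compromised device itself started talking."""
        totals = {"attacker->honeypot": 0, "honeypot->attacker": 0}
        for r in self.records:
            totals[r.direction] += len(r.data)
        return totals


async def _pump(reader, writer, direction: str, recorder: FlowRecorder) -> None:
    """Copy one direction of the stream, logging each chunk before forwarding it."""
    try:
        while True:
            chunk = await reader.read(4096)
            if not chunk:          # peer closed its side
                break
            recorder.log(direction, chunk)
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()             # propagate the close to the other side


async def start_proxy(backend_host: str, backend_port: int, recorder: FlowRecorder,
                      listen_host: str = "127.0.0.1", listen_port: int = 0):
    """Listen on listen_host:listen_port and redirect every connection to the
    pre-set honeypot backend, recording both directions of each session."""
    async def handle(client_reader, client_writer):
        backend_reader, backend_writer = await asyncio.open_connection(backend_host, backend_port)
        await asyncio.gather(
            _pump(client_reader, backend_writer, "attacker->honeypot", recorder),
            _pump(backend_reader, client_writer, "honeypot->attacker", recorder),
        )
    return await asyncio.start_server(handle, listen_host, listen_port)


async def _echo_backend():
    """Constructed stand-in for a honeypot service: reply once and hang up."""
    async def handle(reader, writer):
        data = await reader.read(4096)
        writer.write(b"echo:" + data)
        await writer.drain()
        writer.close()
    return await asyncio.start_server(handle, "127.0.0.1", 0)


def demo_roundtrip(payload: bytes):
    """Run backend, proxy and a simulated attacker on loopback; return the
    recorder and the bytes the attacker saw."""
    async def run():
        recorder = FlowRecorder()
        backend = await _echo_backend()
        backend_port = backend.sockets[0].getsockname()[1]
        proxy = await start_proxy("127.0.0.1", backend_port, recorder)
        proxy_port = proxy.sockets[0].getsockname()[1]
        reader, writer = await asyncio.open_connection("127.0.0.1", proxy_port)
        writer.write(payload)
        await writer.drain()
        reply = await reader.read(4096)
        writer.close()
        await writer.wait_closed()
        proxy.close()
        backend.close()
        await proxy.wait_closed()
        await backend.wait_closed()
        return recorder, reply
    return asyncio.run(run())


if __name__ == "__main__":
    rec, reply = demo_roundtrip(b"hello")
    for r in rec.records:
        print(f"{r.ts:.3f} {r.direction:<20} {r.data!r}")
    print(rec.summary())
```

In a deployment the proxy would listen on the public-facing ports (e.g. 22, 23, 80) of many cheap front nodes and forward to a small pool of real honeypot devices, which is what gives the cluster its coverage and scalability; the recorder would write to the management center instead of a list. The design choice worth noting is that each chunk is logged before it is forwarded, so the record is complete even if the far side drops the connection mid-stream.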

The speech starts by addressing the disadvantages of traditional honeypots in the IoT environment. Then the architecture and the implementation are introduced, followed by the reasons why the IoT honeypot solution helps solve the aforementioned challenges. At the end of the speech, a case study of a real IoT attack captured by the honeypot is presented.

Jingyu Yang
Jingyu Yang received an MSc in Information Security from Royal Holloway, University of London. He is now a senior security researcher at Tencent Anti-Virus Laboratory. He is also the maintainer of the Black Hat Arsenal project HaboMalHunter. His research interests include malware analysis and IoT security.
Fan Dang
Fan Dang received the B.E. degree from the School of Software at Tsinghua University in 2013. He is currently pursuing the Ph.D. degree in the School of Software, Tsinghua University. His research interests include mobile computing and security.