Why buy, if you can DIY? Developing an effective, cost-efficient IoT Honeypot System through Virtualization

Andrew L. Go, Virus Analyst Manager, G Data AV Lab

Wren Fer M. Balangcod, Virus Analyst, G Data AV Lab

At the end of 2017, there were an estimated 8.4 billion devices connected to the Internet, with an equivalent expenditure of $2 trillion from both the business and consumer sectors, as reported by Gartner, Inc. These devices, commonly known as the Internet of Things (IoT), are expected to balloon to 20 billion with a spending value of $3 trillion by 2020 [1].

With such an enormous market, malicious actors will also be interested in jumping on the IoT bandwagon, since most IoT devices lack basic protection: they ship with default credentials and are either unable to receive firmware updates or never get them. This has resulted in the proliferation of recent, infamous IoT malware such as Mirai, Brickerbot and Tsunami, among others, as noted by AV-TEST [2].

Given the forecast of a meteoric rise in the number and variety of IoT devices in the coming years, and the security challenges witnessed in recent incidents, there are still only a handful of systems designed and built to collect malware that specifically targets “smart devices” and to understand its behavior.

One major reason for this is the heterogeneity of IoT devices: it is too costly to purchase and deploy real devices of various functionalities and operating systems to serve as sample collectors and analysis systems such as honeypots.

Deploying a basic smart security surveillance system would cost around $300 to $500 [3][4], but to simulate a lavish smart home with Danalock smart locks [5], Rachio smart sprinkler controllers [6], and a matching Tesla Model S smart car [7], the overall price will deter any thought of pursuing it. Hence, taking only a “slice of the pie” is more cost-efficient and realistic.

That is why we initially set out to research how attackers and malware currently use IoT devices to carry out covert and malicious activities, which specific smart devices are targeted, and which architectures and operating systems they have in common. We then reused existing, open-source concepts and technologies, and even their original purpose, but combined them in an innovative approach, which led to the development of the Virtualized IoT Honeypot.

This research work focuses primarily on imparting the knowledge needed to design and build a virtualized, high-interaction IoT honeypot, with the following scope based on the latest industry reports [8]:

  • Virtualization: QEMU and KVM
  • IoT Device: IP Camera
  • Architecture: ARM
  • Operating System: Linux – Raspbian Jessie Lite
  • Protocols: HTTP, SSH and Telnet

In addition to this, we will demonstrate typical attacks on an IP camera, both from an attacker’s point of view and as carried out by an existing ARM-based IoT malware. More importantly, we will leverage the Virtualized IoT as a security platform by deploying honeypots such as Cowrie and Dionaea on it. To reinforce this setup, an IDS (Snort) and a packet analyzer (Wireshark) are used to monitor and detect possible malicious network activity.

This proof-of-concept technology may use conventional applications and techniques, but we believe it is fit for combatting the evolving threats and motives of cybercriminals. As one would say, the battlefield may have changed, but the tools for waging war have remained the same.


[1] hxxps://www.gartner.com/newsroom/id/3598917
[2] hxxps://www.av-test.org/fileadmin/pdf/security_report/AV-TEST_Security_Report_2016-2017.pdf
[3] hxxps://www.cnet.com/news/smart-security-buying-guide/
[4] hxxps://www.samsung.com/us/smart-home/home-monitoring/security-systems/s/_/n-10+11+hv1xa+zq232/
[5] hxxp://shop.danalock.com/products/7-danalock-v3/
[6] hxxp://rachio.com/store
[7] hxxps://www.tesla.com/models
[8] hxxps://securelist.com/honeypots-and-the-internet-of-things/787

Andrew L. Go

With over 10 years of experience in the information security industry, focusing primarily on application and systems development, he has developed a pattern generation and delivery system for the Application Control product and a custom AV scanner deployed to the global business units of his previous AV organization. He is currently overseeing AV operations at G DATA AV Lab Inc., the Philippine subsidiary of G DATA Software AG. In addition to this, he is leading the research and development of systems for malicious sample collection and threat intelligence, and is driving IT security awareness campaigns in both the academic and corporate worlds.

Wren Fer M. Balangcod

With more than 6 years of experience in the information security industry, Wren specializes in the detection and remediation of malware threats (Trojans, viruses, and exploits). His previous accomplishments include creating detections for four of the leaked vulnerabilities developed by the company Hacking Team. In addition to this, he has developed high-interaction honeypot systems for sourcing in-the-wild malware samples and threat information.