Honeypot research: this is what hackers do with vulnerable IoT devices

Share on facebook
Share on twitter
Share on linkedin
Share on reddit

Using various decoy servers (honeypots), a three-year study has mapped out what hackers do after breaking into the Internet of Things (IoT) devices. The researchers managed to set up a diverse IoT ecosystem and collect data in smart ways. This allowed them to find out what the ultimate purpose of the hacks is.

In principle, IoT devices comprise all kinds of ‘normal’ equipment that can be connected to the internet. For example, think of smart lamps, cameras, doorbells, Smart TVs, refrigerators, speakers and much more. Billions of these devices will be added in the coming years.

These devices are intended to be managed via a network (and therefore often at home). Yet these devices are often inadvertently connected to the Internet itself. The combination of accessible and generally weak security makes it an interesting target for hackers.

To lure hackers, the IoT Honeypots University Florida has set up 3 types of honeypots that mimic real IoT devices like in customers’ homes.

HONEYPOT TYPE ACTIVITY NUMBER OF CONNECTION ATTEMPTS HoneyShell 12 months 17.3 million HoneyWindowsBox 7 months 1.6 million HoneyCamera 25 months 3.6 million


HoneyShellemulated Busybox, a popular version of Linux that runs on many IoT devices. HoneyWindowsBoxemulated Windows-based IoT devices. HoneyCamera emulated internet cameras. By using specific ports, the researchers were able to mimic specific vulnerable or popular devices. Better camouflage

The researchers ensured that the honeypots could be found as legitimate devices on specialized search engines such as Shodan and Censys. These search engines allow users to search for devices that are connected to the Internet.

These search engines also give an ‘authenticity score’, so the researchers had to take extra measures to appear as real as possible. In addition, hackers are usually very careful; if they don’t trust things, they ignore a device. After all, they also know that honeypots are active. To compensate for this, the study was conducted in 2 or 3 phases.

The data from phase 1 (6 months) was used to better camouflage the honeypots. In phase 2, data was collected with the improved camouflage.

Read more

Explore the site

More from the blog

Latest News