2020 Volume 28 Pages 481-492
Internet of Things (IoT) malware keeps evolving and utilizes multiple vulnerabilities to infect IoT devices. Besides malware, human attackers also utilize various tools to access and collect various information on the device. For instance, the web UIs of IP cameras and routers are constantly searched for and accessed if vulnerable. In order to observe and analyze such a variety of attacks in depth, there is an increasing need for bare-metal IoT devices as honeypots, since it is costly to emulate device-specific vulnerabilities and complex functionalities from dedicated services. However, operating bare-metal IoT honeypots has unique technical challenges, mostly coming from their low configurability as embedded systems. A bare-metal honeypot needs proper access control, such as filtering out bricking commands and changes to critical configuration, while still allowing attackers to access its internals to some degree. From this observation, we propose ThingGate, a gateway for flexible operation of bare-metal IoT honeypots. ThingGate employs a man-in-the-middle proxy to control and manage inbound and outbound traffic of the bare-metal IoT honeypot. Moreover, it adds the functionality of web tracking, which is not provided by the web UI of the original devices. We evaluate ThingGate with seven bare-metal IoT devices and show that it successfully blocks unwanted incoming attacks, masks wireless access point information of the devices, and tracks attackers on the device web UI while showing high observability of various attacks exploiting different vulnerabilities.