Honeypot research: this is what hackers do with vulnerable IoT devices

Using various decoy servers (honeypots), a three-year study has mapped out what hackers do after breaking into the Internet of Things (IoT) devices. The researchers managed to set up a diverse IoT ecosystem and collect data in smart ways. This allowed them to find out what the ultimate purpose of the hacks is.

In principle, IoT devices comprise all kinds of ‘normal’ equipment that can be connected to the internet. For example, think of smart lamps, cameras, doorbells, Smart TVs, refrigerators, speakers and much more. Billions of these devices will be added in the coming years.

These devices are intended to be managed via a network (and therefore often at home). Yet these devices are often inadvertently connected to the Internet itself. The combination of accessible and generally weak security makes it an interesting target for hackers.

To lure hackers, the IoT Honeypots University Florida has set up 3 types of honeypots that mimic real IoT devices like in customers’ homes.

HoneyShell 12 months 17.3 million
HoneyWindowsBox 7 months 1.6 million
HoneyCamera 25 months 3.6 million


    • HoneyShellemulated Busybox, a popular version of Linux that runs on many IoT devices.
    • HoneyWindowsBoxemulated Windows-based IoT devices.
    • HoneyCamera emulated internet cameras. By using specific ports, the researchers were able to mimic specific vulnerable or popular devices.

Better camouflage

The researchers ensured that the honeypots could be found as legitimate devices on specialized search engines such as Shodan and Censys. These search engines allow users to search for devices that are connected to the Internet.

These search engines also give an ‘authenticity score’, so the researchers had to take extra measures to appear as real as possible. In addition, hackers are usually very careful; if they don’t trust things, they ignore a device. After all, they also know that honeypots are active. To compensate for this, the study was conducted in 2 or 3 phases.

The data from phase 1 (6 months) was used to better camouflage the honeypots. In phase 2, data was collected with the improved camouflage. In phase 3, knowledge and data from phases, 1 and 2 were used to develop a special variant of the HoneyShell honeypot. For example, in the event of a break-in, they knew for sure that it would be a human hacker trying to break in manually.


The results of the investigation reveal a number of recurring patterns and objectives of the hackers. For example, most hackers tried to run commands that would give them more information about the hardware they had access to. There was also massive scanning for open ports and attempts were made to disable firewalls.

More than a million attackers tried the most commonly used combination of credentials, username “admin” with password “1234”. The fact that attackers are still trying to do this indicates that people are still weakly securing their devices. In addition to this combination, many standard combinations of manufacturers were also tried.

Once attackers got in, the Linux and camera honeypots were mainly exploited for the following purposes:

      • DDoS networks
      • Bot networks like Mirai
      • crypto miners

With the Windows honeypot there was a little more diversity, namely:

      • crypto miners
      • viruses
      • Malware droppers
      • Trojans
      • Rootkits
      • botnets
      • Remote Access Trojans

Finally, the vast majority of attacks turned out to be from bots and follow-up steps were actually taken after gaining access in only 13% of successful intrusions.

This is how you keep your IoT devices safe

Your own Internet of Things devices can also fall victim to these types of attacks undetected. Fortunately, there are some relatively simple steps that can make you less vulnerable:

      • If a device does not need access to the wider internet, provide a VPN connection and firewall to prevent accidental remote access.
      • Install the latest firmware and security updates as they become available.
      • Give the IoT devices that need to be able to talk to each other their own network.
      • Change the default usernames and passwords to long, secure alternatives

Catch up on more articles here

Follow us on Twitter here


Must read


Related Posts