A ZigBee honeypot to assess IoT cyberattack behaviour

Seamus Dowling; Michael Schukat; Hugh Melvin

doi:10.1109/ISSC.2017.7983603

A ZigBee honeypot to assess IoT cyberattack behaviour

Seamus Dowling, Michael Schukat, Hugh Melvin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

65 Citations (Scopus)

Abstract

Wireless Personal Area Networks (WPAN) allow for the implementation of applications such as home automation, remote control services, near-field technologies and personal health care management. Security is a critical requirement of the standards and protocols for these environments. One suite of layered protocols within WPAN is ZigBee. ZigBee is a low bit rate protocol utilised in Wireless Sensor Networks (WSN). Attacks such as physical, crypto key interception, injection and replay are perpetrated on ZigBee networks. These attacks can be instigated and controlled within the physical ZigBee WSN location or via a gateway. This paper creates a honeypot that simulates a ZigBee gateway. It is designed to assess the presence of ZigBee attack intelligence on a SSH attack vector. It captures all attack traffic for retrospective analysis. It sandboxes attacks of interest to determine if any attempts are targeting ZigBee specifically. Finally it concludes that all captured mass attacks are mainstream DDoS and bot malware, whereas individual attackers where attracted to and interacted with the ZigBee simulated Honeypot.

Original language	English
Title of host publication	2017 28th Irish Signals and Systems Conference, ISSC 2017
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781538610466
DOIs	https://doi.org/10.1109/ISSC.2017.7983603
Publication status	Published - 18 Jul 2017
Externally published	Yes
Event	28th Irish Signals and Systems Conference, ISSC 2017 - Killarney, Ireland Duration: 20 Jun 2017 → 21 Jun 2017

Publication series

Name	2017 28th Irish Signals and Systems Conference, ISSC 2017

Conference

Conference	28th Irish Signals and Systems Conference, ISSC 2017
Country/Territory	Ireland
City	Killarney
Period	20/06/17 → 21/06/17

Keywords

Botnet
Honeypot
IoT
SSH
ZigBee

Access to Document

10.1109/ISSC.2017.7983603

Cite this

@inproceedings{264385fbd0a54b15964de931c48c4c20,

title = "A ZigBee honeypot to assess IoT cyberattack behaviour",

abstract = "Wireless Personal Area Networks (WPAN) allow for the implementation of applications such as home automation, remote control services, near-field technologies and personal health care management. Security is a critical requirement of the standards and protocols for these environments. One suite of layered protocols within WPAN is ZigBee. ZigBee is a low bit rate protocol utilised in Wireless Sensor Networks (WSN). Attacks such as physical, crypto key interception, injection and replay are perpetrated on ZigBee networks. These attacks can be instigated and controlled within the physical ZigBee WSN location or via a gateway. This paper creates a honeypot that simulates a ZigBee gateway. It is designed to assess the presence of ZigBee attack intelligence on a SSH attack vector. It captures all attack traffic for retrospective analysis. It sandboxes attacks of interest to determine if any attempts are targeting ZigBee specifically. Finally it concludes that all captured mass attacks are mainstream DDoS and bot malware, whereas individual attackers where attracted to and interacted with the ZigBee simulated Honeypot.",

keywords = "Botnet, Honeypot, IoT, SSH, ZigBee",

author = "Seamus Dowling and Michael Schukat and Hugh Melvin",

note = "Publisher Copyright: {\textcopyright} 2017 IEEE.; 28th Irish Signals and Systems Conference, ISSC 2017 ; Conference date: 20-06-2017 Through 21-06-2017",

year = "2017",

month = jul,

day = "18",

doi = "10.1109/ISSC.2017.7983603",

language = "English",

series = "2017 28th Irish Signals and Systems Conference, ISSC 2017",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2017 28th Irish Signals and Systems Conference, ISSC 2017",

}

Dowling, S, Schukat, M & Melvin, H 2017, A ZigBee honeypot to assess IoT cyberattack behaviour. in 2017 28th Irish Signals and Systems Conference, ISSC 2017., 7983603, 2017 28th Irish Signals and Systems Conference, ISSC 2017, Institute of Electrical and Electronics Engineers Inc., 28th Irish Signals and Systems Conference, ISSC 2017, Killarney, Ireland, 20/06/17. https://doi.org/10.1109/ISSC.2017.7983603

A ZigBee honeypot to assess IoT cyberattack behaviour. / Dowling, Seamus; Schukat, Michael; Melvin, Hugh.
2017 28th Irish Signals and Systems Conference, ISSC 2017. Institute of Electrical and Electronics Engineers Inc., 2017. 7983603 (2017 28th Irish Signals and Systems Conference, ISSC 2017).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A ZigBee honeypot to assess IoT cyberattack behaviour

AU - Dowling, Seamus

AU - Schukat, Michael

AU - Melvin, Hugh

PY - 2017/7/18

Y1 - 2017/7/18

N2 - Wireless Personal Area Networks (WPAN) allow for the implementation of applications such as home automation, remote control services, near-field technologies and personal health care management. Security is a critical requirement of the standards and protocols for these environments. One suite of layered protocols within WPAN is ZigBee. ZigBee is a low bit rate protocol utilised in Wireless Sensor Networks (WSN). Attacks such as physical, crypto key interception, injection and replay are perpetrated on ZigBee networks. These attacks can be instigated and controlled within the physical ZigBee WSN location or via a gateway. This paper creates a honeypot that simulates a ZigBee gateway. It is designed to assess the presence of ZigBee attack intelligence on a SSH attack vector. It captures all attack traffic for retrospective analysis. It sandboxes attacks of interest to determine if any attempts are targeting ZigBee specifically. Finally it concludes that all captured mass attacks are mainstream DDoS and bot malware, whereas individual attackers where attracted to and interacted with the ZigBee simulated Honeypot.

AB - Wireless Personal Area Networks (WPAN) allow for the implementation of applications such as home automation, remote control services, near-field technologies and personal health care management. Security is a critical requirement of the standards and protocols for these environments. One suite of layered protocols within WPAN is ZigBee. ZigBee is a low bit rate protocol utilised in Wireless Sensor Networks (WSN). Attacks such as physical, crypto key interception, injection and replay are perpetrated on ZigBee networks. These attacks can be instigated and controlled within the physical ZigBee WSN location or via a gateway. This paper creates a honeypot that simulates a ZigBee gateway. It is designed to assess the presence of ZigBee attack intelligence on a SSH attack vector. It captures all attack traffic for retrospective analysis. It sandboxes attacks of interest to determine if any attempts are targeting ZigBee specifically. Finally it concludes that all captured mass attacks are mainstream DDoS and bot malware, whereas individual attackers where attracted to and interacted with the ZigBee simulated Honeypot.

KW - Botnet

KW - Honeypot

KW - IoT

KW - SSH

KW - ZigBee

UR - http://www.scopus.com/inward/record.url?scp=85027862740&partnerID=8YFLogxK

U2 - 10.1109/ISSC.2017.7983603

DO - 10.1109/ISSC.2017.7983603

M3 - Conference contribution

AN - SCOPUS:85027862740

T3 - 2017 28th Irish Signals and Systems Conference, ISSC 2017

BT - 2017 28th Irish Signals and Systems Conference, ISSC 2017

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 28th Irish Signals and Systems Conference, ISSC 2017

Y2 - 20 June 2017 through 21 June 2017

ER -

A ZigBee honeypot to assess IoT cyberattack behaviour

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this