Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days

2019 APWG Symposium on Electronic Crime Research (eCrime) (2019)

Abstract
Existing solutions are ineffective in detecting zero day exploits targeting Customer Premise Equipment (CPE) and Internet of Things (IoT) devices. We present honware, a high-interaction honeypot framework which can emulate a wide range of devices without any access to the manufacturers' hardware. Honware automatically processes a standard firmware image (as is commonly provided for updates), customises the filesystem and runs the system with a special pre-built Linux kernel. It then logs attacker traffic and records which of their actions led to a compromise. We provide an extensive evaluation and show that our framework improves upon existing emulation strategies which are limited in their scalability, and that it is significantly better both in providing network functionality and in emulating the devices' firmware applications - a crucial aspect as vulnerabilities are frequently exploited by attackers in 'front-end' functionalities such as web interfaces. Honware's design precludes most honeypot fingerprinting attacks, and as its performance is comparable to that of real devices, fingerprinting with timing attacks can be made far from trivial. We provide four case studies in which we demonstrate that honware is capable of rapid deployment to capture the exact details of attacks along with malware samples. In particular we identified a previously unknown attack in which the default DNS for an ipTIME N604R wireless router was changed. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit zero days at Internet scale.
Keywords
high-interaction honeypot framework, standard firmware image, attacker traffic, emulation strategies, honeypot fingerprinting attacks, timing attacks, unknown attack, virtual honeypot framework, IoT zero days, customer premise equipment, Internet of Things devices, pre-built Linux kernel, honware design, ipTIME N604R wireless router, Internet scale