A ZigBee honeypot to assess IoT cyberattack behaviour

Wireless Personal Area Networks (WPAN) allow for the implementation of applications such as home automation, remote control services, near-field technologies and personal health care management. Security is a critical requirement of the standards and protocols for these environments. One suite of layered protocols within WPAN is ZigBee. ZigBee is a low bit rate protocol utilised in Wireless Sensor Networks (WSN). Attacks such as physical, crypto key interception, injection and replay are perpetrated on ZigBee networks. These attacks can be instigated and controlled within the physical ZigBee WSN location or via a gateway. This paper creates a honeypot that simulates a ZigBee gateway. It is designed to assess the presence of ZigBee attack intelligence on a SSH attack vector. It captures all attack traffic for retrospective analysis. It sandboxes attacks of interest to determine if any attempts are targeting ZigBee specifically. Finally it concludes that all captured mass attacks are mainstream DDoS and bot malware, whereas individual attackers where attracted to and interacted with the ZigBee simulated Honeypot.