HosTaGe

HosTaGe – a Low-Interaction Honeypot for Mobile Devices

Motivation

Recent security reports indicate an increase in sophisticated cyber attacks. With the advancements in mobile devices (smartphones, tablets, etc.) as well as the increased number of available wireless networks, many challenges arise from the security perspective. People tend to use wireless networks of unknown trustworthiness in their daily life. They connect to these networks, e.g., at airports and coffee shops offering Internet access, without knowing whether they are safe or infected with actively propagating malware.

In traditional networks, malicious behavior can be detected via Intrusion Detection Systems (IDSs). However, IDSs cannot be applied easily to mobile environments and to resource-constrained devices. Another common defense mechanism is honeypots, i.e., systems that pretend to be an attractive target in order to lure malware and attackers. As a honeypot has no productive use, each attempt to access it can be interpreted as an attack. Hence, honeypots can provide an early indication of malicious network environments. Since low-interaction honeypots do not have high CPU or memory requirements, they are suitable for resource-constrained devices like smartphones or tablets.

Approach

HosTaGe is a lightweight, low-interaction, portable, and generic honeypot for mobile devices that aims at detecting malicious wireless network environments. As most malware propagates over the network via specific protocols, a low-interaction honeypot running on a mobile device can check wireless networks for actively propagating malware. We envision such honeypots running on all kinds of mobile devices, e.g., smartphones and tablets, to provide a quick assessment of the potential security state of a network.
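A minimal sketch of the low-interaction idea described above, added here as an illustration and not taken from HosTaGe's code: each emulated service only sends a static greeting, and every connection is recorded as a suspicious event. The class name, the banners, and the use of loopback with OS-assigned ports are assumptions; binding the real service ports below 1024 requires root.

```python
import select
import socket
import time

# Constructed greetings for illustration; not HosTaGe's protocol emulation.
SERVICES = {"ftp": b"220 FTP server ready\r\n", "smtp": b"220 mail ESMTP\r\n"}

class LowInteractionSensor:
    """Answers with a static greeting only and records every connection."""

    def __init__(self, host="127.0.0.1", services=SERVICES):
        self.events = []
        self.listeners = {}            # listening socket -> (service, banner)
        self.ports = {}                # service name -> bound port
        for name, banner in services.items():
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((host, 0))          # port 0: any free unprivileged port
            s.listen(5)
            self.listeners[s] = (name, banner)
            self.ports[name] = s.getsockname()[1]

    def poll(self, timeout=1.0):
        """Handle the connections pending right now; return the new events."""
        ready, _, _ = select.select(list(self.listeners), [], [], timeout)
        new = []
        for lsock in ready:
            name, banner = self.listeners[lsock]
            conn, (ip, _port) = lsock.accept()
            with conn:
                conn.settimeout(timeout)
                conn.sendall(banner)
                try:
                    first = conn.recv(256)   # logged only, never acted upon
                except socket.timeout:
                    first = b""
            new.append({"time": time.time(), "peer": ip,
                        "service": name, "first_bytes": first})
        self.events.extend(new)
        return new

    def summary(self):
        """Map each peer to the services it touched; any entry is suspect."""
        seen = {}
        for e in self.events:
            seen.setdefault(e["peer"], set()).add(e["service"])
        return seen

    def close(self):
        for s in self.listeners:
            s.close()
```

Because the sensor has no productive use, a non-empty `summary()` is already the signal: some host on the network contacted a service nobody should be using.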

HosTaGe is developed in Java for Android OS devices. The project can be accessed from the public repository here.

Students that are interested in conducting their Bachelorpraktikum project, Bachelor or Master thesis in this area may contact us for more details.

HosTaGe Portbinder

Note: The current HosTaGe version (v.3.0) includes automatic installation of the 'Portbinder' as well as support for utilizing Android's IP-Tables for binding privileged ports!

For previous versions (not supported any more) you can manually install the 'Portbinder':

To unlock the full functionality of HosTaGe, users need to have a rooted Android device with 'Portbinder' installed. It allows binding of privileged ports, i.e., < 1024, to allow some services to be emulated.

Portbinder (formerly known as Porthack) can be compiled from source (look under the folder 'native') using the Android NDK or copied from the list of pre-compiled binaries below (at your own risk).

Pre-compiled Portbinder Binaries

Device Architecture    Zip File    Tar File
ARM                    .zip        not available
x86                    .zip        not available
MIPS                   .zip        not available

In each of the compressed files above, there is a binary file (filename: bind) that has to be extracted and stored in the following location on your rooted Android device: /data/local/bind

You can check out the video tutorial on how to copy the binary into your device from a computer.

Feel free to contact us (hostage [at] tk [dot] informatik [dot] tu-darmstadt [dot] de) if you have any questions!

People

  • Dr. Emmanouil Vasilomanolakis
  • Dr. Shankar Karuppayah
  • Dr. Mathias Fischer

Demos

HosTaGe and its detection capabilities have been demonstrated in various IT security events worldwide, including:

  • International Conference on Security of Information and Networks (SIN), Glasgow/UK, 2014
  • Intel Workshop on Cyberphysical and Mobile Security, Darmstadt/Germany, 2014