Yesterday, I noticed a new URL in our honeypots: /v5/device/heartbeat. But I have no idea what this URL may be associated with. Based on some googleing, I came across Balena, a platform to manage IoT devices [1]. Does anybody have any experience with this software and know what an attacker would attempt to gain from the URL above? Maybe just fingerprinting devices? I do not see recent vulnerabilities anywhere, but there is a good chance that vulnerable components are being used by the software.
All requests originate from a single IP address, 24.114.52.95. This IP address shows no other activity in our honeypot and appears to be a Canadian consumer IP address.
Looking back in our data, there are a couple of other URLs that may be related, for example, /v5/search, /v5/.env, and variables of /v5/search/???????/place/[integer number] .
Balena (or Open Balena) offers an API to manage fleets of IoT devices. A system like this, managing many IoT devices, would certainly be an attractive target. Balena also distributes an "Etcher" tool that is often recommended to create bootable USB sticks from ISO files to install operating systems on devices. But the Etcher tool is a desktop application without network access, and unrelated to the IoT management API.
[1] https://docs.balena.io/reference/api/overview/
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|