Towards a Framework for Testing the Security of IoT Devices Consistently
The Internet of Things (IoT) permeates society in many areas, such as automotive, smart-homes, smart-cities, healthcare, and critical infrastructures. Even if the IoT promises economic growth as well as convenience for users, the security (and safety) implications of the IoT are equally significant. In fact, weak security in IoT devices could have dangerous consequences, such as to a car crash, or an intruder entering in our home. As an example, in October 2016, the distributed denial of service attack on Dyn, a company controlling and managing several DNS services, brought down most of America’s Internet, and was caused by an IoT botnet (Mirai). This is mainly due to an increasing number of vulnerabilities in IoT devices being discovered on a daily basis, and that are the consequence of poor IoT security practices. To properly address the security and testing of IoT devices, the first step is the description of a threat model. However, few IoT manufactures base their testing on sound threat modelling techniques and comprehensive IoT security guidelines.
For these reasons, in this paper we propose a methodological approach for IoT security testing, which extends the OWASP IoT framework to include threat models to guide the selection of tests used to evaluate IoT attack surfaces and associated vulnerabilities. In addition, the proposed extended framework includes indications on how to actually test a given vulnerability and a set of recommended tools for performing the tests. To this end, we have devised a set of procedures associated with the tests, e.g. accessing device hardware or resetting the device. We also describe a set of tests based on the framework we have performed on IoT devices to test their security. In particular, we have tested the framework on a home router, a relatively cheap baby monitor, and a pricey security system. The methodological testing of the devices reported that the baby monitor showed signs of inadequate security, the router patching any known vulnerabilities as expected from a well-known manufacturer, and the security system quashing any penetration testing attempts.
KeywordsInternet of Things OWASP Attack surfaces Testing methodology
This work was partially supported by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 779391 (FutureTPM).
- 1.Fernandes, E., Jung, J., Prakash, A.: Security analysis of emerging smart home applications. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 636–654. IEEE (2016)Google Scholar
- 2.Ronen, E., Shamir, A.: Extended functionality attacks on IoT devices: the case of smart lights. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 3–12. IEEE (2016)Google Scholar
- 3.Min, B., Varadharajan, V.: Design and evaluation of feature distributed malware attacks against the Internet of Things (IoT). In: 2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 80–89. IEEE (2015)Google Scholar
- 4.Ho, G., Leung, D., Mishra, P., Hosseini, A., Song, D., Wagner, D.: Smart locks: lessons for securing commodity Internet of Things devices. In: Proceedings of the 11th ACM on Asia conference on Computer and Communications Security, pp. 461–472. ACM (2016)Google Scholar
- 6.Xu, H., Sgandurra, D., Mayes, K., Li, P., Wang, R.: Analysing the resilience of the internet of things against physical and proximity attacks. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, K.-K.R. (eds.) SpaCCS 2017. LNCS, vol. 10658, pp. 291–301. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72395-2_27CrossRefGoogle Scholar
- 9.Rouffineau, T.: Consumers are terrible at updating their connected devices (2016). https://blog.ubuntu.com/2016/12/15/research-consumers-are-terrible-at-updating-their-connected-devices
- 10.Shipulin, K.: Practical ways to misuse a router. Positive Technologies (2017). http://blog.ptsecurity.com/2017/06/practical-ways-to-misuse-router.html
- 11.Antonakakis, M., et al.: Understanding the mirai botnet. In: USENIX Security Symposium, pp. 1092–1110 (2017)Google Scholar
- 12.OWASP: IoT attack surface areas (2015). https://www.owasp.org/index.php/IoT_Attack_Surface_areas
- 13.OWASP: Top 10 2017: The Ten Most Critical Web Application Security Risks. Sl: The OWASP Foundation (2013)Google Scholar
- 14.Trendall, S.: Labour MP: if a device is called ‘smart’ – don’t buy it. PublicTechnology.net (2018). https://publictechnology.net/articles/news/labour-mp-if-device-called-%E2%80%98smart%E2%80%99-%E2%80%93-don%E2%80%99t-buy-it
- 15.Ranger, S.: Internet of Things: finding a way out of the security nightmare. ZDNet (2016). https://www.zdnet.com/article/internet-of-things-finding-a-way-out-of-the-security-nightmare/
- 16.Paul: Mirai Redux: a year’s worth of DVR passwords published online. The Security Ledger (2017). https://securityledger.com/2017/01/mirai-redux-a-years-worth-of-dvr-passwords-published-online/