Advertisement

Towards a Framework for Testing the Security of IoT Devices Consistently

  • Gurjan Lally
  • Daniele Sgandurra
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11263)

Abstract

The Internet of Things (IoT) permeates society in many areas, such as automotive, smart-homes, smart-cities, healthcare, and critical infrastructures. Even if the IoT promises economic growth as well as convenience for users, the security (and safety) implications of the IoT are equally significant. In fact, weak security in IoT devices could have dangerous consequences, such as to a car crash, or an intruder entering in our home. As an example, in October 2016, the distributed denial of service attack on Dyn, a company controlling and managing several DNS services, brought down most of America’s Internet, and was caused by an IoT botnet (Mirai). This is mainly due to an increasing number of vulnerabilities in IoT devices being discovered on a daily basis, and that are the consequence of poor IoT security practices. To properly address the security and testing of IoT devices, the first step is the description of a threat model. However, few IoT manufactures base their testing on sound threat modelling techniques and comprehensive IoT security guidelines.

For these reasons, in this paper we propose a methodological approach for IoT security testing, which extends the OWASP IoT framework to include threat models to guide the selection of tests used to evaluate IoT attack surfaces and associated vulnerabilities. In addition, the proposed extended framework includes indications on how to actually test a given vulnerability and a set of recommended tools for performing the tests. To this end, we have devised a set of procedures associated with the tests, e.g. accessing device hardware or resetting the device. We also describe a set of tests based on the framework we have performed on IoT devices to test their security. In particular, we have tested the framework on a home router, a relatively cheap baby monitor, and a pricey security system. The methodological testing of the devices reported that the baby monitor showed signs of inadequate security, the router patching any known vulnerabilities as expected from a well-known manufacturer, and the security system quashing any penetration testing attempts.

Keywords

Internet of Things OWASP Attack surfaces Testing methodology 

Notes

Acknowledgment

This work was partially supported by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 779391 (FutureTPM).

References

  1. 1.
    Fernandes, E., Jung, J., Prakash, A.: Security analysis of emerging smart home applications. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 636–654. IEEE (2016)Google Scholar
  2. 2.
    Ronen, E., Shamir, A.: Extended functionality attacks on IoT devices: the case of smart lights. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 3–12. IEEE (2016)Google Scholar
  3. 3.
    Min, B., Varadharajan, V.: Design and evaluation of feature distributed malware attacks against the Internet of Things (IoT). In: 2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 80–89. IEEE (2015)Google Scholar
  4. 4.
    Ho, G., Leung, D., Mishra, P., Hosseini, A., Song, D., Wagner, D.: Smart locks: lessons for securing commodity Internet of Things devices. In: Proceedings of the 11th ACM on Asia conference on Computer and Communications Security, pp. 461–472. ACM (2016)Google Scholar
  5. 5.
    Bertino, E., Islam, N.: Botnets and internet of things security. Computer 2, 76–79 (2017)CrossRefGoogle Scholar
  6. 6.
    Xu, H., Sgandurra, D., Mayes, K., Li, P., Wang, R.: Analysing the resilience of the internet of things against physical and proximity attacks. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, K.-K.R. (eds.) SpaCCS 2017. LNCS, vol. 10658, pp. 291–301. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-72395-2_27CrossRefGoogle Scholar
  7. 7.
    Sgandurra, D., Lupu, E.: Evolution of attacks, threat models, and solutions for virtualized systems. ACM Comput. Surv. (CSUR) 48(3), 46 (2016)CrossRefGoogle Scholar
  8. 8.
    Sgandurra, D., Karafili, E., Lupu, E.: Formalizing threat models for virtualized systems. In: Ranise, S., Swarup, V. (eds.) DBSec 2016. LNCS, vol. 9766, pp. 251–267. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-41483-6_18CrossRefGoogle Scholar
  9. 9.
    Rouffineau, T.: Consumers are terrible at updating their connected devices (2016). https://blog.ubuntu.com/2016/12/15/research-consumers-are-terrible-at-updating-their-connected-devices
  10. 10.
    Shipulin, K.: Practical ways to misuse a router. Positive Technologies (2017). http://blog.ptsecurity.com/2017/06/practical-ways-to-misuse-router.html
  11. 11.
    Antonakakis, M., et al.: Understanding the mirai botnet. In: USENIX Security Symposium, pp. 1092–1110 (2017)Google Scholar
  12. 12.
    OWASP: IoT attack surface areas (2015). https://www.owasp.org/index.php/IoT_Attack_Surface_areas
  13. 13.
    OWASP: Top 10 2017: The Ten Most Critical Web Application Security Risks. Sl: The OWASP Foundation (2013)Google Scholar
  14. 14.
    Trendall, S.: Labour MP: if a device is called ‘smart’ – don’t buy it. PublicTechnology.net (2018). https://publictechnology.net/articles/news/labour-mp-if-device-called-%E2%80%98smart%E2%80%99-%E2%80%93-don%E2%80%99t-buy-it
  15. 15.
    Ranger, S.: Internet of Things: finding a way out of the security nightmare. ZDNet (2016). https://www.zdnet.com/article/internet-of-things-finding-a-way-out-of-the-security-nightmare/
  16. 16.
    Paul: Mirai Redux: a year’s worth of DVR passwords published online. The Security Ledger (2017). https://securityledger.com/2017/01/mirai-redux-a-years-worth-of-dvr-passwords-published-online/

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Department of Computer ScienceRoyal Holloway, University of LondonEghamUK
  2. 2.Information Security GroupRoyal Holloway, University of LondonEghamUK

Personalised recommendations