Skip to main content
Springer Nature Link
Log in

Towards a Framework for Testing the Security of IoT Devices Consistently

  • Conference paper
  • First Online:
Emerging Technologies for Authorization and Authentication (ETAA 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11263))

  • 1076 Accesses

Abstract

The Internet of Things (IoT) permeates society in many areas, such as automotive, smart-homes, smart-cities, healthcare, and critical infrastructures. Even if the IoT promises economic growth as well as convenience for users, the security (and safety) implications of the IoT are equally significant. In fact, weak security in IoT devices could have dangerous consequences, such as to a car crash, or an intruder entering in our home. As an example, in October 2016, the distributed denial of service attack on Dyn, a company controlling and managing several DNS services, brought down most of America’s Internet, and was caused by an IoT botnet (Mirai). This is mainly due to an increasing number of vulnerabilities in IoT devices being discovered on a daily basis, and that are the consequence of poor IoT security practices. To properly address the security and testing of IoT devices, the first step is the description of a threat model. However, few IoT manufactures base their testing on sound threat modelling techniques and comprehensive IoT security guidelines.

For these reasons, in this paper we propose a methodological approach for IoT security testing, which extends the OWASP IoT framework to include threat models to guide the selection of tests used to evaluate IoT attack surfaces and associated vulnerabilities. In addition, the proposed extended framework includes indications on how to actually test a given vulnerability and a set of recommended tools for performing the tests. To this end, we have devised a set of procedures associated with the tests, e.g. accessing device hardware or resetting the device. We also describe a set of tests based on the framework we have performed on IoT devices to test their security. In particular, we have tested the framework on a home router, a relatively cheap baby monitor, and a pricey security system. The methodological testing of the devices reported that the baby monitor showed signs of inadequate security, the router patching any known vulnerabilities as expected from a well-known manufacturer, and the security system quashing any penetration testing attempts.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://www.postscapes.com/internet-of-things-history/.

  2. 2.

    For the sake of conciseness, the Table shown here briefly summarizes “IoT Security Considerations” and “Methodologies and Tools”.

  3. 3.

    https://www.wireshark.org/.

  4. 4.

    https://www.fing.io/.

  5. 5.

    https://linux.die.net/man/8/netstat.

  6. 6.

    http://sqlninja.sourceforge.net/.

  7. 7.

    https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture.

  8. 8.

    https://www.offensive-security.com/metasploit-unleashed/msfconsole/.

  9. 9.

    https://www.ettercap-project.org/.

  10. 10.

    https://www.kali.org/.

  11. 11.

    https://www.theinternetofthings.eu/.

References

  1. Fernandes, E., Jung, J., Prakash, A.: Security analysis of emerging smart home applications. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 636–654. IEEE (2016)

    Google Scholar 

  2. Ronen, E., Shamir, A.: Extended functionality attacks on IoT devices: the case of smart lights. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 3–12. IEEE (2016)

    Google Scholar 

  3. Min, B., Varadharajan, V.: Design and evaluation of feature distributed malware attacks against the Internet of Things (IoT). In: 2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS), pp. 80–89. IEEE (2015)

    Google Scholar 

  4. Ho, G., Leung, D., Mishra, P., Hosseini, A., Song, D., Wagner, D.: Smart locks: lessons for securing commodity Internet of Things devices. In: Proceedings of the 11th ACM on Asia conference on Computer and Communications Security, pp. 461–472. ACM (2016)

    Google Scholar 

  5. Bertino, E., Islam, N.: Botnets and internet of things security. Computer 2, 76–79 (2017)

    Article  Google Scholar 

  6. Xu, H., Sgandurra, D., Mayes, K., Li, P., Wang, R.: Analysing the resilience of the internet of things against physical and proximity attacks. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, K.-K.R. (eds.) SpaCCS 2017. LNCS, vol. 10658, pp. 291–301. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72395-2_27

    Chapter  Google Scholar 

  7. Sgandurra, D., Lupu, E.: Evolution of attacks, threat models, and solutions for virtualized systems. ACM Comput. Surv. (CSUR) 48(3), 46 (2016)

    Article  Google Scholar 

  8. Sgandurra, D., Karafili, E., Lupu, E.: Formalizing threat models for virtualized systems. In: Ranise, S., Swarup, V. (eds.) DBSec 2016. LNCS, vol. 9766, pp. 251–267. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-41483-6_18

    Chapter  Google Scholar 

  9. Rouffineau, T.: Consumers are terrible at updating their connected devices (2016). https://blog.ubuntu.com/2016/12/15/research-consumers-are-terrible-at-updating-their-connected-devices

  10. Shipulin, K.: Practical ways to misuse a router. Positive Technologies (2017). http://blog.ptsecurity.com/2017/06/practical-ways-to-misuse-router.html

  11. Antonakakis, M., et al.: Understanding the mirai botnet. In: USENIX Security Symposium, pp. 1092–1110 (2017)

    Google Scholar 

  12. OWASP: IoT attack surface areas (2015). https://www.owasp.org/index.php/IoT_Attack_Surface_areas

  13. OWASP: Top 10 2017: The Ten Most Critical Web Application Security Risks. Sl: The OWASP Foundation (2013)

    Google Scholar 

  14. Trendall, S.: Labour MP: if a device is called ‘smart’ – don’t buy it. PublicTechnology.net (2018). https://publictechnology.net/articles/news/labour-mp-if-device-called-%E2%80%98smart%E2%80%99-%E2%80%93-don%E2%80%99t-buy-it

  15. Ranger, S.: Internet of Things: finding a way out of the security nightmare. ZDNet (2016). https://www.zdnet.com/article/internet-of-things-finding-a-way-out-of-the-security-nightmare/

  16. Paul: Mirai Redux: a year’s worth of DVR passwords published online. The Security Ledger (2017). https://securityledger.com/2017/01/mirai-redux-a-years-worth-of-dvr-passwords-published-online/

Download references

Acknowledgment

This work was partially supported by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 779391 (FutureTPM).

Author information

Authors and Affiliations

  1. Department of Computer Science, Royal Holloway, University of London, Egham, UK

    Gurjan Lally

  2. Information Security Group, Royal Holloway, University of London, Egham, UK

    Gurjan Lally & Daniele Sgandurra

Authors
  1. Gurjan Lally
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Daniele Sgandurra
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gurjan Lally .

Editor information

Editors and Affiliations

  1. IIT-CNR, Pisa, Italy

    Andrea Saracino

  2. IIT-CNR, Pisa, Italy

    Paolo Mori

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Lally, G., Sgandurra, D. (2018). Towards a Framework for Testing the Security of IoT Devices Consistently. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2018. Lecture Notes in Computer Science(), vol 11263. Springer, Cham. https://doi.org/10.1007/978-3-030-04372-8_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-04372-8_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04371-1

  • Online ISBN: 978-3-030-04372-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation