А.І. Abakumov, V.S. Kharchenko

Èlektron. model. 2022, 44(4):79-104


The spread of the Internet of Things (IoT) and IoT based systems is accompanied by an increa­sing the rate and types of cyberattacks on the system assets. The potential threats and negative consequences of attacks on various types of IoT devices btcome critical. This circumstance determines the urgency of improving the methods of IoT cyber security assessment, in particular, by use penetration testing (PT) based on the simulation of real attacks. The purpose of the study is to analyze the threats and vulnerabilities of IoT systems, methods and stages of PT implementation. The analysis of the features of IoT systems as objects of PT was carried out. Rating threats and vulnerabilities of IoT systems are determined based on the analysis of references classified on five main areas. The consequences of attacks were assessed using the IMECA method and modified risk table and matrix. The main countermeasures and their effectiveness in reducing the consequences of attacks are analyzed. The stages of IoT systems PT are specified and analyzed. Directions of future research, development and improving IoT systems PT effectiveness are formulated.


Internet of Things, penetration testing, threats, cyberattacks, IMECA analysis.


  1. IoT Analytics. (2022), State of IoT—Spring 2022. Available at:
  2. Jurcut, A.D., Ranaweera, P. and Xu, L. (2019), "Introduction to IoT Security" in Liyanage, M., Braeken, A., Kumar, P. and Ylianttila, M. (Ed.), IoT Security: Advances in Authentication, John Wiley & Sons Ltd, pp. 27–64. Available at: ch2
  3. Rak, M., Salzillo, G. and Romeo, C. (2020), "Systematic IoT Penetration Testing: Alexa Case Study", ITASEC, 2597(17). Available at:
  4. Symantec Enterprise Blog (2019), ISTR 2019: Internet of Things Cyber Attacks Grow More Diverse. Available at:
  5. Yadav, G., Paul, K., Allakany, A. and Okamura, K. (2020), "IoT-PEN: An E2E Penetration Testing Framework for IoT", Journal of Information Processing, 28, PP.633–642. Available at:
  6. Kolias, C., Kambourakis, G., Stavrou, A. and Voas, J. (2017), "DDoS in the IoT: Mirai and Other Botnets", Computer, 50(7),80–84.
  7. Певнев, В.Я., Торяник, В.В. та Харченко, В.С. (2020), "Кібербезпека безпроводових смарт-систем: канали втручань та радіочастотні вразливості", Radioelectronic and Computer Systems, 4, рр.79–92.
  8. Ahmad, A. (2018), Model-Based Testing for IoT Systems: Methods and tools.,D Thesis, University of Franche-Comté. Available at: 332010452_Model-Based_Testing_for_IoT_Systems_Methods_and_tools
  9. Ahmad, W., Rasool, A., Javed, A. R., Baker, T. and Jalil, Z. (2021), "Cyber Security in IoT-Based Cloud Computing: A Comprehensive Survey", Electronics, 11(1), PP.16.
  10. Abdul-Ghani, H. A. and Konstantas, D. (2019), "A Comprehensive Study of Security and Privacy Guidelines, Threats, and Countermeasures: An IoT Perspective", Journal of Sensor and Actuator Networks, 8(2), PP.22.
  11. Burhan, M., Rehman, R., Khan, B. and Kim, B.-S. (2018), "IoT Elements, Layered Architectures and Security Issues: A Comprehensive Survey", Sensors, 18(9), PP.2796.
  12. Mashal, I., Alsaryrah, O., Chung, T.-Y., Yang, C.-Z., Kuo, W.-H. and Agrawal, D.P. (2015), "Choices for interaction with things on Internet and underlying issues", Ad Hoc Networks, 28, PP.68–90.
  13. Yun, M. and Yuxin, B. (2010), "Research on the architecture and key technology of Internet of Things (IoT) applied on smart grid", in Proceedings of the 2010 International Conference on Advances in Energy Engineering, Available at: 5557611
  14. Singh, D., Tripathi, G. and Jara, A. J. (2014), "A survey of Internet of Things: Future vision, architecture, challenges and services", in Proceedings of the 2014 IEEE World Forum on Internet of Things (WF-IoT), 287-292,
  15. Madakam, S., Ramaswamy, R. and Tripathi, S. (2015), "Internet of Things (IoT): A literature review", Journal of Computer and Communications, 3, PP.164-173.
  16. Darwish, D. "Improved Layered Architecture for Internet of Things" (2015), International Journal of Computing Academic Research (IJCAR), 4(4), PP.214–223. Available at:
  17. Khan, R., Khan, S.U., Zaheer, R. and Khan, S. (2012), "Future Internet: The Internet of Things architecture, possible applications and key challenges", in Proceedings of the 2012 10th International Conference on Frontiers of Information Technology (FIT), PP. 257–260.
  18. Sethi, P. and Sarangi, S.R. (2017), "Internet of Things: Architectures, Protocols, and Applications", Journal of Electrical and Computer Engineering 2017, 1, pp.1-25.
  19. Ferrara, P., Mandal, A. K., Cortesi, A. and Spoto F. (2021), "Static analysis for discovering IoT vulnerabilities", International Journal on Software Tools for Technology Transfer, 23, pp.71–88.
  20. Johari, R., Kaur, I., Tripathi, R. and Gupta, K. (2020), "Penetration Testing in IoT Network", 2020 5th International Conference on Computing, Communication and Security (ICCCS).
  21. Chantzis, F., Stais, I., Calderon, P., Deirmentzoglou, E. and Woods, B. (2021), Practical IoT Hacking The Definitive Guide to Attacking the Internet of Things. / No Starch Press.
  22. Leite, C., Gondim, J. J., Solis, P. S., Caetano, M.F. and Alchieri, E. A. (2019), "Pentest on Internet of Things Devices", 2019 XLV Latin American Computing Conference (CLEI), 1-10.
  23. Visoottiviseth, V., Akarasiriwong, P., Chaiyasart S. and Chotivatunyu, S. (2017), "PENTOS: Penetration testing tool for Internet of Thing devices", TENCON 2017-2017 IEEE Region 10 Conference, 2017, pp. 2279-2284.
  24. Chu, G. and Lisitsa, A. (2018), "Penetration Testing for Internet of Things and Its Automation", in Proceedings of the 2018 IEEE 20th International Conference on High Performance Computing and Communications; IEEE 16th International Conference on Smart City; IEEE 4th International Conference on Data Science and Systems (HPCC/SmartCity/ DSS), pp. 1479-1484.
  25. Bjørneset, K. J. W. (2017), Testing Security for Internet of Things, Master’s Thesis, University of Oslo. Available at: 2017/Kim_Jonatan_Wessel_Bjorneset/kim_jonatan_wessel_bjorneset_testing_security_for_internet_of_things_a_survey_on_vulnerabilities_in_ip_cameras.pdf
  26. Scarfone, K., Souppaya M., Cody, A. and Orebaugh A. (2008), Technical Guide to Information Security Testing and Assessment: Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology, Gaithersburg, MD, NIST Special Publication 800-115.
  27. Herzog, P. (2010), OSSTMM 3: The open-source security testing methodology manual-contemporary secutiy testing and analysis. Available at: 3.pdf
  28. (2011), PTES Technical Guidelines - The Penetration Testing Execution Standard. Available at:
  29. Busleiman, A., Martorella, C., Sarrazyn, D., Racciatti, H. M. and Asgarally, K. (2005), Information Systems Security Assessment Framework (ISSAF). Available at: https://untrusted­
  30. Radholm, F. and Abefelt, N. (2020), Ethical Hacking of an IoT-device: Threat Assessment and Penetration Testing : A Survey on Security of a Smart Refrigerator. Independent thesis Basic level, KTH Royal Institute of Technology. Available at: http://www.diva-portal. org/smash/record.jsf?pid=diva2%3A1472577&dswid=4305
  31. Fernández-Caramés, T. M. and Fraga-Lamas, P. (2020), "Teaching and Learning IoT Cybersecurity and Vulnerability Assessment with Shodan through Practical Use Case", Sensors, 20 (11), pp.
  32. Kovalenko, A., Yaroshevich, R. and Balenko, O. (2021), "Internet of Things: проблеми інформаційної безпеки та методи покращення", Системи управління, навігації та зв’язку. Збірник наукових праць., 2(64), pp. 78-80.
  33. EC-Council (2020), Penetration Testing Procedures & Methodologies. 1st Ed. / Course Technology. Available at:
  34. Tayag, M.I., Napalit, F. and Napalit, A. (2020), "IoT Security: Penetration Testing of White-label Cloud-based IoT Camera Compromising Personal Data Privacy", International Journal of Computer Science and Information Technology, 12(5), pp. 29–40.
  35. Gupta, A. (2019), The IoT Hacker’s Handbook. / Apress Berkeley, CA.
  36. Guzman A. and Gupta, A. (2017), IoT Penetration Testing Cookbook: Identify vulnerabilities and secure your smart devices. / Packt Publishing Ltd. Available at: https://
  37. Jain, P., Jha, K. and Patwa, S. (2017). "Architecture of Internet of Things (IoT)", International Journal for Scientific Research & Development,| 5(9). Available at: https://
  38. Rytel, M., Felkner, A. and Janiszewski M. (2020), "Towards a Safer Internet of Things—A Survey of IoT Vulnerability Data Sources", Sensors, 20(21), pp.
  39. Said, O. and Masud, M. (2013), "Towards Internet of things: Survey and future vision", International Journal of Computer Networks (IJCN), 5, pp. 1–17. Available at:
  40. Kumar, S. A., Vealey, T. and Srivastava, H. (2016), "Security in Internet of Things: Challenges, Solutions and Future Directions", in Proceedings of the 49th Hawaii International Conference on System Sciences (HICSS), pp. 5772-5781.
  41. HackMD (2018), Real World Implications of OWASP IoT Top 10. Available at: https:// io/@oDfzlUPiRg2DrSP35fcd3A/r14HAnJqE>
  42. OWASP Project (2018), OWASP Internet of Things Top 10 vulnerabilities. Available at:
  43. com (n.d.) Silex malware is affecting the IoT devices. Available at: https://
  44. Journey Notes (2019), Threat Spotlight: IoT application vulnerabilities. Available at:
  45. Security cameras vulnerable to hijacking (n.d.), Security cameras vulnerable to hijacking. Available at:
  46. CVEcom (n.d.), CWE Definitions list and vulnerabilities for CWE entries. Available at: [Accessed 6 Aug. 2022].
  47. org (n.d.), CWE - Common Weakness Enumeration. Available at:
  48. io (2014), OWASP IoT Top 10 2014 - OWASP IoT Top 10 2018 Mapping Project. Available at: owasp-iot-top-10-2014.
  49. Androulidakis, I., Kharchenko V. and Kovalenko, A. (2016), "IMECA-based Technique for Security Assessment of Private Communications: Technology and Training"; Information & Security: An International Journal, 35(1), pp. 99-120.
  50. Illiashenko, O., Kharchenko, V., Kovalenko, A., Sklayr V. and Boyarchuk, A. (2014), "Security informed safety assessment of NPP I&C systems: Gap-IMECA technique" in Proceedings of the 2014 22nd International Conference on Nuclear Engineering. Volume 3: Next Generation Reactors and Advanced Reactors; Nuclear Safety and Security.
  51. net (n.d.), Securing the Internet of Things: Mapping Attack Surface Areas Using the OWASP IoT Top 10. Available at:
  52. Speaker Deck (2018.), La sécurité dans l’IoT : difficultés, failles et contre-mesures. Available at: mesures-at-snowcamp2018
  53. AppSealing (2021), Guide to OWASP IoT Top 10 for proactive security"=. Available at:
  54. Denis, M., Zena, C., and Hayajneh, T. (2016), "Penetration testing: Concepts, attack methods, and defense strategies" in Proceedings of the 2016 IEEE Long Island Systems, Applications and Technology Conference (LISAT), pp. 1-6.
  55. Bharathi, M.V., Tanguturi, R.C., Jayakumar, C. and Selvamani, K. (2012), "Node capture attack in Wireless Sensor Network: A survey", In Proceedings of the 2012 IEEE International Conference on Computational Intelligence & Computing Research (ICCIC), pp. 1-3.
  56. Puthal, D., Nepal, S., Ranjan, R. and Chen, J. (2016), "Threats to networking cloud and edge datacenters in the Internet of Things", IEEE Cloud Computing, (3), pp. 64-71.
  57. Brumley, D. and Boneh, D. (2005), "Remote timing attacks are practical", Computer Networks, 48, PP. 701–716.
  58. Costa Gondim, J., de Oliveira Albuquerque, R., Clayton Alves Nascimento, A., García Villalba, L. and Kim, T.-H. (2016), "A Methodological Approach for Assessing Amplified Reflection Distributed Denial of Service on the Internet of Things". Sensors, 16(11), pp.
  59. Russell, B. and Duren, D. V. (2018), Practical internet of things security design a security framework for an Internet connected ecosystem. 2nd Ed. / Packt Publishing. Available at: https://
  60. Gupta, S. and Gupta, B.B. (2017), "Cross-Site Scripting (XSS) attacks and defense mechanisms: Classification and state-of-the-art", International Journal of System Assurance Enginee­ring and Management, 8, PP.512–530. Available at: 281823720_Cross-Site_Scripting_XSS_attacks_and_defense_mechanisms_classification_ and_state-of-the-art
  61. Robberts, C. (2019), Finding Vulnerabilities in IoT Devices: Ethical Hacking of Electronic Locks. Independent thesis Basic level. KTH Royal Institute of Technology. Available at:
  62. Forsberg, A.L. and Olsson, T. (2019), IoT Offensive Security Penetration Testing: Hacking a Smart Robot Vacuum Cleaner. Independent thesis Basic level. KTH Royal Institute of Technology. Available at:!/Olsson_ Larsson-Forsberg_vacuum.pdf
  63. Torres N., Pinto P. and Lopes S. I. (2021), "Security Vulnerabilities in LPWANs: An Attack Vector", Applied Sciences, 11(7), pp.
  64. Djenna, A., Harous, S. and Sidouni, D. E. (2021), "Internet of Things Meet Internet of Threats New Concern - New Concern Cyber Security issues of Critical Cyber Infrastructure", Applied Sciences, 11(10), pp. 4580
  65. Yu, M., Zhuge, J., Cao, M., Shi. Z. and Jiang, L. (2020), "A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices", Future Internet, 12(2), pp. 27.

Full text: PDF