PENETRATION TESTING FOR INTERNET OF THINGS SYSTEMS: CYBER THREATS, METHODS AND STAGES

A.I. Abakumov, V.S. Kharchenko

Èlektron. model. 2022, 44(4):79-104

https://doi.org/10.15407/emodel.44.04.079

ABSTRACT

The spread of the Internet of Things (IoT) and IoT-based systems is accompanied by an increase in the rate and types of cyberattacks on system assets. The potential threats and negative consequences of attacks on various types of IoT devices become critical. This circumstance determines the urgency of improving the methods of IoT cybersecurity assessment, in particular through penetration testing (PT) based on the simulation of real attacks. The purpose of the study is to analyze the threats and vulnerabilities of IoT systems and the methods and stages of PT implementation. The features of IoT systems as objects of PT are analyzed. Ratings of threats and vulnerabilities of IoT systems are determined from an analysis of references classified into five main areas. The consequences of attacks are assessed using the IMECA method and a modified risk table and matrix. The main countermeasures and their effectiveness in reducing the consequences of attacks are analyzed. The stages of PT for IoT systems are specified and analyzed. Directions for future research and development and for improving the effectiveness of PT for IoT systems are formulated.

KEYWORDS

Internet of Things, penetration testing, threats, cyberattacks, IMECA analysis.

