Penetration Testing Framework for IoT

摘要

In the Internet of Things (IoT) environment, objects are connected on a network to share data. However, most of the IoT devices are developed and deployed with poor security consideration. As a result, these devices become a target of attacks. A solution for ensuring the safety and security of a network system is Penetration testing. In this study, we propose a framework for automated and flexible penetration testing for IoT network. Most of the available penetration testing methods are experts based, that select tool and process manually. This kind of Pen-test is a costly, time-consuming and inefficient. Also, the existing automated penetration testing doesn't consider the interaction between system components; it works by testing each component of a system separately. Individual component testing can lead to a security gap that makes the Pen-test inefficient since many low severity vulnerabilities on different inter-connected components can lead the system to an insecure state. Moreover, in some cases testing the individual components can claim that the particular component is secure, but if these individual components are connected in one system, it makes this system insecure. Due to such shortages, our framework will test the End-to-End target system (i.e., end devices, wireless communication, the control unit, then communication to the cloud server, and finally communication from the cloud to end user through mobile app or webpage). The proposed framework will automatically gather the information of the target IoT network and then perform various kinds of penetration testing through the network. Then it will summarize the results of Pentest and gives the recommendations to secure the system.