- 著者
-
Geeta Yadav
Kolin Paul
Alaa Allakany
Koji Okamura
- 出版者
- Information Processing Society of Japan
- 雑誌
- Journal of Information Processing (ISSN:18826652)
- 巻号頁・発行日
- vol.28, pp.633-642, 2020 (Released:2020-09-15)
- 参考文献数
- 19
- 被引用文献数
-
10
The lack of inbuilt security protocols in cheap and resource-constrained Internet of Things (IoT) devices give privilege to an attacker to exploit these device's vulnerabilities and break into the target device. Attacks like Mirai, Wannacry, Stuxnet, etc. show that a cyber-attack often comprises of a series of exploitations of victim device's vulnerabilities. Timely detection and patching of these vulnerabilities can avoid future attacks. Penetration testing helps to identify such vulnerabilities. However, traditional penetration testing methods are not End-to-End, which fail to detect multi-hosts and multi-stages attacks. Even if an individual system is secure under some threat model, the attacker can use a kill-chain to reach the target system. In this paper, we introduced first-of-its-kind, IoT-PEN, a Penetration Testing Framework for IoT. The framework follows a client-server architecture wherein all IoT nodes act as clients and “a system with resources” as a server. IoT-PEN is an End-to-End, scalable, flexible and automatic penetration testing framework for discovering all possible ways an attacker can breach the target system using target-graphs. Finally, the paper recommends patch prioritization order by identifying critical nodes, critical paths for efficient patching. Our analysis shows that IoT-PEN is easily scalable to large and complex IoT networks.