ESSecA: An automated expert system for threat modelling and penetration testing for IoT ecosystems

Rak, Massimiliano; Salzillo, Giovanni; Granata, Daniele

doi:10.1016/j.compeleceng.2022.107721

Cited by 31 publications

(28 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They proposed a general methodology to develop test cases for penetration testing IoT devices and planned to automate the test cases in future studies. Similarly, in a recent 2022 study [ 78 ], researchers proposed an expert system that takes IoT infrastructure details as an input and suggest a threat model and a penetration testing plan. A penetration tester then can utilize the plan to systematically test the IoT infrastructure.…”

Section: Discussionmentioning

confidence: 99%

Automatic Verification and Execution of Cyber Attack on IoT Devices

Færøy

Yamin

Shukla

et al. 2023

Sensors

View full text Add to dashboard Cite

Internet of Things (IoT) devices are becoming a part of our daily life; from health monitors to critical infrastructure, they are used everywhere. This makes them ideal targets for malicious actors to exploit for nefarious purposes. Recent attacks like the Mirai botnet are just examples in which default credentials were used to exploit thousands of devices. This raises major concerns about IoT device security. In this work, we aimed to investigate security of IoT devices through performing automatic penetration test on IoT devices. A penetration test is a way of detecting security problems, but manually testing billions of IoT devices is infeasible. This work has therefore examined autonomous penetration testing on IoT devices. In recent studies, automated attack execution models were developed for modeling automated attacks in cyber ranges. We have (1) investigated how such models can be applied for performing autonomous IoT penetration testing. Furthermore, we have (2) investigated if some well known and severe Wi-Fi related vulnerabilities still exist in IoT devices. Through a case study, we have shown that the such models can be used to model and design autonomous penetration testing agents for IoT devices. In addition, we have demonstrated that well-known vulnerabilities are present in deployed and currently sold products used in IoT devices, and that they can be both autonomously revealed through our developed system.

show abstract

Section: Discussionmentioning

confidence: 99%

Automatic Verification and Execution of Cyber Attack on IoT Devices

Færøy

Yamin

Shukla

et al. 2023

Sensors

View full text Add to dashboard Cite

show abstract

“…A limited number of studies have been conducted on IoT penetration testing; however, those who selected the topic focused on specific penetration tests, such as smart home devices and cameras [68] or an intelligent home voice assistant [69]. Another empirical work illustrated the system's vulnerability to cyberattacks.…”

Section: Penetration Testing Frameworkmentioning

confidence: 99%

“…Rak, Salzillo [73] suggested an expert security assessment (ESSecA) system for security professionals and penetration testers to evaluate the safety of IoT gadgets and networks. The testing methodology contains four stages: (1) system modeling, (2) threat modeling, (3) planning, and (4) penetration testing.…”

Section: Penetration Testing Frameworkmentioning

confidence: 99%

A Raise of Security Concern in IoT Devices: Measuring IoT Security Through Penetration Testing Framework

Jaafar,

Ismail,

Habir

et al. 2024

ijacsa

View full text Add to dashboard Cite

Despite the widespread adoption of IoT devices across different industries to enhance human activities, there is a pressing need to address the vulnerabilities associated with these devices, as they can potentially give rise to a plethora of cyber threats. Cyberattacks targeting IoT devices are predominantly attributed to inadequate patching and security updates. Furthermore, the current atmosphere pertaining to IoT penetration tests primarily focuses on specific devices and sectors while leaving certain fields behind, such as household devices. This study delves into recent penetration testing on IoT devices. Further, it discusses and critically analyzes the significance and issues in conducting IoT penetration tests. The findings of this study reveal a substantial demand for automated IoT penetration testing to serve diverse industries because conducting such testing has the capacity to diminish the consequences of cyber-attacks across numerous industries that utilize IoT devices for various purposes. This study is intended to be a ready reference for the research community to construct effective and innovative solutions in IoT penetration testing, which covers various fields.

show abstract

“…When attacks occurred from either internal or external network, it can be quite challenging for them to quickly take measures and deploy new policies [3], [16]. For example, performing penetration test toward multiple servers in a network can be quite simple [18], such as setting up scripts for automating the attack. However, it is quite an opposite situation for network administrators, since collecting information and deploying security solutions need to be done one-by-one.…”

Section: Introductionmentioning

confidence: 99%

BlockFW -- Towards Blockchain-based Rule-Sharing Firewall

Chiu¹,

Meng²

2023

Preprint

View full text Add to dashboard Cite

Central-managed security mechanisms are often utilized in many organizations, but such server is also a security breaking point. This is because the server has the authority for all nodes that share the security protection. Hence if the attackers successfully tamper the server, the organization will be in trouble. Also, the settings and policies saved on the server are usually not cryptographically secured and ensured with hash. Thus, changing the settings from alternative way is feasible, without causing the security solution to raise any alarms. To mitigate these issues, in this work, we develop BlockFW -a blockchain-based rule sharing firewall to create a managed security mechanism, which provides validation and monitoring from multiple nodes. For BlockFW, all occurred transactions are cryptographically protected to ensure its integrity, making tampering attempts in utmost challenging for attackers. In the evaluation, we explore the performance of BlockFW under several adversarial conditions and demonstrate its effectiveness.

show abstract

ESSecA: An automated expert system for threat modelling and penetration testing for IoT ecosystems

Cited by 31 publications

References 10 publications

Automatic Verification and Execution of Cyber Attack on IoT Devices

Automatic Verification and Execution of Cyber Attack on IoT Devices

A Raise of Security Concern in IoT Devices: Measuring IoT Security Through Penetration Testing Framework

BlockFW -- Towards Blockchain-based Rule-Sharing Firewall

Contact Info

Product

Resources

About