RESUMO
The use of IoT devices has increased rapidly in recent times. While the development of new devices is moving quickly, and as prices are being forced down, the costs of developing such devices also needs to be reduced. IoT devices are now trusted with more critical tasks, and it is important that they behave as intended and that the information they process is protected. It is not always the IoT device itself that is the target of a cyber attack, but rather, it can be a tool for another attack. Home consumers, in particular, expect these devices to be easy to use and set up. However, to reduce costs, complexity, and time, security measures are often cut down. To increase awareness and knowledge in IoT security, education, awareness, demonstrations, and training are necessary. Small changes may result in significant security benefits. With increased awareness and knowledge among developers, manufacturers, and users, they can make choices that can improve security. To increase knowledge and awareness in IoT security, a proposed solution is a training ground for IoT security, an IoT cyber range. Cyber ranges have received more attention lately, but not as much in the IoT field, at least not what is publicly available. As the diversity in IoT devices is large with different vendors, architectures, and components and peripherals, it is difficult to find one solution that fits all IoT devices. To some extent, IoT devices can be emulated, but it is not feasible to create emulators for all types of devices. To cover all needs, it is necessary to combine digital emulation with real hardware. A cyber range with this combination is called a hybrid cyber range. This work surveys the requirements for a hybrid IoT cyber range and proposes a design and implementation of a range that fulfills those requirements.
RESUMO
Internet of Things (IoT) devices are becoming a part of our daily life; from health monitors to critical infrastructure, they are used everywhere. This makes them ideal targets for malicious actors to exploit for nefarious purposes. Recent attacks like the Mirai botnet are just examples in which default credentials were used to exploit thousands of devices. This raises major concerns about IoT device security. In this work, we aimed to investigate security of IoT devices through performing automatic penetration test on IoT devices. A penetration test is a way of detecting security problems, but manually testing billions of IoT devices is infeasible. This work has therefore examined autonomous penetration testing on IoT devices. In recent studies, automated attack execution models were developed for modeling automated attacks in cyber ranges. We have (1) investigated how such models can be applied for performing autonomous IoT penetration testing. Furthermore, we have (2) investigated if some well known and severe Wi-Fi related vulnerabilities still exist in IoT devices. Through a case study, we have shown that the such models can be used to model and design autonomous penetration testing agents for IoT devices. In addition, we have demonstrated that well-known vulnerabilities are present in deployed and currently sold products used in IoT devices, and that they can be both autonomously revealed through our developed system.
Assuntos
Internet das CoisasRESUMO
Information Technology (IT) has become an essential part of our lives and due to the emergence of the Internet-of-Things (IoT), technology has encompassed a majority of things that humans rely on in their daily lives. Furthermore, as IT becomes more relevant in daily lives, the need for IT to serve public emergency services has become more important. However, due to the infancy status of IoT, there is a need for a data consortium that would prove to be best used in servicing policing in a technological driven society. This paper will discuss the plausibility of creating a universal format for use in carrying out public services, such as emergency response by the police and regular law maintenance. In this research we will discuss what the police requires in their line-of-duty and how smart devices can be used to satisfy those needs. A data formatting framework is developed and demonstrated, with the goal of showing what can be done to unifying data from smart city sensors.
