The Internet of Things paradigm raises many issues in terms of privacy and security. Systems that are commonly configured by personnel with limited experience manage an incredible amount of personal data and have direct control over home systems (e.g. controlling home lights or the home heating system). The purpose of our research is to define a methodology that automates the penetration testing actions as much as possible, in order to help a tester with limited security skills find possible attacks and demonstrate them clearly to the home user. The core idea is that we rely on an existing automated threat modeling technique to build up the possible attacks on the system under test. The threats are concrete and understandable even to non-experts, like home users, and help them identify real risks and possible countermeasures. The paper demonstrates the proposed approach on a very typical use case, a smart home controlled through the Alexa Voice Assistant, showing how it is possible to find a working attack on such a system using very cheap dedicated hardware and common tools.

Systematic IoT penetration testing: ALEXA case study / Rak, M.; Salzillo, G.; Romeo, C. - 2597:(2020), pp. 190-200. (Paper presented at the 4th Italian Conference on Cyber Security, ITASEC 2020, held in ita in 2020).

Systematic IoT penetration testing: ALEXA case study

Rak M.;
2020

Files in this item:
File: ITASEC2020camera.pdf
Availability: not available
License: Not specified
Size: 1.77 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11588/986038