IoT-PEN: A Penetration Testing Framework for IoT

Geeta Yadav, Kolin Paul, Alaa Allakany, Koji Okamura

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    8 Citations (Scopus)


    With the horizon of 5th generation wireless systems (5G), Internet of Things (IoT) is expected to take the major portion of computing. The lack of inbuilt security and security protocols in cheap IoT devices give privilege to an attacker to exploit these device's vulnerabilities and break into the target device. IoT network security was initially perceived from the perspective of a single, or a few attacks surface only. However, attacks like Mirai, Wannacry, Stuxnet, etc. show that a cyber attack often comprises of a series of attacks on vulnerabilities of victim devices to reach the target device. Penetration testing is generally used to identify the vulnerabilities/ possible attacks on traditional systems periodically. A timely fix of these vulnerabilities can avoid future attacks. Traditional penetration testing methods focus on isolated and manual testing of a host that fails to detect attacks involving multi-hosts and multi-stages.In this paper, we introduced first-of-its-kind, IoT-PEN, a Penetration Testing Framework for IoT. The framework consists of server-client architecture with "a system with resources" as server and all "IoT nodes" as clients. IoT-PEN is an end-to-end, scalable, flexible, and automatic penetration testing framework for IoT. IoT-PEN seeks to discover all possible ways an attacker can breach the target system using target-graphs. It constructs prerequisite and postconditions for each vulnerability using the National Vulnerability Database (NVD). We also demonstrated that even if an individual system is secure under some threat model, the attacker can use a kill-chain (a sequence of exploitation of multiple vulnerabilities on different hosts) to reach the target system.

    Original languageEnglish
    Title of host publication34th International Conference on Information Networking, ICOIN 2020
    PublisherIEEE Computer Society
    Number of pages6
    ISBN (Electronic)9781728141985
    Publication statusPublished - Jan 2020
    Event34th International Conference on Information Networking, ICOIN 2020 - Barcelona, Spain
    Duration: Jan 7 2020Jan 10 2020

    Publication series

    NameInternational Conference on Information Networking
    ISSN (Print)1976-7684


    Conference34th International Conference on Information Networking, ICOIN 2020

    All Science Journal Classification (ASJC) codes

    • Computer Networks and Communications
    • Information Systems


    Dive into the research topics of 'IoT-PEN: A Penetration Testing Framework for IoT'. Together they form a unique fingerprint.

    Cite this