Semi-Automatic PenTest Methodology based on Threat-Model: The IoT Brick Case Study

Integration of the Internet of Things (IoT) with cloud computing has accelerated the emergence of a wide range of new applications in different areas, such as manufacturing, supply chains, commercial, engineering, etc. On the other hand, security represents a severe limitation in the adoption of IoT technology in many contexts. Although the cloud paradigm offers and enables flexible adoptions of on-demand services to a variety of IoT applications, due to limited resources of IoT devices and rapid implementation, IoT-cloud-based infrastructures are prone to numerous security vulnerabilities and threats. Therefore, it has become imperative to develop or enhance security strategies. Ideally, security should be built in from the early stages of a new product's development, which often starts as a prototype for internal use and then becomes an end-user product. Therefore, it is necessary to certify the level of security through vulnerability assessments or penetration tests, before the product is made available to the general public. Since both activities are time- and resource-consuming, a semi-automatic penetration testing technique based on the PETIoT framework has been proposed. The suggested approach can be used to evaluate the security of a system that's already in place. It takes into account potential threats, likely attacks, and provides recommendations for improvements. The methodology has been applied to a common IoT case study: the IoT Brick by Babuino Controllers.