Threat Modeling based Penetration Testing: The Open Energy Monitor Case study

Rak M.; 2020

Abstract

The widespread diffusion of intelligent objects that are connected to the Internet and continuously interact with people is now a fact. However, this paradigm has a side effect in terms of privacy and security: personal data and the control of critical devices (e.g., boiler, air conditioning, video surveillance, controlled gates, ...) are often delegated to home automation systems, which are often managed by non-expert users and, consequently, likely exposed to multiple security threats. This article follows a research line that aims to offer a systematic way to identify threats in Internet of Things systems and, consequently, to plan penetration testing procedures, automated as much as possible, that outline possible security holes and help to raise awareness of the issues related to these new technologies. In this paper, we address a typical home system, the Open Energy Monitor, to demonstrate our methodology. In this analysis we focus on the MQTT protocol, commonly used for communication between IoT devices, and propose a complete Threat Model for this protocol. The main innovative contribution of this paper is the catalog of threats made available for MQTT-based devices (highly reusable in different environments) and the planning of penetration tests, which relies on a cyber threat intelligence database, offered by MITRE, that collects common attack patterns.
2020
ISBN: 9781450387514
Use this identifier to cite or link to this document: https://hdl.handle.net/11591/445420