IoT-PEN: A Penetration Testing Framework for IoT

Geeta Yadav, Kolin Paul, Alaa Allakany, Koji Okamura

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


With 5th generation wireless systems (5G) on the horizon, the Internet of Things (IoT) is expected to take the major portion of computing. The lack of inbuilt security and security protocols in cheap IoT devices allows an attacker to exploit these devices' vulnerabilities and break into the target device. IoT network security was initially perceived from the perspective of a single, or only a few, attack surfaces. However, attacks like Mirai, WannaCry, Stuxnet, etc. show that a cyber attack often comprises a series of attacks on vulnerabilities of victim devices to reach the target device. Penetration testing is generally used to periodically identify the vulnerabilities/possible attacks on traditional systems. A timely fix of these vulnerabilities can avoid future attacks. Traditional penetration testing methods focus on isolated and manual testing of a host, which fails to detect attacks involving multiple hosts and multiple stages. In this paper, we introduced IoT-PEN, a first-of-its-kind Penetration Testing Framework for IoT. The framework consists of a server-client architecture with "a system with resources" as the server and all "IoT nodes" as clients. IoT-PEN is an end-to-end, scalable, flexible, and automatic penetration testing framework for IoT. IoT-PEN seeks to discover all possible ways an attacker can breach the target system using target-graphs. It constructs prerequisites and postconditions for each vulnerability using the National Vulnerability Database (NVD). We also demonstrated that even if an individual system is secure under some threat model, the attacker can use a kill-chain (a sequence of exploitation of multiple vulnerabilities on different hosts) to reach the target system.

Original language: English
Title of host publication: 34th International Conference on Information Networking, ICOIN 2020
Publisher: IEEE Computer Society
Number of pages: 6
ISBN (Electronic): 9781728141985
Publication status: Published - Jan 2020
Event: 34th International Conference on Information Networking, ICOIN 2020 - Barcelona, Spain
Duration: Jan 7 2020 to Jan 10 2020

Publication series

Name: International Conference on Information Networking
ISSN (Print): 1976-7684

Conference: 34th International Conference on Information Networking, ICOIN 2020

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems

  • Cite this

    Yadav, G., Paul, K., Allakany, A., & Okamura, K. (2020). IoT-PEN: A Penetration Testing Framework for IoT. In 34th International Conference on Information Networking, ICOIN 2020 (pp. 196-201). [9016445] (International Conference on Information Networking; Vol. 2020-January). IEEE Computer Society.