Auditing the iot or how to tame the botnet of things

Abstract

The following project consists of a guide aimed at professionals in the area of cybersecurity. Its purpose is to help them to better understand and work with IoT (Internet of Things) devices, helping them to test and improve the security of any network with IoT integrated in it. Because of their minimalistic nature, IoT devices can be substantially weak systems, easy to penetrate and crack with treacherous intentions. The increasing presence of the Internet of Things in the everyday life threatens not only individuals but governments and big corporations as well as they grow more vulnerable to many security threats. This guide, thus, responds to the increasing demand of security experts specialized on the IoT. The guide contains a set of techniques and policies with the intention of being used to check the accesibility and vulnerability of any IoT device within a network, as well as to identify the threats they suppose for the user or company involved, the measures needed to correct con gurations in devices and networks, and recommendations for a better protection and behaviour for the clients so they could improve their security in the future. Since this guide is mainly aimed at professional analysts and pentesters it's mainly focused on the detection and taxonomy of IoT security vulnerabilities through a specialized kind of penetration tests, and how to report the weaknesses and threats found. Although the guide itself describes techniques, tools and tips on the topic, it is by no means a step-by-step solution to perform any sort of test on its own, since, as described within the guide, these types of pentests are highly dynamic. However, the guide includes some references to di erent sources to aid the unexperienced reader. This guide describes numerous tools and tests available for the reader in order to perform their work, with some explanations, examples and references so they could study their tools. It also contains information on tools and guidelines useful for the creation of reports for these particular kind of tests.