Conference Paper · January 2019
DOI: 10.1109/HPCC/SmartCity/DSS.2018.00244
Source: https://www.researchgate.net/publication/330881119 (uploaded by Ge Chu on 12 February 2019)


Penetration Testing for Internet of Things and Its Automation

Ge Chu, Department of Computer Science, University of Liverpool, Liverpool, UK. Email: gechu@liverpool.ac.uk
Alexei Lisitsa, Department of Computer Science, University of Liverpool, Liverpool, UK. Email: lisitsa@liverpool.ac.uk

Abstract—The Internet of Things (IoT) is an emerging technology, an extension of the traditional Internet in which everything is connected to everything else by means of Radio Frequency Identification (RFID), sensors, GPS, Machine-to-Machine technologies and the like. The security issues surrounding the IoT have had a detrimental impact on its development and have consequently attracted research interest. However, very few approaches assess the security of the IoT from the perspective of an attacker. Penetration testing is widely used to evaluate the security of traditional Internet systems, but it normally costs a great deal of money and time. In this paper, we analyze the security problems of the IoT and propose a penetration testing approach, together with its automation based on the belief-desire-intention (BDI) model, to evaluate the security of the IoT.

Keywords-Internet of Things; IoT security; penetration testing; belief-desire-intention (BDI) model

I. INTRODUCTION

The Internet of Things (IoT) was proposed by MIT in 1999, marking an important part of the new generation of information technology [1]. The Internet of Things is considered an extension of the traditional Internet, whereby things in the physical world are connected to the Internet, allowing information to be communicated easily, along with recognition, location, tracking, monitoring and management based on Radio Frequency Identification (RFID), sensors, GPS, Machine-to-Machine technologies, etc. According to the existing literature, the IoT structure consists of three layers: application, network and perception [2]. The application layer provides various services to users in different scenarios. The network layer is responsible for information transmission and processing. Finally, the perception layer collects information and identifies objects in the physical world, and includes various hardware terminals such as RFID, sensors, GPS, etc. Currently, IoT technology has been applied in various fields such as the smart grid, intelligent traffic, smart cities, smart homes, intelligent healthcare [3], physical activity [4]–[7] and smart buildings. However, due to a growing number of attacks, it has received significant attention with a specific focus on security.

Penetration testing is a widely used methodological approach which evaluates the security of the traditional Internet or of systems through the simulation of a real attack [8]. According to PTES (the penetration testing execution standard) [9], the process of penetration testing comprises Pre-Engagement Interaction, Information Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting. The main difference between an attacker and penetration testing lies in legal authorization: penetration testing aims to improve the security of the system rather than to destroy or access information illegally, and it does not affect the availability of the target systems. During the 1970s, the U.S. military used penetration testing to discover potential unknown vulnerabilities, hiring hackers to probe and attack mirror targets, which enabled software engineers to build more robust computer network systems. Arguably, penetration testing is one of the most effective methods for improving the security level of a target system. An increasing number of companies and organizations have begun to take advantage of this method to identify and address potential vulnerabilities in their systems and prevent future harm.

The majority of IoT security research focuses on analysis, defense or attack on a specific device. There is not, as yet, an approach to evaluate the overall security of the IoT from the perspective of an attacker. Although penetration testing is a heavily favored method, the process requires extensive financial cost and takes a significant amount of time. Automation can significantly improve the efficiency of penetration testing. In this paper, we analyze the security problems of the IoT and propose a penetration testing methodology and its automation based on the belief-desire-intention (BDI) model, one of the classical cognitive architectures for agents [10], to evaluate IoT security.

The rest of this paper is organized as follows: Section II analyzes the security problems of the IoT. Section III proposes the penetration testing methodology for the IoT. In Section IV, we discuss its automation by the BDI model. In Section V, we validate the automated penetration testing for the IoT by a simulation experiment, and we give the conclusion in Section VI.

II. SECURITY ISSUES IN INTERNET OF THINGS

Compared to the traditional Internet, the security of the IoT has specialised characteristics because the three-layered structure causes more vulnerabilities and attack surfaces.
Therefore, the traditional network security solutions are not sufficient to provide protection for the IoT. In the three-layered structure of the IoT, each layer has specific security issues, some of which are similar to those of the traditional network. This section analyzes the security issues in each individual layer.
A. Perception layer security

The perception layer, also known as the recognition layer or physical layer, collects information from the real world and integrates it into the digital world through RFID, sensors, GPS and other hardware devices. Normally, the nodes in the perception layer are lightweight, with low power, limited computing ability and little storage space, and they remain unattended. Therefore, traditional information security solutions are not adopted at the perception layer. From the perception network down to the nodes, specific security issues cause more vulnerabilities and attack surfaces. For example, nodes are vulnerable to skimming, eavesdropping, spoofing, cloning, killing, jamming and shielding attacks, etc.

B. Network layer security

The network layer is responsible for the transmission of information between the application layer and the perception layer. The network layer is a combination of a variety of networks including the Internet, mobile communication networks, satellite, GSM, GPRS, 3G, 4G, WiFi and so on. The security issues of these networks are similar to the traditional ones: they are vulnerable to DDoS attacks, sniffing attacks, data tampering attacks, data replay attacks, signal interference attacks, etc. In addition, the mix of different network architectures also causes new security issues.

C. Application layer security

The application layer provides a variety of services to users such as the smart grid, intelligent traffic, smart city, smart home, intelligent healthcare, smart building, etc. The IoT can be accessed and managed by users through various applications on different technological platforms such as computers, mobile devices or smart hardware devices. The main security risk of the application layer (as with the other layers) is its vulnerability to attacks that depend on the IoT scenario, e.g. buffer overflow attacks, SQL injection, XSS, password attacks and social engineering attacks.

III. PENETRATION TESTING FOR IOT

Based on established research on IoT-specific security issues and the IoT Attack Surface Areas project by OWASP [11], it has been shown that the perception layer is what distinguishes traditional penetration testing from penetration testing for the IoT. We propose that the process of IoT penetration testing be considered in terms of four stages, as shown in Figure 1, namely: 1) information gathering; 2) analysis; 3) exploitation and 4) reporting.

Figure 1. The process of IoT penetration testing

A. Information gathering

Information gathering in the initial stage is a critical step that determines the success of penetration testing; it probes information from all three IoT structural layers (perception, network and application).

1) Perception layer: In the perception layer, it is essential to collect information regarding the physical environment, the location of the node, the type of node, the range of the node, the type of connection, the type of communication protocol, the topology of the nodes, the type of node operating system, the power of the node, the security mechanism, node vulnerabilities and transmission protocol vulnerabilities. Examples of tools include:

• Hardware Bridge API: an IoT penetration testing extension in Metasploit.
• Nmap: a free and open source utility for network discovery and security auditing.
• OpenVAS: an advanced open source vulnerability scanner and management system.
• Nessus: a widely used vulnerability scanner.

2) Network layer: In the network layer, it is critical to collect information similar to that of traditional penetration testing, such as the type of network, type of connection, security mechanism, type of communication and transmission protocol vulnerabilities, by means of network attack tools, for example the well-known wireless attack suite Aircrack-ng.

3) Application layer: Although the IoT is used in a wide variety of application scenarios, application layer information gathering is similar to traditional information gathering. It is vital to collect information regarding the type of OS, ports, service information, type of access control, configuration information and vulnerability information, using Nmap, OpenVAS, Nessus, etc.

4) Social engineering information: To improve the probability of success of penetration testing, social engineering information also needs to be collected, for example DNS information, the email list, application information, etc. DNSenum and Fierce are well known for collecting DNS information, and the email list can be collected with theHarvester.
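As an added illustration of the application-layer step above (example code written for this page, not a tool or code from the paper), the following Python script turns an Nmap XML report (the output of nmap -sV -O -oX) into ground facts in AgentSpeak syntax, so that scanner output can be loaded straight into the kind of belief set the agent of Sections IV and V reasons over. The XML sample is constructed for the example and does not describe a real host, and the predicate names port/3, service/5 and os/3 are our own choice rather than the paper's. Closed and filtered ports are deliberately dropped: they are not an attack surface the exploitation stage can act on.

```python
"""Convert an Nmap XML report into AgentSpeak-style beliefs.

Added example (not from the paper). Only the application-layer host scan
is covered; perception-layer facts (node type, radio protocol, ...) come
from other tools and would be added to the same belief set.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample in Nmap's -oX format; host, products and versions are made up.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.10">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="nginx" version="1.14.0"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 4.4" accuracy="96"/>
      <osmatch name="Linux 3.10" accuracy="90"/>
    </os>
  </host>
</nmaprun>
"""


def q(s: str) -> str:
    """Quote a value as an AgentSpeak string literal. Names such as
    'http-proxy' are not valid bare atoms, so every string is quoted."""
    return '"' + s.replace('\\', '\\\\').replace('"', '\\"') + '"'


def nmap_to_beliefs(xml_text: str) -> List[str]:
    """Return one ground fact per open port, per identified service and for
    the best OS match, using these hypothetical predicates:
      port(Addr, Port, Proto).
      service(Addr, Port, Name, Product, Version).
      os(Addr, Name, Accuracy).
    Closed and filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    beliefs: List[str] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr", "")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            pid, proto = port.get("portid"), port.get("protocol", "tcp")
            beliefs.append(f"port({q(addr)},{pid},{proto}).")
            svc = port.find("service")
            if svc is not None:
                beliefs.append("service({},{},{},{},{}).".format(
                    q(addr), pid, q(svc.get("name", "unknown")),
                    q(svc.get("product", "")), q(svc.get("version", ""))))
        # Nmap lists several candidate OS matches; keep the most accurate one.
        matches = [(int(m.get("accuracy", "0")), m.get("name", ""))
                   for m in host.iter("osmatch")]
        if matches:
            accuracy, name = max(matches)
            beliefs.append(f"os({q(addr)},{q(name)},{accuracy}).")
    return beliefs


if __name__ == "__main__":
    print("\n".join(nmap_to_beliefs(SAMPLE_NMAP_XML)))
```

For the sample above the script emits five facts: two port/3 facts (22 and 80), their two service/5 facts and os("192.0.2.10","Linux 4.4",96); the filtered MySQL port is not reported. Feeding a real scan through the same function gives the agent the "OS type, port, services" beliefs that Section V.C describes it probing for.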
B. Analysis

In the analysis stage, the information regarding the target must be organized and analysed, and viable attack paths and plans to obtain access privileges on the target must then be discerned. Additionally, a validity check is often required and is performed within an experimental environment.

C. Exploitation

At this stage, a real attack is performed based on the viable attack paths and plans from the analysis stage. During penetration testing, DDoS attacks are prohibited in order to preserve the availability of the target.

1) Perception layer: The characteristics of IoT nodes in the perception layer determine the attacks on the perception layer and are the cause of the difference between traditional and IoT penetration testing. Specific attacks can be performed by the Hardware Bridge API or IoTSeeker, including [12]:

• Skimming: reading the node information illegally.
• Eavesdropping: sniffing information between the nodes and the router.
• Spoofing: generating fake node data.
• Cloning: cloning a fake node.
• Killing: stealing and destroying the node.
• Buffer overflow attack on the node.
• Access control attack on the node: IoTSeeker breaks the default password of the IoT device.

2) Network layer: Attacks on the network layer normally include network traffic sniffing, signal replay, signal faking and signal hijacking in the different network communication protocols such as WiFi, 3G, 4G, GSM, Bluetooth and so on, using wireless attack tools such as Aircrack-ng. These attacks are described below:

• Network traffic sniffer: sniffing information between networks.
• Signal replay: replaying legitimate information to attack the target.
• Signal fake: generating legitimate-looking information to attack the target.
• Signal hijacking: jamming the target network and forcing the target node to connect to a fake network under the attacker's control.

3) Application layer: Attacks on the application layer are very similar to traditional penetration testing and consist of web application attacks, software buffer overflow attacks, password attacks and so on, using the tools below:

• Metasploit: the most critically acclaimed penetration testing framework, including thousands of exploits and payloads.
• W3af: a web application attack framework.
• John the Ripper: a password cracker.

4) Social engineering attack: A social engineering attack is a type of attack that exploits the general public's lack of security awareness. In a hypothetical example, employees can be targeted through the delivery of a malicious email which grants machine access privileges in the target's sub-network and furthers the penetration testing objectives. Performing this type of attack requires SEToolkit, the most renowned social engineering toolkit within the field of penetration testing.

D. Reporting

A successful penetration testing simulation results in the identification of vulnerabilities, the details of which are processed and subsequently reported to the owner of the target, with information to improve future security.

IV. AUTOMATION

Success in penetration testing requires an established set of goals and plans. In order to achieve automation, the BDI agent is the ideal model for this problem due to its ability to interact with the target via perception and action during penetration testing. This section examines how penetration testing for the IoT can be modelled using the BDI model.

The BDI model describes the process by which an agent chooses actions in relation to the target information during penetration testing. BDI is characterised by three logical components: belief, desire and intention. Our model follows the conventions adopted in the Jason interpreter, a model based on the Procedural Reasoning System (PRS) [13]. A BDI agent is defined as a tuple <Ag, B, D, I, P, A, S>, where:

• Ag is the agent name;
• B is the belief set, which represents the information about the target and is updated after executing actions;
• D is the desire set, which represents all the options or possible candidate plans of penetration testing for the agent;
• I is the intention set, which represents the agent's goals, or which plan the agent decides to carry out;
• P is the plan set, which consists of the available plans, each giving information about how to achieve the goals;
• A is the action set, which includes the actions the agent can perform;
• S is the perception set, which stores the information from the environment.

The reasoning cycle of the BDI agent is shown in Figure 2.

V. EXPERIMENT

Our model runs on a PC with an Intel i5 CPU at 2.3 GHz and 8GB of RAM. As can be seen in Figure 3, the simulation experiment represents the BDI agent and the three layers of the IoT. We use the internal communication actions in Jason to simulate the interaction between the BDI model and the IoT. Our model is implemented in AgentSpeak/Jason [13], a multi-agent system programming language which is one of the best known and most well-established agent-based development languages for cognitive agents.

Table I. IOT INFORMATION

IoT Structure     | Service                                              | Vulnerability
Application layer | Linux, App, Nginx, MySQL, SSH                        | CVE-remote, CVE-local, port, weak password (SSH: 456)
Network layer     | WiFi                                                 | No encryption
Perception layer  | light, lightness sensor; perception network: ZigBee  | No encryption, replay attack

A. IoT target

We pre-define the information of the IoT target in three layers, including the services and the corresponding vulnerabilities as shown in Table I, and this information is stored in the belief set. Simulating the three IoT structural layers required the creation of four agents, which represent the application layer, the network layer and the two nodes in the perception layer respectively. Information can be transmitted between each layer and the nodes, and the network layer is responsible for the information transmission between the application layer and the perception layer. Moreover, to make the scenario uncertain, we use a random number to determine the result of an attack.

Figure 2. The BDI agent reasoning cycle

B. BDI agent


In the BDI agent, the default value of privilege is none, and the initial goal is to obtain root privilege in the application layer or to control the IoT. We pre-define plans to probe information from, and to attack, the three layer agents, based on the penetration testing for the IoT described in the previous section. For example, the BDI agent can probe the OS type, ports, services, vulnerability information and network type, and can perform password attacks, sniffing attacks, replay attacks and buffer overflow attacks on the three layers. The simulation experiment is achieved by the Jason internal actions askAll and tell. The Jason code is shown below:

    // ask a layer agent for all of its beliefs that unify with information_type(Value)
    +!probe_information : true <- .send(agent_name, askAll, information_type(Value)).
    // tell a layer agent that an attack action is performed against it
    +!attack_action : true <- .send(agent_name, tell, attack_action).
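To make the reasoning cycle of Section IV and the probe/attack plans above concrete, the following Python program is an added example written for this page; it is not the paper's Jason code and does not use the Jason runtime. It models the tuple <Ag, B, D, I, P, A, S>: B is a set of ground facts, P is a list of plans each with a triggering goal and a context condition over B (the applicable ones form the options D), I is a stack of steps the agent has committed to, and the actions in A are carried out through an environment object that stands in for the askAll/tell messages to the layer agents, whose replies are the perceptions S. The target facts mirror Table I; the predicate names, the per-attack success probabilities and the plan bodies are assumptions of this example. As in the paper's experiment, the outcome of an attack is decided by a random draw, but the draw is injectable so a scripted sequence reproduces the run of Section V.C (password attack succeeds, local exploit fails, sniffing and replay succeed).

```python
"""Minimal BDI reasoning cycle for the IoT penetration-testing scenario.
Added example written for this page; not the paper's Jason code."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Facts held by the three layer agents, mirroring Table I. Predicate names
# and attack odds are assumptions of this example, not the paper's.
TARGET: Dict[str, Set[str]] = {
    "application": {"os(linux)", "port(22)", "service(ssh)", "weak_password(ssh)", "cve_local(app)"},
    "network": {"network(wifi)", "encryption(none)"},
    "perception": {"node(light)", "node(light_sensor)", "protocol(zigbee)"},
}
ATTACKS: Dict[str, Tuple[float, Set[str]]] = {  # success odds, perceptions on success
    "password_attack": (0.9, {"privilege(user)"}),
    "local_exploit": (0.3, {"privilege(root)"}),
    "sniff": (0.95, {"captured(turn_on_light)", "captured(light_sensor(40))"}),
    "replay": (0.95, {"control(light)"}),
}

@dataclass
class Plan:
    goal: str                            # triggering goal (one of the desires D)
    context: Callable[[Set[str]], bool]  # applicability condition over the beliefs B
    body: List[str]                      # "!subgoal", "probe LAYER" or "attack LAYER NAME"

class Environment:
    """Stands in for the askAll/tell exchanges with the layer agents."""
    def __init__(self, draw: Callable[[], float]):
        self.draw = draw  # random source; injectable so outcomes can be scripted

    def ask_all(self, layer: str) -> Set[str]:
        return set(TARGET[layer])

    def tell(self, layer: str, attack: str) -> Set[str]:
        odds, effects = ATTACKS[attack]
        return set(effects) if self.draw() <= odds else {f"failed({layer},{attack})"}

PLANS: List[Plan] = [
    Plan("control_iot", lambda b: True, ["!gather", "!escalate", "!take_over_node"]),
    Plan("gather", lambda b: True, ["probe application", "probe network", "probe perception"]),
    # Crack the weak SSH password, then re-post the goal so that the local
    # exploit plan becomes applicable once user privilege is held.
    Plan("escalate", lambda b: "weak_password(ssh)" in b and "privilege(none)" in b
         and "failed(application,password_attack)" not in b,
         ["attack application password_attack", "!escalate"]),
    Plan("escalate", lambda b: "privilege(user)" in b and "cve_local(app)" in b,
         ["attack application local_exploit"]),
    # Sniff the unencrypted link, then replay the captured light command.
    Plan("take_over_node", lambda b: "encryption(none)" in b
         and "captured(turn_on_light)" not in b and "failed(network,sniff)" not in b,
         ["attack network sniff", "!take_over_node"]),
    Plan("take_over_node", lambda b: "captured(turn_on_light)" in b and "protocol(zigbee)" in b,
         ["attack perception replay"]),
]

class BDIAgent:
    def __init__(self, plans: List[Plan], env: Environment):
        self.beliefs: Set[str] = {"privilege(none)"}  # B: default privilege is none
        self.plans, self.env = plans, env              # P, and the source of perceptions S
        self.intentions: List[str] = []                # I: stack of committed steps
        self.trace: List[str] = []

    def run(self, goal: str, max_cycles: int = 40) -> Set[str]:
        """Reasoning cycle: pop the next intended step; for a goal select an
        applicable plan, for an action execute it and perceive the result."""
        self.intentions = [f"!{goal}"]
        for _ in range(max_cycles):
            if not self.intentions:
                break
            step = self.intentions.pop()
            if step.startswith("!"):
                self._select_plan(step[1:])
            else:
                self._act(step)
        return self.beliefs

    def _select_plan(self, goal: str) -> None:
        for plan in self.plans:
            if plan.goal == goal and plan.context(self.beliefs):
                self.intentions.extend(reversed(plan.body))  # first body step on top
                self.trace.append(f"!{goal} -> {plan.body}")
                return
        # No applicable plan: drop only this goal (simplified failure handling)
        # so the remaining top-level steps still run.
        self.beliefs.add(f"goal_failed({goal})")
        self.trace.append(f"!{goal} -> no applicable plan")

    def _act(self, step: str) -> None:
        kind, layer, *rest = step.split()
        percepts = self.env.ask_all(layer) if kind == "probe" else self.env.tell(layer, rest[0])
        if any(p.startswith("privilege(") for p in percepts):  # a new privilege replaces the old
            self.beliefs = {b for b in self.beliefs if not b.startswith("privilege(")}
        self.beliefs |= percepts
        self.trace.append(f"{step} -> {sorted(percepts)}")

def simulate(draw: Callable[[], float]) -> BDIAgent:
    """Run one automated penetration test with the given random source."""
    agent = BDIAgent(PLANS, Environment(draw))
    agent.run("control_iot")
    return agent

if __name__ == "__main__":
    result = simulate(random.Random(7).random)
    print("\n".join(result.trace + [str(sorted(result.beliefs))]))
```

Calling simulate(iter([0.1, 0.9, 0.1, 0.1]).__next__) scripts the four draws and ends, as in Section V.C, with privilege(user), failed(application,local_exploit), captured(light_sensor(40)) and control(light) in the belief set; the trace lists every plan selection and action in the order the cycle executed them. The two context conditions on the re-posted goals are what keep the agent from retrying a failed attack forever, which a plan library without such guards would do.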
C. Simulation

A failed attack on the application layer was assumed, while the attacks on the network and perception layers were successful, showing the difference between the traditional and the current penetration testing system for the IoT. The basic information in the three layers was successfully obtained; this includes the OS type, ports, services, network type, network security and vulnerabilities. The process of penetration testing for the IoT by the BDI agent can be observed in Figure 4. Moreover, the BDI agent was successful in breaking the SSH password and was able to obtain user privileges. However, it failed to perform the local buffer overflow attack to get root privilege because of the low random number. The BDI agent was successful in performing the sniffing attack due to the lack of security protection over the information transmitted between the layers. This resulted in gaining the necessary information regarding the light sensor and the light control instructions. The information the BDI agent collected and stored in its belief set is displayed in Figure 5. Figure 6 shows the process of information transmission in the network layer. The command to "turn on the light" and the light sensor information were transmitted between the application and the network layer, which is exhibited in the belief set of the network layer. The basic information and the value from the perception layer are contained within the belief set of the application layer agent displayed in Figure 7. We assume the value of the light sensor is 40. In the perception layer, two agents represent the light and the light sensor. Our BDI agent can perform the replay attack according to the light sensor information and the light control instructions, as shown by the belief sets of node1 and node2 displayed in Figures 8 and 9.

Figure 3. The interaction between BDI agent and IoT
Figure 4. The process of penetration testing for IoT by BDI agent
Figure 5. The belief set of BDI agent
Figure 6. The belief set of network layer agent
Figure 7. The belief set of application layer agent
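The replay attack the agent carries out succeeds because, as Table I records, neither the WiFi link nor the ZigBee perception network in the target is encrypted, so a captured "turn on the light" command is indistinguishable from a fresh one. The following Python program is an added example written for this page (not the paper's code) that shows the vulnerable node beside a hardened one: a frame format, shared key and node behaviour constructed for the example, not a real ZigBee frame. The hardened node checks a truncated HMAC over a monotonically increasing counter and the payload, which is the same freshness-plus-integrity idea that ZigBee's own security suite (a frame counter with an AES-CCM* MIC) provides when it is actually enabled.

```python
"""Replay on an unencrypted perception-layer link (Table I, Section V.C),
beside the freshness check that defeats it. Added example, not from the paper."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# Hypothetical command frame layout: node id (1 byte), command (1 byte),
# sensor value (2 bytes). A made-up format, not a real ZigBee frame.
CMD_LIGHT_ON, CMD_LIGHT_OFF = 1, 2
TAG_LEN = 8


def plain_frame(node: int, cmd: int, value: int) -> bytes:
    return struct.pack(">BBH", node, cmd, value)


class PlainNode:
    """Accepts every well-formed frame: no key, no counter, as in the
    'No encryption' rows of Table I."""

    def __init__(self) -> None:
        self.light_on = False
        self.seen: List[Tuple[int, int]] = []

    def receive(self, frame: bytes) -> bool:
        _node, cmd, value = struct.unpack(">BBH", frame)
        self.light_on = cmd == CMD_LIGHT_ON
        self.seen.append((cmd, value))
        return True


def auth_frame(key: bytes, counter: int, node: int, cmd: int, value: int) -> bytes:
    """Frame carrying a monotonically increasing counter and a truncated HMAC
    over counter and payload (a frame counter plus a MIC, in link-layer terms)."""
    body = struct.pack(">IBBH", counter, node, cmd, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class AuthNode:
    """Rejects frames whose tag does not verify or whose counter is not fresh."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.light_on = False

    def receive(self, frame: bytes) -> bool:
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or tampered frame
        counter, _node, cmd, _value = struct.unpack(">IBBH", body)
        if counter <= self.last_counter:
            return False                      # replayed (or reordered) frame
        self.last_counter = counter
        self.light_on = cmd == CMD_LIGHT_ON
        return True


def demo() -> Dict[str, bool]:
    """Sniff one legitimate 'turn on the light' frame, then replay it at both nodes."""
    key = b"constructed-demo-key-not-a-real-secret"
    plain, hardened = PlainNode(), AuthNode(key)

    captured_plain = plain_frame(node=1, cmd=CMD_LIGHT_ON, value=40)  # sniffed by the attacker
    plain.receive(captured_plain)                                     # legitimate command
    plain.receive(plain_frame(1, CMD_LIGHT_OFF, 40))                  # owner turns the light off
    plain_replay = plain.receive(captured_plain)                      # attacker replays: accepted

    captured_auth = auth_frame(key, 1, 1, CMD_LIGHT_ON, 40)           # sniffed by the attacker
    auth_legit = hardened.receive(captured_auth)
    hardened.receive(auth_frame(key, 2, 1, CMD_LIGHT_OFF, 40))
    auth_replay = hardened.receive(captured_auth)                     # stale counter: rejected
    tampered = captured_auth[:-TAG_LEN - 2] + b"\x00\x10" + captured_auth[-TAG_LEN:]
    auth_tamper = hardened.receive(tampered)                          # tag mismatch: rejected

    return {"plain_replay_accepted": plain_replay and plain.light_on,
            "auth_legit_accepted": auth_legit,
            "auth_replay_accepted": auth_replay or hardened.light_on,
            "auth_tamper_accepted": auth_tamper}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

demo() returns True only for plain_replay_accepted and auth_legit_accepted: the unencrypted node switches the light back on when the captured frame is resent, while the hardened node rejects both the replay and a frame whose sensor value was altered. Note that the counter check alone is not enough; without the tag an attacker could simply increment the counter in a captured frame.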
Figure 8. The belief set of the Node 1
Figure 9. The belief set of Node 2

VI. CONCLUSION

In this paper, we first introduced the concepts of the IoT and penetration testing. Secondly, we discussed the security of the IoT and delineated its security features. Thirdly, we proposed a methodology to perform penetration testing for the IoT and introduced specific tools. Then, to improve efficiency, we used the BDI model to achieve its automation, and finally we validated our work by a simulated experiment in Jason. In future research, we will extend the model with more actions and experiment in a real environment.

REFERENCES

[1] L. D. Xu, W. He, and S. Li, "Internet of things in industries: A survey," IEEE Trans. Industrial Informatics, vol. 10, no. 4, pp. 2233–2243, 2014.
[2] G. Gan, Z. Lu, and J. Jiang, "Internet of things security analysis," in Internet Technology and Applications (iTAP), 2011 International Conference on. IEEE, 2011, pp. 1–4.
[3] J. Qi, P. Yang, G. Min, O. Amft, F. Dong, and L. Xu, "Advanced internet of things for personalised healthcare systems: A survey," Pervasive and Mobile Computing, vol. 41, pp. 132–149, 2017.
[4] P. Yang, M. Hanneghan, J. Qi, Z. Deng, F. Dong, and D. Fan, "Improving the validity of lifelogging physical activity measures in an internet of things environment," in CIT/IUCC/DASC/PICom. IEEE, 2015, pp. 2309–2314.
[5] J. Qi, P. Yang, M. Hanneghan, D. Fan, Z. Deng, and F. Dong, "Ellipse fitting model for improving the effectiveness of life-logging physical activity measures in an internet of things environment," IET Networks, vol. 5, no. 5, pp. 107–113, 2016.
[6] J. Qi, P. Yang, D. Fan, and Z. Deng, "A survey of physical activity monitoring and assessment using internet of things technology," in CIT/IUCC/DASC/PICom. IEEE, 2015, pp. 2353–2358.
[7] J. Qi, P. Yang, M. Hanneghan, and S. Tang, "Multiple density maps information fusion for effectively assessing intensity pattern of lifelogging physical activity," Neurocomputing, vol. 220, pp. 199–209, 2017.
[8] M. Denis, C. Zena, and T. Hayajneh, "Penetration testing: Concepts, attack methods, and defense strategies," in Systems, Applications and Technology Conference (LISAT), 2016 IEEE Long Island. IEEE, 2016, pp. 1–6.
[9] "IoT Attack Surface Areas - OWASP." [Online]. Available: https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
[10] A. S. Rao and M. P. Georgeff, "BDI agents: From theory to practice," in ICMAS. The MIT Press, 1995, pp. 312–319.
[11] "IoT Attack Surface Areas - OWASP." [Online]. Available: https://www.owasp.org/index.php/IoT_Attack_Surface_Areas
[12] B. Khoo, "RFID as an enabler of the internet of things: Issues of security and privacy," in iThings/CPSCom. IEEE Computer Society, 2011, pp. 709–712.
[13] R. H. Bordini, J. F. Hübner, and M. Wooldridge, Programming multi-agent systems in AgentSpeak using Jason. John Wiley & Sons, 2007, vol. 8.
