Mirage: Towards a Metasploit-Like Framework for IoT

Internet of Things (IoT) devices are now widely used in individual homes and factories, and securing these new systems has become a priority. However, conducting security audits of these connected objects based on experimental evaluation is a challenging task: it requires heterogeneous hardware components, which in turn lead to a set of specialised software tools that are generally incompatible with each other and often complex to use. In this paper, we present a security audit and penetration testing framework called Mirage. This framework, written in Python, is dedicated to the analysis of wireless communications commonly used by IoT devices, and provides a generic, modular, unified and low-level audit environment that is easy to adapt to new protocols. The paper describes the software architecture of Mirage, its goals and main features, and presents a concrete example of a security audit performed with this framework.
