PETIoT: PEnetration Testing the Internet of Things

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Attackers may attempt exploiting Internet of Things (IoT) devices to operate them unduly as well as to gather personal data of the legitimate device owners. Vulnerability Assessment and Penetration Testing (VAPT) sessions help to verify the effectiveness of the adopted security measures. However, VAPT over IoT devices, namely VAPT targeted at IoT devices, is an open research challenge due to the variety of target technologies and to the creativity it may require. Therefore, this article aims at guiding penetration testers to conduct VAPT sessions over IoT devices by means of a new cyber Kill Chain (KC) termed PETIoT. Several practical applications of PETIoT confirm that it is general, while its main novelty lies in the combination of attack and defence steps. PETIoT is demonstrated on a relevant example, the best-selling IP camera on Amazon Italy, the TAPO C200 by TP-Link, assuming an attacker who sits on the same network as the device in order to assess all the network interfaces of the device. Additional knowledge is generated in terms of three zero-day vulnerabilities found and practically exploited on the camera, one of these with High severity and the other two with Medium severity by the CVSS standard. These are camera Denial of Service (DoS), motion detection breach and video stream breach. The application of PETIoT culminates with the proof-of-concept of a home-made fix, based on an inexpensive Raspberry Pi 4 Model B device, for the last vulnerability. Ultimately, our responsible disclosure with the camera vendor led to the release of a firmware update that fixes all found vulnerabilities, confirming that PETIoT has valid impact in real-world scenarios.


💡 Research Summary

This paper addresses the growing security challenges in the Internet of Things (IoT) domain by introducing a novel, tailored methodology for conducting Vulnerability Assessment and Penetration Testing (VAPT). The core contribution is “PETIoT,” a new Cyber Kill Chain (KC) specifically designed for penetration testing IoT devices. The authors argue that while VAPT is crucial for IoT security, it remains an open challenge due to the technological diversity and creativity required. Existing general-purpose KCs, such as Lockheed Martin’s or MITRE ATT&CK, are considered too verbose or contain redundant steps when applied to the IoT context, where the target device is often physically or logically given to the tester.

PETIoT streamlines the process into a slim, six-phase chain: 1) Setup, 2) Recon & Information Gathering, 3) Vulnerability Assessment, 4) Penetration & Privilege Escalation, 5) Persistence & Impact Expansion, and 6) Fix. Its key innovations are the focus on the IoT device within its network ecosystem (including cloud servers and mobile apps) rather than just as an intrusion target, and the explicit inclusion of a “Fix” phase, combining offensive and defensive steps within a single KC—a novel approach compared to the separate ATT&CK (attack) and D3FEND (defense) frameworks.

The practical utility and generality of PETIoT are demonstrated through a comprehensive case study on the TP-Link TAPO C200, a best-selling IP camera on Amazon Italy at the time of research. Following the PETIoT phases using basic freeware tools (e.g., Nmap, Wireshark), the researchers discovered and practically exploited three previously unknown zero-day vulnerabilities:

  1. A Medium-severity (CVSS 6.5) Denial-of-Service vulnerability caused by improper packet handling.
  2. A Medium-severity (CVSS 5.4) motion detection breach due to insufficient entropy in encrypted notifications.
  3. A High-severity (CVSS 8.8) video stream breach caused by clear-text transmission of video data.

For the critical video stream vulnerability, the paper goes beyond mere identification by presenting a proof-of-concept for a homemade fix. This fix leverages an inexpensive Raspberry Pi 4 Model B to create a cryptographic tunnel, securing the video transmission. The research process culminated in responsible disclosure to the vendor, TP-Link, which led to a firmware update addressing all reported vulnerabilities, thereby validating PETIoT’s real-world impact.

The paper also reviews related work on existing Cyber Kill Chains and IP camera security, positions PETIoT within this landscape, and concludes with lessons learned and recommendations for strengthening IoT security postures. By providing a structured, actionable guide and proving its effectiveness through the discovery and remediation of significant vulnerabilities, PETIoT offers a valuable framework for security professionals and researchers engaging in IoT penetration testing.
