Learning from others’ mistakes: penetration testing IoT devices in the classroom

Tom Chothia; Joeri De Ruiter

Learning from others’ mistakes: penetration testing IoT devices in the classroom

Tom Chothia, Joeri De Ruiter

Computer Science

Research output: Contribution to conference (unpublished) › Paper › peer-review

Abstract

This paper shows how it is possible to use commercial off-the-shelf IoT devices in a taught cyber security course. We argue that the current level of IoT device security makes testing them an excellent exercise for students. We have developed a course based around this idea that teaches students basic penetration testing techniques and then sets two rounds of group assignments in which they get hands-on experience with performing a security analysis of an IoT device. In the first round, the students get devices which we know are vulnerable. In the second round, the groups are mixed and they get devices with no previously known vulnerabilities. This approach enables us to provide them enough guidance in the first round to get the experience needed to perform the analysis independently in the second round. This seems to have been successful because our student teams found previously unknown vulnerabilities in five devices in the second round of tests.

Original language	English
Publication status	Published - 9 Aug 2016
Event	USENIX Workshop on Advances in Security Education - Duration: 9 Aug 2016 → 10 Sept 2016 https://www.usenix.org/conference/ase16

Conference

Conference	USENIX Workshop on Advances in Security Education
Period	9/08/16 → 10/09/16
Internet address	https://www.usenix.org/conference/ase16

Keywords

cyber security
education

Access to Document

https://www.usenix.org/conference/ase16/workshop-program/presentation/chothiaLicence: Creative Commons: Attribution (CC BY)

Cite this

@conference{6e27bfbeb4b941ecae6bb3267e447fba,

title = "Learning from others{\textquoteright} mistakes: penetration testing IoT devices in the classroom",

abstract = "This paper shows how it is possible to use commercial off-the-shelf IoT devices in a taught cyber security course. We argue that the current level of IoT device security makes testing them an excellent exercise for students. We have developed a course based around this idea that teaches students basic penetration testing techniques and then sets two rounds of group assignments in which they get hands-on experience with performing a security analysis of an IoT device. In the first round, the students get devices which we know are vulnerable. In the second round, the groups are mixed and they get devices with no previously known vulnerabilities. This approach enables us to provide them enough guidance in the first round to get the experience needed to perform the analysis independently in the second round. This seems to have been successful because our student teams found previously unknown vulnerabilities in five devices in the second round of tests.",

keywords = "cyber security , education",

author = "Tom Chothia and {De Ruiter}, Joeri",

year = "2016",

month = aug,

day = "9",

language = "English",

note = "USENIX Workshop on Advances in Security Education ; Conference date: 09-08-2016 Through 10-09-2016",

url = "https://www.usenix.org/conference/ase16",

}

TY - CONF

T1 - Learning from others’ mistakes

T2 - USENIX Workshop on Advances in Security Education

AU - Chothia, Tom

AU - De Ruiter, Joeri

PY - 2016/8/9

Y1 - 2016/8/9

N2 - This paper shows how it is possible to use commercial off-the-shelf IoT devices in a taught cyber security course. We argue that the current level of IoT device security makes testing them an excellent exercise for students. We have developed a course based around this idea that teaches students basic penetration testing techniques and then sets two rounds of group assignments in which they get hands-on experience with performing a security analysis of an IoT device. In the first round, the students get devices which we know are vulnerable. In the second round, the groups are mixed and they get devices with no previously known vulnerabilities. This approach enables us to provide them enough guidance in the first round to get the experience needed to perform the analysis independently in the second round. This seems to have been successful because our student teams found previously unknown vulnerabilities in five devices in the second round of tests.

AB - This paper shows how it is possible to use commercial off-the-shelf IoT devices in a taught cyber security course. We argue that the current level of IoT device security makes testing them an excellent exercise for students. We have developed a course based around this idea that teaches students basic penetration testing techniques and then sets two rounds of group assignments in which they get hands-on experience with performing a security analysis of an IoT device. In the first round, the students get devices which we know are vulnerable. In the second round, the groups are mixed and they get devices with no previously known vulnerabilities. This approach enables us to provide them enough guidance in the first round to get the experience needed to perform the analysis independently in the second round. This seems to have been successful because our student teams found previously unknown vulnerabilities in five devices in the second round of tests.

KW - cyber security

KW - education

M3 - Paper

Y2 - 9 August 2016 through 10 September 2016

ER -

Learning from others’ mistakes: penetration testing IoT devices in the classroom

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this