Summary

The Internet of Things is changing our society. The increasing amount of “smart devices” that are being connected to the Internet is attracting everyone’s attention. However, for the sake of the usability, IoT devices frequently have poor security. With the rapid development of the IoT, comes the need to secure the devices and thereby protect organisations and citizens against cyber-attacks. The first step to achieve a higher maturity of connected devices is to conduct penetration tests, which are means of verifying the level of security of an IoT system. However, there are not many frameworks specific for the IoT realm. This research adds to the collection of penetration testing frameworks, by creating a workprogram, specifically targeted to testing IoT devices with the ZigBee protocol. To achieve this goal, IoT security experts are interviewed and available penetration testing workprograms examined. The ZigBee protocol, which is one of the widespread IoT protocols, is analyzed for potential vulnerabilities and attack vectors, by hands-on assessment of a smart light bulb system and the ZigBee network. The final product of the research is an open source workprogram, which will standardize the process of conducting IoT penetration tests in both corporate and small businesses. It contains six steps, which include formal, mandatory steps, ZigBee protocol analysis and optionally hardware and firmware analysis.