1395  IoT Security Practice Exercises

1395.1 Practice Exercises

Apply your knowledge of IoT threats and vulnerabilities with these hands-on exercises.

Objective: Learn to identify threat actors, understand their motivations, and design appropriate defenses for different attacker profiles.

Scenario: You're deploying a smart building system with 500 IoT devices controlling HVAC, lighting, and access control.

Tasks:

  1. Identify potential threat actors for this deployment using the threat actor classification (script kiddies, cybercriminals, hacktivists, insiders, nation-states)
  2. Analyze capabilities and motivations: For each threat actor, determine what they might target and why
  3. Map attack vectors: Identify which attack vectors each threat actor would likely use (network, physical, web/API, firmware, side-channel)
  4. Design layered defenses: Create a defense strategy that addresses the top 3 most likely threat actors

Expected Outcome: A threat assessment document identifying:

  • 3-5 relevant threat actors with capability scores (1-5)
  • Attack scenarios for each actor
  • Prioritized mitigation controls (e.g., "Deploy network segmentation to prevent lateral movement from compromised HVAC controller to access control system")

Practical Application: Understanding threat actors helps you allocate security budget appropriately: defending against nation-states requires different investments than defending against script kiddies.

Objective: Apply the STRIDE framework to systematically identify threats in an IoT system.

Scenario: Smart door lock system with: mobile app -> cloud API -> Wi-Fi router -> smart lock device

Tasks:

  1. Draw a data flow diagram showing all components and communication paths
  2. Apply STRIDE to each component:
    • Spoofing: Can attacker impersonate mobile app, cloud server, or lock?
    • Tampering: Can unlock commands, firmware, or stored keys be modified?
    • Repudiation: Can users deny unlocking the door? Is there an audit trail?
    • Information Disclosure: Can unlock codes, Wi-Fi credentials, or user data leak?
    • Denial of Service: Can attacker prevent legitimate users from unlocking?
    • Elevation of Privilege: Can guest user gain admin access?
  3. Document 10+ threats (at least one per STRIDE category plus duplicates)
  4. Prioritize using DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability)
  5. Recommend mitigations for the top 5 highest-risk threats

Expected Outcome: Threat model document with:

  • Data flow diagram
  • Threat table with STRIDE category, description, DREAD score, and mitigation
  • Top 5 priority threats with detailed mitigation plans

Example Threat:

  • Category: Tampering (Replay Attack)
  • Description: Attacker captures "unlock" Wi-Fi command and replays it 3 hours later
  • DREAD Score: 8/10 (High damage, easy reproducibility, medium exploitability, high affected users, high discoverability)
  • Mitigation: Add timestamp + nonce to unlock commands; reject commands >30 seconds old
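The example threat above calls for a timestamp plus nonce on unlock commands. The following Python sketch is an added illustration, not part of the original exercise material, of what the lock-side check looks like: the app signs each command with an HMAC over the action, timestamp and nonce under a shared pairing key (a constructed value here), and the lock rejects commands whose MAC does not verify (tampering), whose timestamp is more than 30 seconds off (the 3-hour replay), or whose nonce it has already accepted (an immediate replay inside the window, which the timestamp alone would not catch). The key value, the message layout and the 30 s window are assumptions of the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Shared secret provisioned to the app and the lock at pairing time (constructed value for this example).
SHARED_KEY = b"example-pairing-key-not-for-production"
MAX_AGE_SECONDS = 30  # the "reject commands >30 seconds old" rule from the mitigation


def build_unlock_command(key: bytes, now: Optional[float] = None) -> dict:
    """App side: sign an unlock command that carries a timestamp and a random nonce."""
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(16).hex()
    body = f"unlock|{ts}|{nonce}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"action": "unlock", "ts": ts, "nonce": nonce, "mac": tag}


class LockVerifier:
    """Lock side: accept a command only if it is authentic, fresh, and not seen before."""

    def __init__(self, key: bytes, max_age: int = MAX_AGE_SECONDS):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp of accepted commands inside the freshness window

    def verify(self, cmd: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        # 1. Authenticity (Tampering): recompute the MAC over the same fields, compare in constant time.
        body = f"{cmd['action']}|{cmd['ts']}|{cmd['nonce']}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cmd["mac"]):
            return False, "bad mac"
        # 2. Freshness: the capture replayed 3 hours later from the example threat fails here.
        if abs(now - cmd["ts"]) > self.max_age:
            return False, "stale"
        # 3. Uniqueness: a replay inside the 30 s window still has a valid MAC and a fresh
        #    timestamp, so only the nonce cache stops it.
        self._prune(now)
        if cmd["nonce"] in self.seen:
            return False, "replay"
        self.seen[cmd["nonce"]] = cmd["ts"]
        return True, "ok"

    def _prune(self, now: float) -> None:
        # Nonces older than the window can be forgotten: the freshness check rejects them anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}


if __name__ == "__main__":
    lock = LockVerifier(SHARED_KEY)
    cmd = build_unlock_command(SHARED_KEY)
    print("first delivery:", lock.verify(cmd))                                 # (True, 'ok')
    print("immediate replay:", lock.verify(cmd))                               # (False, 'replay')
    print("replay 3 h later:", lock.verify(cmd, now=time.time() + 3 * 3600))   # (False, 'stale')
```

The order of the checks matters: the MAC is verified first so that unauthenticated messages cannot probe or fill the nonce cache, and `hmac.compare_digest` avoids a timing side channel on the comparison. Because the cache only has to remember nonces inside the freshness window, its size stays bounded on a constrained device.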

Objective: Conduct a practical vulnerability assessment on an IoT device to identify security weaknesses.

Scenario: You have a smart camera that you want to test for vulnerabilities before deploying 100 units in your facility.

Tasks:

  1. Network scanning: Use nmap to identify open ports and services:

       nmap -sV -p- 192.168.1.100

     • Document all open ports (common IoT: 22-SSH, 23-Telnet, 80-HTTP, 443-HTTPS, 554-RTSP, 8080-Web)
     • Check for unnecessary services that should be disabled
  2. Default credential testing: Try common default passwords:
     • admin/admin, admin/password, root/root, admin/12345
     • Document if any work (CRITICAL vulnerability if yes)
  3. Firmware analysis: Download firmware and analyze:

       binwalk -e firmware.bin
       strings firmware.bin | grep -i "password\|key\|secret"

     • Look for hardcoded credentials, API keys, or encryption keys
     • Check if firmware is encrypted/obfuscated
  4. Web interface testing: Access device web interface:
     • Test for SQL injection: admin' OR '1'='1
     • Test for XSS: <script>alert('XSS')</script>
     • Check if HTTPS is enforced or if HTTP is allowed

Expected Outcome: Vulnerability assessment report with:

  • List of open ports and services (with risk ratings)
  • Default credentials test results
  • Hardcoded secrets found in firmware
  • Web vulnerabilities discovered
  • Risk score (1-10) and remediation recommendations

Safety Note: Only test devices you own. Unauthorized testing is illegal.
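Task 3's `strings ... | grep` step and the encrypted/obfuscated check can be scripted when there are many firmware images to triage. The Python below is an added example, not part of the exercise or of any vendor's tooling, and runs over a constructed byte blob rather than a real firmware image; the secret-name pattern and the 7.5 bits/byte entropy threshold are this example's choices.

```python
import math
import re
from typing import List, Tuple

# Constructed stand-in for a firmware image: a plaintext configuration area containing a
# hardcoded credential, followed by uniformly distributed bytes that mimic an encrypted or
# compressed section. Not a real product's firmware.
SAMPLE_FIRMWARE = (
    b"\x00" * 16
    + b"BOOT_VERSION=1.4.2\x00"
    + b"wifi_ssid=plant-cams\x00"
    + b"admin_password=changeme123\x00"
    + b"api_key=EXAMPLEKEY0001\x00"
    + b"rtsp_port=554\x00"
    + bytes(range(256)) * 4   # every byte value equally frequent: entropy of 8.0 bits/byte
)

# Names that usually sit next to a credential; the same idea as the grep for
# "password|key|secret" above, narrowed so that "rtsp_port" and similar do not match.
SECRET_PATTERN = re.compile(r"(password|passwd|secret|api_key|private_key|token)", re.I)


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Equivalent of `strings`: runs of printable ASCII of at least min_len bytes, with their offset."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_secret_candidates(data: bytes) -> List[Tuple[int, str]]:
    """Strings whose key name suggests a credential. The offset lets the analyst jump to the
    spot in a hex editor; manual review decides whether the value is live."""
    return [(off, s) for off, s in extract_strings(data) if SECRET_PATTERN.search(s)]


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte. Plaintext config sits around 4-5, encrypted or compressed data near 8."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, chunk_size: int = 256,
                         threshold: float = 7.5) -> List[Tuple[int, float]]:
    """Offsets of chunks whose entropy is at or above the threshold: likely encrypted/obfuscated,
    which answers the 'is the firmware encrypted?' question in task 3."""
    regions = []
    for off in range(0, len(data), chunk_size):
        e = shannon_entropy(data[off:off + chunk_size])
        if e >= threshold:
            regions.append((off, round(e, 2)))
    return regions


if __name__ == "__main__":
    for off, s in find_secret_candidates(SAMPLE_FIRMWARE):
        print(f"possible secret at 0x{off:x}: {s}")
    print("high-entropy chunks (offset, bits/byte):", high_entropy_regions(SAMPLE_FIRMWARE))
```

A fully encrypted image shows high entropy from the first chunk onward and yields almost no strings, which is itself a finding: it means the `binwalk -e` step will need the vendor's decryption scheme before any credential search is meaningful. A mix of low- and high-entropy regions, as in the sample, usually indicates a plaintext header or configuration partition next to a compressed root filesystem.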

Objective: Practice responding to a real-world IoT security incident using established incident response procedures.

Scenario: Your security monitoring detects unusual activity:

  • Smart sensor #42 (normally sends 10KB/hour) suddenly sends 10MB in 5 minutes
  • Traffic analysis shows sensor is communicating with unknown external IP 185.220.101.x (known botnet C&C server)
  • 50 other sensors are showing similar suspicious patterns

Tasks:

  1. Identification (5 minutes):
    • Confirm the incident is real (not false positive)
    • Classify severity: Low/Medium/High/Critical
    • Identify affected systems and data
  2. Containment (10 minutes):
    • Immediate: Network-isolate all 51 affected sensors (VLAN quarantine or firewall block)
    • Short-term: Disable sensor accounts/credentials to prevent further spread
    • Document all containment actions with timestamps
  3. Eradication (15 minutes):
    • Analyze one compromised sensor: what malware is running? How did it get there?
    • Identify root cause: Default password? Firmware vulnerability? Physical tampering?
    • Develop eradication plan: Firmware reflash? Password reset? Replace hardware?
  4. Recovery (10 minutes):
    • Restore sensors from clean firmware backup
    • Reset all credentials (unique per device)
    • Gradually return sensors to production with enhanced monitoring
  5. Lessons Learned (10 minutes):
    • Document timeline of events
    • Identify security control gaps that allowed compromise
    • Update security policies and implement new controls
    • Calculate cost of incident (downtime, labor, reputation)

Expected Outcome: Incident response report with:

  • Incident timeline (detection -> containment -> eradication -> recovery)
  • Root cause analysis (how did attacker compromise 51 sensors?)
  • Containment actions taken and their effectiveness
  • 5+ recommendations to prevent recurrence

Real-World Learning: This simulates the 2016 Mirai botnet incident. Understanding incident response procedures minimizes damage when (not if) breaches occur.
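The three indicators in the scenario above (volume far above baseline, contact with a known C&C range, the same pattern on many devices) can be checked mechanically as the first part of the Identification step, and the result feeds the Containment step directly. This Python triage is an added example, not part of the exercise: it runs over a constructed flow summary, treats the scenario's 185.220.101.x as a /24, uses the stated 10KB/hour baseline, and the 50x volume multiplier and the severity rule are assumptions chosen for the illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# The scenario gives the C&C address as 185.220.101.x; treating it as a /24 is this example's reading.
KNOWN_BAD_NETWORKS = [ipaddress.ip_network("185.220.101.0/24")]
BASELINE_BYTES_PER_HOUR = 10 * 1024  # "normally sends 10KB/hour"
WINDOW_MINUTES = 5
VOLUME_MULTIPLIER = 50  # flag a window carrying 50x its expected share of the hourly baseline (assumed)

# Constructed flow summary for one 5-minute window: (sensor_id, bytes_sent, destination_ip)
FLOWS: List[Tuple[str, int, str]] = [
    ("sensor-01", 900, "10.0.5.10"),                   # normal, talks to the internal collector
    ("sensor-42", 10 * 1024 * 1024, "185.220.101.7"),  # the sensor from the scenario
    ("sensor-43", 8 * 1024 * 1024, "185.220.101.9"),
    ("sensor-44", 700, "185.220.101.12"),              # low volume but contacting the C&C range
    ("sensor-45", 6 * 1024 * 1024, "10.0.5.10"),       # volume spike only, cause unknown
]

Finding = Tuple[str, str]  # (indicator kind, human-readable detail)


def is_known_bad(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_BAD_NETWORKS)


def volume_threshold() -> float:
    expected_per_window = BASELINE_BYTES_PER_HOUR * WINDOW_MINUTES / 60
    return expected_per_window * VOLUME_MULTIPLIER


def triage(flows) -> Dict[str, List[Finding]]:
    """Identification step: sensor -> independent indicators. Two indicators on the same device
    are what make the alert a confirmed incident rather than a false positive."""
    findings: Dict[str, List[Finding]] = defaultdict(list)
    threshold = volume_threshold()
    for sensor, nbytes, dst in flows:
        if nbytes > threshold:
            findings[sensor].append(("volume", f"{nbytes} B in {WINDOW_MINUTES} min, threshold {threshold:.0f} B"))
        if is_known_bad(dst):
            findings[sensor].append(("c2", f"destination {dst} is in a known C&C range"))
    return dict(findings)


def classify_severity(findings: Dict[str, List[Finding]]) -> str:
    """Severity rule used by this example: Critical when a device shows both indicators or more
    than five devices contact C&C; High for C&C contact alone; Medium for volume-only anomalies."""
    kinds = {s: {k for k, _ in f} for s, f in findings.items()}
    c2 = [s for s, k in kinds.items() if "c2" in k]
    both = [s for s, k in kinds.items() if {"volume", "c2"} <= k]
    if both or len(c2) > 5:
        return "Critical"
    if c2:
        return "High"
    return "Medium" if findings else "Low"


def quarantine_list(findings: Dict[str, List[Finding]]) -> List[str]:
    """Containment input: every sensor with a C&C contact goes to the quarantine VLAN."""
    return sorted(s for s, f in findings.items() if any(k == "c2" for k, _ in f))


if __name__ == "__main__":
    result = triage(FLOWS)
    print("severity:", classify_severity(result))      # Critical
    print("quarantine:", quarantine_list(result))      # ['sensor-42', 'sensor-43', 'sensor-44']
    for sensor, items in result.items():
        for kind, detail in items:
            print(f"  {sensor}: [{kind}] {detail}")
```

Keeping the two indicators separate is deliberate: a sensor that talks to the C&C range at low volume (sensor-44 above) is already compromised and belongs in quarantine, whereas a volume spike alone (sensor-45) may be a firmware update or a misconfiguration and is the case to verify before isolating, since pulling healthy sensors offline is itself a denial of service against the facility.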

Objective: Conduct a systematic security audit using the OWASP IoT Top 10 checklist.

Scenario: You're auditing a smart home hub device before recommending it for enterprise deployment.

Audit Checklist:

  #   | Vulnerability                          | Test Method                                                | Pass/Fail | Notes
  ----|----------------------------------------|------------------------------------------------------------|-----------|------
  I1  | Insufficient Security Configurability  | Check if password can be changed, complexity requirements  |           |
  I2  | Insecure Web Interface                 | Test for XSS, CSRF, session management issues              |           |
  I3  | Insufficient Authentication            | Try default credentials, check for MFA support             |           |
  I4  | Insecure Network Services              | Port scan, check for Telnet, unencrypted services          |           |
  I5  | Insecure Software/Firmware             | Check for update mechanism, verify signatures              |           |
  I6  | Hardware Limitations                   | Inspect for JTAG, UART, debug ports                        |           |
  I7  | Insecure Cloud Interface               | Test API authentication, check for credential exposure     |           |
  I8  | Unintended Device Usage                | Review privacy policy, data collection scope               |           |
  I9  | Privacy Concerns                       | Check what data is collected, where it's stored            |           |
  I10 | Insecure Default Settings              | Review factory defaults, UPnP status                       |           |

Deliverable: Complete audit report with findings, severity ratings, and remediation recommendations.

Objective: Design network segmentation for an IoT deployment using IEC 62443 zone principles.

Scenario: Manufacturing facility with:

  • 200 production sensors (temperature, pressure, flow)
  • 50 industrial cameras
  • 20 PLCs controlling machinery
  • 10 HMI workstations
  • Enterprise network with 500 employees

Tasks:

  1. Define zones based on security level requirements (SL1-SL4)
  2. Design conduits (controlled data flows between zones)
  3. Specify firewall rules for each zone boundary
  4. Plan monitoring for each zone

Expected Output:

  • Zone diagram with security levels
  • Firewall rule matrix
  • Monitoring strategy per zone
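A firewall rule matrix is easier to review when the zone/conduit design is written down in a form every proposed rule can be checked against. The Python below is an added example rather than part of the exercise: the zone split, the security level targets, the conduit list and the "do not cross more than one level in a single flow" heuristic are this example's assumptions for the scenario's facility, not requirements taken from IEC 62443.

```python
from dataclasses import dataclass
from typing import Dict, List

# Zones for the facility in the scenario. The zone split and the security level (SL) targets
# are this example's assumptions, not values from the exercise.
ZONES: Dict[str, int] = {
    "enterprise": 1,    # 500 employee workstations
    "idmz": 2,          # industrial DMZ relaying patches/historian data between IT and OT
    "supervisory": 3,   # 10 HMI workstations
    "field": 3,         # 200 sensors and 50 cameras
    "control": 4,       # 20 PLCs
}

# Conduits: the only zone pairs allowed to exchange traffic, with the services each may carry.
CONDUITS = {
    ("enterprise", "idmz"): {"https"},
    ("idmz", "supervisory"): {"historian"},
    ("supervisory", "control"): {"modbus", "s7comm"},
    ("field", "control"): {"modbus"},
    ("field", "supervisory"): {"rtsp"},   # cameras stream to the HMIs
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # "any" means an unrestricted allow


def review_rule(rule: Rule) -> List[str]:
    """Reasons a proposed firewall rule violates the zone/conduit design; empty list means it fits."""
    if rule.src_zone not in ZONES or rule.dst_zone not in ZONES:
        return ["unknown zone"]
    if rule.src_zone == rule.dst_zone:
        return []   # intra-zone traffic is governed by the zone's own controls, not by a conduit
    problems = []
    pair = (rule.src_zone, rule.dst_zone)
    allowed = CONDUITS.get(pair) or CONDUITS.get(pair[::-1])
    if allowed is None:
        problems.append(f"no conduit defined between {rule.src_zone} and {rule.dst_zone}")
    elif rule.service == "any":
        problems.append("conduit rules must name specific services, not 'any'")
    elif rule.service not in allowed:
        problems.append(f"service {rule.service} not permitted on this conduit (allowed: {sorted(allowed)})")
    # Design heuristic of this example: a flow that jumps more than one SL skips the controls
    # of the intermediate zone, so it should be broken into two conduits.
    if abs(ZONES[rule.src_zone] - ZONES[rule.dst_zone]) > 1:
        problems.append("crosses more than one security level; route through the intermediate zone")
    return problems


def review_matrix(rules: List[Rule]) -> Dict[int, List[str]]:
    """Index -> problems for every rule in a proposed matrix that needs rework."""
    report = {}
    for i, rule in enumerate(rules):
        problems = review_rule(rule)
        if problems:
            report[i] = problems
    return report


if __name__ == "__main__":
    proposed = [
        Rule("supervisory", "control", "modbus"),   # fits the design
        Rule("enterprise", "control", "any"),       # IT straight into the PLCs: two findings
        Rule("field", "supervisory", "ssh"),        # right conduit, wrong service
    ]
    for idx, problems in review_matrix(proposed).items():
        print(proposed[idx], "->", problems)
```

The same conduit table is the starting point for the monitoring plan: each conduit is a place to put a tap or span port, and any flow observed between two zones that have no conduit entry is by definition an alert, which is exactly the kind of lateral movement the exercise's scenario is designed to catch.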

1395.2 Additional Knowledge Checks

1395.3 What's Next

Now that you've practiced security exercises, continue to: