1396 Interactive IoT Security Tools

1396.1 Interactive Security Assessment Tools

This chapter provides interactive tools for assessing IoT security risks and understanding attack surfaces.

Interactive Tool: IoT Security Risk Calculator

This interactive calculator uses the DREAD methodology (Damage, Reproducibility, Exploitability, Affected users, Discoverability) to assess security risk for IoT devices. It evaluates four threat categories based on device characteristics you specify.

How to use this tool:

Adjust the device characteristics sliders below
Observe how risk scores change for each threat category
Review the overall risk level and mitigation recommendations
Experiment with different configurations to understand risk factors

Learning objective: Understand how device design choices (connectivity, update capability, data sensitivity) directly impact security risk.

Show code

viewof connectivity = Inputs.select(
  ["None", "Local (Bluetooth/Zigbee)", "Wi-Fi", "Cellular", "Internet-Exposed"],
  {label: "Network Connectivity", value: "Wi-Fi"}
)

viewof dataSensitivity = Inputs.range(
  [1, 10],
  {label: "Data Sensitivity (1=Low, 10=Critical)", step: 1, value: 5}
)

viewof updateCapability = Inputs.select(
  ["No Updates", "Manual Updates", "Automatic Updates", "Automatic + Rollback"],
  {label: "Update Capability", value: "Manual Updates"}
)

viewof physicalAccess = Inputs.select(
  ["Controlled (Secure Facility)", "Semi-Controlled (Office)", "Public (Street/Store)"],
  {label: "Physical Access", value: "Semi-Controlled (Office)"}
)

viewof authStrength = Inputs.range(
  [1, 10],
  {label: "Authentication Strength (1=Default Password, 10=MFA+Biometric)", step: 1, value: 5}
)

viewof deploymentScale = Inputs.range(
  [1, 10000],
  {label: "Number of Devices Deployed", step: 1, value: 100}
)

Show code

function calculatePhysicalRisk() {
  let damage = physicalAccess === "Public (Street/Store)" ? 8 :
               physicalAccess === "Semi-Controlled (Office)" ? 5 : 2;
  let reproducibility = 7;
  let exploitability = physicalAccess === "Controlled (Secure Facility)" ? 2 :
                       physicalAccess === "Semi-Controlled (Office)" ? 5 : 8;
  let affectedUsers = Math.min(10, Math.ceil(deploymentScale / 1000));
  let discoverability = physicalAccess === "Public (Street/Store)" ? 9 : 4;

  return {
    damage,
    reproducibility,
    exploitability,
    affectedUsers,
    discoverability,
    total: (damage + reproducibility + exploitability + affectedUsers + discoverability) / 5
  };
}

function calculateNetworkRisk() {
  let connectivityScore = connectivity === "None" ? 0 :
                         connectivity === "Local (Bluetooth/Zigbee)" ? 3 :
                         connectivity === "Wi-Fi" ? 6 :
                         connectivity === "Cellular" ? 5 :
                         connectivity === "Internet-Exposed" ? 10 : 0;

  let damage = Math.min(10, connectivityScore + Math.ceil(dataSensitivity / 2));
  let reproducibility = connectivityScore > 5 ? 9 : 6;
  let exploitability = connectivityScore === 10 ? 9 :
                       connectivityScore > 5 ? 7 : 4;
  let affectedUsers = Math.min(10, Math.ceil(deploymentScale / 500));
  let discoverability = connectivityScore === 10 ? 10 : connectivityScore > 5 ? 7 : 3;

  return {
    damage,
    reproducibility,
    exploitability,
    affectedUsers,
    discoverability,
    total: (damage + reproducibility + exploitability + affectedUsers + discoverability) / 5
  };
}

function calculateSoftwareRisk() {
  let updateScore = updateCapability === "No Updates" ? 10 :
                   updateCapability === "Manual Updates" ? 7 :
                   updateCapability === "Automatic Updates" ? 4 :
                   updateCapability === "Automatic + Rollback" ? 2 : 10;

  let damage = Math.min(10, updateScore + Math.ceil((10 - authStrength) / 2));
  let reproducibility = updateScore > 7 ? 9 : 6;
  let exploitability = Math.min(10, updateScore + Math.ceil((10 - authStrength) / 3));
  let affectedUsers = Math.min(10, Math.ceil(deploymentScale / 300));
  let discoverability = 8;

  return {
    damage,
    reproducibility,
    exploitability,
    affectedUsers,
    discoverability,
    total: (damage + reproducibility + exploitability + affectedUsers + discoverability) / 5
  };
}

function calculateDataRisk() {
  let damage = dataSensitivity;
  let reproducibility = 8;
  let exploitability = Math.min(10, Math.ceil((10 - authStrength) * 1.2));
  let affectedUsers = Math.min(10, Math.max(dataSensitivity, Math.ceil(deploymentScale / 200)));
  let discoverability = dataSensitivity > 7 ? 9 : 6;

  return {
    damage,
    reproducibility,
    exploitability,
    affectedUsers,
    discoverability,
    total: (damage + reproducibility + exploitability + affectedUsers + discoverability) / 5
  };
}

// Calculate all risks
physicalRisk = calculatePhysicalRisk()
networkRisk = calculateNetworkRisk()
softwareRisk = calculateSoftwareRisk()
dataRisk = calculateDataRisk()

// Overall risk score (weighted average)
overallRisk = (
  physicalRisk.total * 0.2 +
  networkRisk.total * 0.3 +
  softwareRisk.total * 0.3 +
  dataRisk.total * 0.2
)

// Risk level classification
riskLevel = overallRisk < 3 ? "Low" :
            overallRisk < 5 ? "Medium" :
            overallRisk < 7 ? "High" : "Critical"

riskColor = overallRisk < 3 ? "#27ae60" :
            overallRisk < 5 ? "#f39c12" :
            overallRisk < 7 ? "#e67e22" :
            "#e74c3c"

Show code

// Display Overall Risk Level
html`
<div style="text-align: center; margin: 20px 0; padding: 20px; background: ${riskColor}; color: white; border-radius: 10px; box-shadow: 0 4px 6px rgba(0,0,0,0.1);">
  <div style="font-size: 24px; font-weight: bold;">Overall Risk Level: ${riskLevel}</div>
  <div style="font-size: 48px; font-weight: bold; margin: 10px 0;">${overallRisk.toFixed(1)}<span style="font-size: 24px;">/10</span></div>
  <div style="font-size: 14px; opacity: 0.9;">Based on DREAD methodology across 4 threat categories</div>
</div>
`

Show code

// DREAD Score Breakdown Table
html`
<table style="width: 100%; border-collapse: collapse; margin: 20px 0; box-shadow: 0 2px 4px rgba(0,0,0,0.1);">
  <thead>
    <tr style="background: #2C3E50; color: white;">
      <th style="padding: 12px; text-align: left; border: 1px solid #34495e;">Threat Category</th>
      <th style="padding: 12px; text-align: center; border: 1px solid #34495e;">Damage</th>
      <th style="padding: 12px; text-align: center; border: 1px solid #34495e;">Reproducibility</th>
      <th style="padding: 12px; text-align: center; border: 1px solid #34495e;">Exploitability</th>
      <th style="padding: 12px; text-align: center; border: 1px solid #34495e;">Affected Users</th>
      <th style="padding: 12px; text-align: center; border: 1px solid #34495e;">Discoverability</th>
      <th style="padding: 12px; text-align: center; border: 1px solid #34495e; background: #16A085;"><strong>Total Risk</strong></th>
    </tr>
  </thead>
  <tbody>
    ${[
      {name: "Physical Threats", risk: physicalRisk, desc: "Tampering, theft, hardware extraction"},
      {name: "Network Threats", risk: networkRisk, desc: "MITM, DDoS, eavesdropping, botnet"},
      {name: "Software Threats", risk: softwareRisk, desc: "Malware, firmware tampering, injection"},
      {name: "Data Threats", risk: dataRisk, desc: "Breaches, privacy violations, exfiltration"}
    ].map(cat => {
      const rowColor = cat.risk.total < 3 ? "#d5f4e6" :
                      cat.risk.total < 5 ? "#fef5e7" :
                      cat.risk.total < 7 ? "#fadbd8" : "#f5b7b1";
      return `
        <tr style="background: ${rowColor}; border-bottom: 1px solid #ddd;">
          <td style="padding: 12px; border: 1px solid #ddd;">
            <strong>${cat.name}</strong><br/>
            <span style="font-size: 12px; color: #555;">${cat.desc}</span>
          </td>
          <td style="padding: 12px; text-align: center; border: 1px solid #ddd;">${cat.risk.damage}</td>
          <td style="padding: 12px; text-align: center; border: 1px solid #ddd;">${cat.risk.reproducibility}</td>
          <td style="padding: 12px; text-align: center; border: 1px solid #ddd;">${cat.risk.exploitability}</td>
          <td style="padding: 12px; text-align: center; border: 1px solid #ddd;">${cat.risk.affectedUsers}</td>
          <td style="padding: 12px; text-align: center; border: 1px solid #ddd;">${cat.risk.discoverability}</td>
          <td style="padding: 12px; text-align: center; border: 1px solid #ddd; font-weight: bold; font-size: 16px;">
            ${cat.risk.total.toFixed(1)}
          </td>
        </tr>
      `;
    }).join('')}
  </tbody>
</table>

<div style="font-size: 12px; color: #666; margin-top: 10px;">
  <strong>DREAD Scale:</strong> Each factor scored 1-10, where 10 = highest risk. Total Risk = average of 5 factors.
</div>
`

Show code

recommendations = {
  const recs = [];

  if (physicalRisk.total > 5) {
    recs.push({
      category: "Physical Security",
      priority: "HIGH",
      recommendation: "Deploy tamper-evident seals, secure mounting hardware, and physical access logging.",
      reason: `Physical access risk is ${physicalRisk.total.toFixed(1)}/10 due to ${physicalAccess.toLowerCase()} deployment.`
    });
  }

  if (networkRisk.total > 5) {
    recs.push({
      category: "Network Security",
      priority: "CRITICAL",
      recommendation: "Implement network segmentation, deploy TLS/DTLS, enable mutual authentication.",
      reason: `Network risk is ${networkRisk.total.toFixed(1)}/10 with ${connectivity} connectivity.`
    });
  }

  if (softwareRisk.total > 5) {
    recs.push({
      category: "Software Updates",
      priority: "CRITICAL",
      recommendation: "Enable automatic security updates with signed firmware verification.",
      reason: `Software risk is ${softwareRisk.total.toFixed(1)}/10 with current update capability: ${updateCapability}.`
    });
  }

  if (authStrength < 6) {
    recs.push({
      category: "Authentication",
      priority: "CRITICAL",
      recommendation: "Eliminate default credentials, implement certificate-based authentication.",
      reason: `Authentication strength is only ${authStrength}/10.`
    });
  }

  if (dataRisk.total > 5) {
    recs.push({
      category: "Data Protection",
      priority: "HIGH",
      recommendation: "Encrypt data at rest (AES-256) and in transit (TLS 1.3).",
      reason: `Data risk is ${dataRisk.total.toFixed(1)}/10 with sensitivity level ${dataSensitivity}/10.`
    });
  }

  if (connectivity === "Internet-Exposed") {
    recs.push({
      category: "Internet Exposure",
      priority: "CRITICAL",
      recommendation: "Never expose devices directly to internet - use VPN gateway or reverse proxy with WAF.",
      reason: "Internet-exposed devices are scanned by automated bots within minutes of deployment."
    });
  }

  if (overallRisk < 3) {
    recs.push({
      category: "Security Posture",
      priority: "INFO",
      recommendation: "Your configuration demonstrates strong security practices. Maintain current controls.",
      reason: `Overall risk is ${overallRisk.toFixed(1)}/10 (Low).`
    });
  }

  return recs;
}

html`
<div style="margin: 20px 0;">
  <h3 style="color: #2C3E50; border-bottom: 2px solid #16A085; padding-bottom: 10px;">
    Mitigation Recommendations (${recommendations.length})
  </h3>
  ${recommendations.map((rec, idx) => {
    const priorityColor = rec.priority === "CRITICAL" ? "#e74c3c" :
                         rec.priority === "HIGH" ? "#e67e22" :
                         rec.priority === "MEDIUM" ? "#f39c12" : "#3498db";
    return `
      <div style="margin: 15px 0; padding: 15px; background: #f8f9fa; border-left: 4px solid ${priorityColor}; border-radius: 4px;">
        <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 8px;">
          <strong style="color: #2C3E50; font-size: 16px;">${idx + 1}. ${rec.category}</strong>
          <span style="background: ${priorityColor}; color: white; padding: 4px 12px; border-radius: 12px; font-size: 12px; font-weight: bold;">
            ${rec.priority}
          </span>
        </div>
        <div style="color: #555; margin-bottom: 8px; font-style: italic; font-size: 14px;">
          ${rec.reason}
        </div>
        <div style="color: #333; line-height: 1.6;">
          <strong>Action:</strong> ${rec.recommendation}
        </div>
      </div>
    `;
  }).join('')}
</div>
`

Show code

html`
<div style="margin: 20px 0; padding: 20px; background: #eaf6f6; border: 2px solid #16A085; border-radius: 8px;">
  <h4 style="color: #2C3E50; margin-top: 0;">Understanding DREAD Methodology</h4>
  <ul style="line-height: 1.8; color: #333;">
    <li><strong>Damage (D):</strong> How severe is the harm if exploited? (1=minimal, 10=complete compromise)</li>
    <li><strong>Reproducibility (R):</strong> How easy to reproduce? (1=difficult, 10=works every time)</li>
    <li><strong>Exploitability (E):</strong> What skill/resources needed? (1=nation-state, 10=script kiddie)</li>
    <li><strong>Affected Users (A):</strong> How many impacted? (1=single user, 10=all users)</li>
    <li><strong>Discoverability (D):</strong> How easy to find? (1=requires audit, 10=Shodan visible)</li>
  </ul>
  <p style="line-height: 1.8; color: #333; margin-bottom: 0;">
    <strong>Try this:</strong> Set "Network Connectivity" to "Internet-Exposed", "Authentication Strength" to 1, and "Update Capability" to "No Updates". This mirrors vulnerable Mirai botnet devices.
  </p>
</div>
`

Interactive: Attack Surface Visualizer

This tool visualizes the attack surface of a typical IoT system. Select each component to explore common attacks, risk levels, and mitigation strategies.

Show code

viewof selectedComponent2 = Inputs.radio(
  ["device", "gateway", "network", "cloud", "mobile"],
  {
    label: "Select Component to Analyze:",
    value: "device",
    format: x => ({
      device: "Device/Sensor",
      gateway: "Gateway",
      network: "Network",
      cloud: "Cloud",
      mobile: "Mobile App"
    }[x])
  }
)

Show code

componentData2 = ({
  device: {
    name: "Device/Sensor",
    color: "#2C3E50",
    riskLevel: 8,
    description: "Physical IoT devices deployed in the field",
    attacks: [
      { name: "Firmware Tampering", severity: "Critical" },
      { name: "JTAG/Debug Port Access", severity: "Critical" },
      { name: "Side-Channel Attacks", severity: "High" },
      { name: "Hardware Cloning", severity: "High" },
      { name: "Sensor Spoofing", severity: "Medium" }
    ],
    mitigations: [
      "Disable JTAG/debug ports in production",
      "Use secure boot with signed firmware",
      "Implement hardware security modules (HSM)",
      "Deploy tamper-evident enclosures"
    ]
  },
  gateway: {
    name: "Gateway",
    color: "#16A085",
    riskLevel: 7,
    description: "Edge gateway bridging devices to cloud",
    attacks: [
      { name: "Gateway Compromise", severity: "Critical" },
      { name: "Protocol Downgrade", severity: "High" },
      { name: "Credential Theft", severity: "High" },
      { name: "Log Manipulation", severity: "Medium" }
    ],
    mitigations: [
      "Implement OS hardening",
      "Enable secure boot",
      "Use encrypted credential storage",
      "Deploy intrusion detection"
    ]
  },
  network: {
    name: "Network",
    color: "#E67E22",
    riskLevel: 9,
    description: "Communication layer (Wi-Fi, cellular, LPWAN)",
    attacks: [
      { name: "Man-in-the-Middle", severity: "Critical" },
      { name: "Replay Attacks", severity: "Critical" },
      { name: "DDoS Attacks", severity: "Critical" },
      { name: "Eavesdropping", severity: "High" }
    ],
    mitigations: [
      "Enforce TLS 1.3 / DTLS",
      "Implement mutual TLS (mTLS)",
      "Use VPN for exposed devices",
      "Deploy network segmentation"
    ]
  },
  cloud: {
    name: "Cloud",
    color: "#3498DB",
    riskLevel: 8,
    description: "Cloud platform storing data and APIs",
    attacks: [
      { name: "API Exploitation", severity: "Critical" },
      { name: "Data Breach", severity: "Critical" },
      { name: "Account Takeover", severity: "Critical" },
      { name: "Misconfigured Storage", severity: "High" }
    ],
    mitigations: [
      "Implement WAF and rate limiting",
      "Enable MFA for admin accounts",
      "Encrypt data at rest",
      "Deploy CSPM tools"
    ]
  },
  mobile: {
    name: "Mobile App",
    color: "#9B59B6",
    riskLevel: 6,
    description: "Smartphone app for device control",
    attacks: [
      { name: "Reverse Engineering", severity: "High" },
      { name: "Insecure Storage", severity: "High" },
      { name: "Hardcoded Credentials", severity: "Critical" },
      { name: "Weak Authentication", severity: "High" }
    ],
    mitigations: [
      "Use code obfuscation",
      "Store secrets in OS keychain",
      "Implement certificate pinning",
      "Never hardcode credentials"
    ]
  }
})

currentComponent2 = componentData2[selectedComponent2]

Show code

{
  const riskBgColor = currentComponent2.riskLevel >= 8 ? "#fadbd8" :
                      currentComponent2.riskLevel >= 6 ? "#fdebd0" : "#fcf3cf";
  const riskTextColor = currentComponent2.riskLevel >= 8 ? "#e74c3c" :
                        currentComponent2.riskLevel >= 6 ? "#e67e22" : "#f39c12";

  return html`
    <div style="margin: 20px 0; padding: 20px; background: white; border-radius: 8px; box-shadow: 0 2px 8px rgba(0,0,0,0.1); border-left: 5px solid ${currentComponent2.color};">
      <div style="display: flex; justify-content: space-between; align-items: center; margin-bottom: 15px;">
        <div>
          <h3 style="margin: 0; color: ${currentComponent2.color};">${currentComponent2.name}</h3>
          <p style="margin: 5px 0 0 0; color: #666; font-size: 14px;">${currentComponent2.description}</p>
        </div>
        <div style="text-align: center; padding: 10px 20px; background: ${riskBgColor}; border-radius: 8px;">
          <div style="font-size: 28px; font-weight: bold; color: ${riskTextColor};">${currentComponent2.riskLevel}/10</div>
          <div style="font-size: 12px; color: ${riskTextColor}; font-weight: bold;">RISK</div>
        </div>
      </div>

      <h4 style="color: #2C3E50; border-bottom: 2px solid #e74c3c; padding-bottom: 8px;">Common Attacks</h4>
      <div style="display: grid; gap: 10px;">
        ${currentComponent2.attacks.map(attack => {
          const sevColor = attack.severity === "Critical" ? "#e74c3c" :
                          attack.severity === "High" ? "#e67e22" : "#f39c12";
          return `
            <div style="padding: 10px; background: #f8f9fa; border-radius: 6px; border-left: 4px solid ${sevColor};">
              <strong style="color: #2C3E50;">${attack.name}</strong>
              <span style="background: ${sevColor}; color: white; padding: 2px 8px; border-radius: 10px; font-size: 11px; margin-left: 10px;">${attack.severity}</span>
            </div>
          `;
        }).join('')}
      </div>

      <h4 style="color: #2C3E50; border-bottom: 2px solid #16A085; padding-bottom: 8px; margin-top: 20px;">Mitigations</h4>
      <ul style="margin: 10px 0; padding-left: 25px;">
        ${currentComponent2.mitigations.map(m => `
          <li style="margin: 8px 0; color: #333;">
            <span style="color: #16A085; font-weight: bold;">&#10003;</span> ${m}
          </li>
        `).join('')}
      </ul>
    </div>
  `;
}

1396.2 CVSS Score Calculator

Learning Guide: Vulnerability Categories

Understanding how to categorize vulnerabilities helps prioritize remediation efforts:

Category	CVSS Range	Response Time	Example
Critical	9.0 - 10.0	Immediate (24-48 hours)	Remote code execution, default credentials
High	7.0 - 8.9	Urgent (1 week)	SQL injection, privilege escalation
Medium	4.0 - 6.9	Standard (30 days)	XSS, information disclosure
Low	0.1 - 3.9	Scheduled (90 days)	Minor information leak

CVSS Components:

Attack Vector (AV): Network, Adjacent, Local, Physical
Attack Complexity (AC): Low, High
Privileges Required (PR): None, Low, High
User Interaction (UI): None, Required
Impact (C/I/A): None, Low, High for Confidentiality, Integrity, Availability

1396.3 What’s Next

Now that you’ve explored interactive security tools, continue to:

Worked Examples - Study detailed threat modeling case studies
Visual Reference Gallery - Review security diagrams and attack visualizations
Practice Exercises - Apply your knowledge with hands-on exercises