Ethical Hacking for IoT Security: A First Look into Bug Bounty Programs and Responsible Disclosure

09/24/2019
by Aaron Yi Ding, et al.

The security of the Internet of Things (IoT) has attracted much attention due to the growing number of IoT-oriented security incidents. IoT hardware and software security vulnerabilities are exploited, affecting many companies and persons. Since the causes of vulnerabilities go beyond pure technical measures, there is a pressing demand nowadays to demystify the IoT "security complex" and develop practical guidelines for companies, consumers, and regulators. In this paper, we present an initial study targeting an unexplored sphere in IoT by illuminating the potential of crowdsourced ethical hacking approaches for enhancing IoT vulnerability management. We focus on Bug Bounty Programs (BBP) and Responsible Disclosure (RD), which stimulate hackers to report vulnerabilities in exchange for monetary rewards. We carried out a qualitative investigation supported by a literature survey and expert interviews to explore how BBP and RD can facilitate the practice of identifying, classifying, prioritizing, remediating, and mitigating IoT vulnerabilities in an effective and cost-efficient manner. Besides deriving tangible guidelines for IoT stakeholders, our study also sheds light on a systematic integration path to combine BBP and RD with existing security practices (e.g., penetration tests) to further boost overall IoT security.
