TY - GEN
T1 - Ethical hacking for boosting IoT vulnerability management
T2 - 8th International Conference on Telecommunications and Remote Sensing, ICTRS 2019
AU - Ding, Aaron Yi
AU - De Jesus, Gianluca Limon
AU - Janssen, Marijn
N1 - Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
PY - 2019
Y1 - 2019
AB - The security of the Internet of Things (IoT) has attracted much attention due to the growing number of IoT-oriented security incidents. Exploited IoT hardware and software vulnerabilities affect many companies and individuals. Since the causes of vulnerabilities go beyond purely technical measures, there is a pressing need to demystify the IoT "security complex" and to develop practical guidelines for companies, consumers, and regulators. In this paper, we present an initial study of an unexplored sphere in IoT by illuminating the potential of crowdsourced ethical hacking approaches for enhancing IoT vulnerability management. We focus on Bug Bounty Programs (BBP) and Responsible Disclosure (RD), which stimulate hackers to report vulnerabilities in exchange for monetary rewards. We carried out a qualitative investigation, supported by a literature survey and expert interviews, to explore how BBP and RD can facilitate the practice of identifying, classifying, prioritizing, remediating, and mitigating IoT vulnerabilities in an effective and cost-efficient manner. Besides deriving tangible guidelines for IoT stakeholders, our study also sheds light on a systematic integration path for combining BBP and RD with existing security practices (e.g., penetration testing) to further boost overall IoT security.
KW - Bug Bounty Programs
KW - Ethical Hacking
KW - IoT Security
KW - Responsible Disclosure
KW - Vulnerability Management
UR - http://www.scopus.com/inward/record.url?scp=85073204446&partnerID=8YFLogxK
U2 - 10.1145/3357767.3357774
DO - 10.1145/3357767.3357774
M3 - Conference contribution
T3 - ACM International Conference Proceeding Series
SP - 49
EP - 55
BT - ICTRS 2019 - Proceedings of the 8th International Conference on Telecommunications and Remote Sensing
A2 - Lazarov, Andon
A2 - Shishkov, Boris
A2 - Mitrakos, Dimitris
A2 - Janssen, Marijn
PB - Association for Computing Machinery (ACM)
Y2 - 16 September 2019 through 17 September 2019
ER -