Large-Scale (Semi-)Automated Security Assessment of Consumer IoT Devices -- A Roadmap
Pascal Schöttle, Matthias Janetschek, Florian Merkle, Martin Nocker, Christoph Egger
TL;DR
The paper addresses the lack of scalable security assessment for consumer IoT devices and the associated risk to users and infrastructure. It proposes a roadmap built on model-based testing (MBT) and machine learning to automate test generation, device modeling, and result interpretation, enabling repeatable and objective security evaluations. Core contributions include a MBT-driven security assessment process, a device (meta) model, testing profiles, a growing test case catalog, and a focus on machine-readable artifacts to drive automation. The work aims to support scalable certification and informed consumer choice, ultimately incentivizing manufacturers to adopt security-by-design practices in a heterogeneous and rapidly evolving IoT landscape.
Abstract
The Internet of Things (IoT) has rapidly expanded across various sectors, with consumer IoT devices - such as smart thermostats and security cameras - experiencing growth. Although these devices improve efficiency and promise additional comfort, they also introduce new security challenges. Common and easy-to-explore vulnerabilities make IoT devices prime targets for malicious actors. Upcoming mandatory security certifications offer a promising way to mitigate these risks by enforcing best practices and providing transparency. Regulatory bodies are developing IoT security frameworks, but a universal standard for large-scale systematic security assessment is lacking. Existing manual testing approaches are expensive, limiting their efficacy in the diverse and rapidly evolving IoT domain. This paper reviews current IoT security challenges and assessment efforts, identifies gaps, and proposes a roadmap for scalable, automated security assessment, leveraging a model-based testing approach and machine learning techniques to strengthen consumer IoT security.