Abstract

IoT is an emerging field exploding with new products and innovation. The security of IoT products is still lagging behind for various reasons. One of the important reasons from security researcher’s perspective is the availability of security tools. If you have been pentesting IoT products, you would agree that there are too many different tools required for the job and there is no single silver bullet. And when it comes to Smart Infrastructure, we do not have any existing solutions similar to IT penetration testing tools. We started looking at the learning curve and tools required for IoT security research and decided to create a framework that will enable the research community to speed up their research and pentesting effort. Meet expliot (pronounced - explaayotee) an open source IoT security testing and exploitation framework, right now in Beta phase, it will provide the building block for writing exploits and other IoT security assessment test cases with ease by making it simple for security researchers to create and execute simple to complex mis-use cases using the framework. The objective of the framework is:
Simplicity - Ease of use
Extendability - Easy to extend
Coverage - Cover most of the IoT attack surface

Expliot currently has a few recon test cases to aid pentesting. The aim of the project is to have a single framework provide multiple functionality including interfaces for IoT protocols like coAP, MQTT etc, radio protocols like BLE, Zigbee etc, hardware protocols like JTAG, I2C, SPI etc, firmware analysis.