Attackers may attempt to exploit Internet of Things (IoT) devices both to operate them unduly and to gather the personal data of their legitimate owners. Vulnerability Assessment and Penetration Testing (VAPT) sessions help to verify the effectiveness of the adopted security measures. However, VAPT over IoT devices, namely VAPT targeted at IoT devices, is an open research challenge due to the variety of target technologies and to the creativity it may require. Therefore, this article aims at guiding penetration testers to conduct VAPT sessions over IoT devices by means of a new cyber Kill Chain (KC) termed PETIoT. Several practical applications of PETIoT confirm that it is general, while its main novelty lies in the combination of attack and defence steps. PETIoT is demonstrated on a relevant example, the best-selling IP camera on Amazon Italy, the TAPO C200 by TP-Link, assuming an attacker who sits on the same network as the device in order to assess all the network interfaces of the device. Additional knowledge is generated in terms of three zero-day vulnerabilities found and practically exploited on the camera, one with High severity and the other two with Medium severity according to the CVSS standard. These are camera Denial of Service (DoS), motion detection breach and video stream breach. The application of PETIoT culminates with the proof-of-concept of a home-made fix, based on an inexpensive Raspberry Pi 4 Model B device, for the last vulnerability. Ultimately, our responsible disclosure to the camera vendor led to the release of a firmware update that fixes all found vulnerabilities, confirming that PETIoT has valid impact in real-world scenarios.