Heathen – IoT Pentesting Framework

Heathen Internet of Things Penetration Testing Framework developed as a research project, which automatically help developers and manufacturers build more secure products in the Internet of Things space based on the Open Web Application Security Project (OWASP). It provides a set of features in every fundamental era.

-Insecure Web Interface
-Insufficient Authentication/Authorization
-Insecure Network Services
-Lack of Transport Encryption
-Privacy Concerns
-Insecure Cloud Interface
-Insecure Mobile Interface
-Insufficient Security Configurability
-Insecure Software/Firmware
-Poor Physical Security

Getting Started with Heathen Framework:

Installation :

To start, just make sure that you got all the dependencies. If not, just run the script.
To Lunch Heathen IoT Pentesting Framework run

-Insecure Web Interface:

  • Now, you can scan all your web interfaces to ensure that any web interface in the product has been tested for XSS, SQLi and CSRF vulnerabilities


-Insecure Network Service:

  • Ensure all devices do not make network ports and/or services available to the internet via UPnP, for example


-Lack of Transport Encryption:

  • Ensure all communication between system components is encrypted as well as encrypting traffic between the system or device and the internet
  • Use recommended and accepted encryption practices and avoid proprietary protocols
  • Ensure SSL/TLS implementations are up to date and properly configured


 -Insecure Software/Firmware:

  • Ensure all system devices have update capability and can be updated quickly when vulnerabilities are discovered
  • Ensure update files are encrypted and that the files are also transmitted using encryption
  • Ensure that update files are signed and then validated by the device before installing
  • Ensure update servers are secure
  • Ensure the product has the ability to implement scheduled updates

Acknowledgments: Craig Smith – Daniel Miessler – Dirk Wetter -Justin Klein Keane – Yunsoul


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: