Methodology for Vulnerability Assessment in WSNs Using CVSS and NIST SP 800-30
DOI: https://doi.org/10.56294/dm2025836
Keywords: Wireless Sensor Networks, vulnerability assessment, penetration testing, risk assessment, cybersecurity
Abstract
Wireless Sensor Networks (WSNs) play a vital role in applications where protecting data is critical. This study presents a six-step methodology for performing intrusive security audits on IEEE 802.15.4-based WSNs, focusing on identifying and evaluating vulnerabilities that compromise confidentiality, integrity, and availability. The approach combines the Offensive Security framework, the NIST SP 800-30 risk assessment guidelines, and the CVSS scoring system to quantify vulnerabilities. Two experimental setups were used: one with temperature sensors, and another with both temperature and CO₂ sensors. Attacks including sniffing, spoofing, data tampering, and denial-of-service were executed using ZBOSS Sniffer, Wireshark, and a Zigbee CC emulator. Key vulnerabilities involved network tracking, unauthorized data interception, and manipulation of traffic flows. Results showed that sniffing was the most effective technique, achieving the highest CVSS scores, particularly in the dual-sensor scenario. The methodology proved effective in uncovering security weaknesses and highlights the need for tailored mitigation strategies (e.g., stronger commissioning, authenticated encryption, and anomaly detection) to improve WSN resilience.
License
Copyright (c) 2025 Fabián Cuzme-Rodríguez, Kevin Oñate-Pozo, Henry Farinango-Endara, Luis Suárez-Zambrano, Edgar Jaramillo-Vinueza, Jorge Benalcázar-Gómez (Author)

This work is licensed under a Creative Commons Attribution 4.0 International License.
The article is distributed under the Creative Commons Attribution 4.0 License. Unless otherwise stated, associated published material is distributed under the same licence.
