IOT Penetration Testing Services

Identify The Threat IOT Devices Pose To Your Organization

The proliferation of Internet of Things (IoT) devices and their entrenchment into every facet of our existence can be viewed as both a superb innovation and a security nightmare. Any one connected device can present numerous points of entry for bad actors.

Smart cars, smartphones, smart refrigerators, connected home devices…. the world essentially becomes one integrated information system aimed at improving the quality of life and driving new business models. Add to that the fact an increasing amount of personal and corporate information is stored in the cloud where it potentially interchanges with yet another multitude of devices and it just compounds the risks to your business.

As IoT-connected devices become an integral part of our daily personal and business lives, it is crucial these devices undergo thorough testing to mitigate risks to your environment.

Gartner, Inc. forecasts that connected things “… will reach 20.8 billion by 2020.”

How We Test IOT Devices

TBG has compiled a comprehensive Internet of Things (IOT) testing methodology based on OWASP to fully audit the security posture of any IOT device. When testing IOT devices TBG will take on the role of bad actors and attempt to subvert the security controls used by the manufacturer. We focus on identifying vulnerabilities threatening the confidentiality, integrity, and availability of the IOT device.

When performing an IOT penetration test, we look at the four possible attack vectors that a bad actor would be targeting.

Attacks against the device

Attacks against the Network

Attacks against the server(s)

Attacks against the wireless communication

Each of these attack vectors is explored to ensure proper security controls are in place to detect, mitigate, and properly audit access. Any one of these attack vectors could allow the leakage or alteration of confidential information.

Network

IOT devices communicate on many different types of communication channels such as public internet, 4G, 3G, bluetooth, wifi, and zigbee. Testing includes reviewing each of the communication channels in use by the device for attacks.

Application

IOT devices can have multiple applications driving its functionality from mobile apps to web applications. Testing includes attack vectors to each of the applications and follows the OWASP testing methodology.

Firmware

Firmware is the software that runs the IOT device. Testing includes identifying the ability to retrieve the firmware then audit it for flaws and vulnerabilities that can be used in further attacks.

Encryption

IOT devices communicate over multiple channels and with different devices these channels need to be secure and prevent snooping. These devices also store data that could possibly be sensitive. Testing includes ensuring each piece of data in transit and at rest is encrypted to prevent attackers from accessing it.

Hardware

This is the IoT device hardware (Chip, such as a chip set, Storagestorage, JTAG, UART ports, Sensors, Camera etc.) port, sensor, camera, or other device. Testing will include reviewing each of the IOT device components to ensure unauthorized access to the device is being properly reviewed and secured.