Identify the threat IOT Devices pose to your organization

The proliferation of Internet of Things (IoT) devices and their entrenchment into every facet of our existence can be viewed as both a superb innovation and a security nightmare. Any one connected device can present numerous points of entry for bad actors.

Gartner, Inc. forecasts that connected things “… will reach 20.8 billion by 2020.”

Smart cars, smartphones, smart refrigerators, connected home devices…. the world essentially becomes one integrated information system aimed at improving the quality of life and driving new business models. Add to that the fact an increasing amount of personal and corporate information is stored in the cloud where it potentially interchanges with yet another multitude of devices and it just compounds the risks to your business.

As IoT-connected devices become an integral part of our daily personal and business lives, it is crucial these devices undergo thorough testing to mitigate risks to your environment.

 

How We Test IOT Devices

TBG has compiled a comprehensive Internet of Things (IOT) testing methodology based on OWASP to fully audit the security posture of any IOT device. When testing IOT devices TBG will take on the role of bad actors and attempt to subvert the security controls used by the manufacturer. We focus on identifying vulnerabilities threatening the confidentiality, integrity, and availability of the IOT device.

When performing an IOT penetration test, we look at the four possible attack vectors that a bad actor would be targeting.

  1. Attacks against the device
  2. Attacks against the Network
  3. Attacks against the server(s)
  4. Attacks against the wireless communication

Each of these attack vectors is explored to ensure proper security controls are in place to detect, mitigate, and properly audit access. Any one of these attack vectors could allow the leakage or alteration of confidential information.

  • Network
    IOT devices communicate on many different types of communication channels such as public internet, 4G, 3G, bluetooth, wifi, and zigbee. Testing includes reviewing each of the communication channels in use by the device for attacks.
  • Application
    IOT devices can have multiple applications driving its functionality from mobile apps to web applications. Testing includes attack vectors to each of the applications and follows the OWASP testing methodology.
  • Firmware
    Firmware is the software that runs the IOT device. Testing includes identifying the ability to retrieve the firmware then audit it for flaws and vulnerabilities that can be used in further attacks.
  • Encryption
    IOT devices communicate over multiple channels and with different devices these channels need to be secure and prevent snooping. These devices also store data that could possibly be sensitive. Testing includes ensuring each piece of data in transit and at rest is encrypted to prevent attackers from accessing it.
  • Hardware
    This is the IoT device hardware (Chip, such as a chip set, Storagestorage, JTAG, UART ports, Sensors, Camera etc.) port, sensor, camera, or other device. Testing will include reviewing each of the IOT device components to ensure unauthorized access to the device is being properly reviewed and secured.
 

Benefits Of Working With Us

TBG Security has provided services across a number of industries from Fortune 50 companies to government agencies.

  • Trusted advisors for 12 years
  • Employ same tools and techniques as today’s hackers
  • All successful exploits fully documented
  • Provide stakeholder-ready report

And here are just some of our Certifications:

  • Certified Information System Security Professional (CISSP)(ISC)2
  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Certified Expert (OSCE)
  • Certified Ethical Hacker (CEH)
  • GIAC Certified Intrusion Analyst (GCIA)
  • PCI SSC Approved Scanning Vendor (ASV)
  • Certified Information Systems Auditor (CIA)
  • GIAC Certified Incident Handler, SANS Institute (GCIH)
  • Certified Cisco Network Associate, Cisco Systems (CCNA)
  • Microsoft Certified Systems Engineer, Microsoft (MCSE)
  • Splunk Certified Architect (SCA)
 

Get In Touch

Want to know more about our external penetration tests? We’re here to help.

Contact us