Internet of Things (IoT) Penetration Testing Services
Customized Penetration Testing Against Your IoT Devices
Our consultants at Artifice Security have network security skills and electronic backgrounds, with some serving as electronic warfare technicians specializing in component-level electronics.
Process
What to Expect in our IoT Penetration Testing Service
Artifice Security goes well beyond the OWASP Top 10 to exploit vulnerabilities when testing IoT devices. We check for vulnerabilities that are not well known, and we look for previously undiscovered ones. During our test, we examine the entire ecosystem of the IoT device, from the physical device itself to how it communicates with the end user and everything in between.
Below are some examples of areas we examine:
IoT Device Hardware
- Internal communication protocols like UART, I2C, SPI, and more
- Open ports
- JTAG debugging
- Retrieval and examination of firmware from EEPROM or flash memory
- Tamper testing
Firmware Testing
- Binary analysis
- Reverse engineering
- File system analysis
- Examination of keys and certificates
- Firmware modification
Radio Security Analysis
- Exploitation of communication protocols such as BLE, Zigbee, LoRa, and 6LoWPAN
- Sniffing radio packets
- Jamming attacks
- Modifying and replaying packets
Mobile, Web, and Cloud Application Testing
- Web dashboards (XSS, IDOR, Injections, etc.)
- Source code review for .apk and .ipa files
- Application reversing
- Hardcoded API keys
- Cloud credentials like MQTT, CoAP, AWS, and more
Methodology
IoT Penetration Test Methodology
01. Define the Scope
- Determine the functionality of the IoT device
- Determine if the device can be physically tested or remotely tested
- Outline which systems, if any, are excluded from testing
- Determine testing dates and times for the penetration test
- Exchange key personnel and emergency contact information for any critical findings found
02. Information Gathering / Recon Phase
During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open-Source Intelligence (OSINT) tools and techniques. This public data can help us determine undiscovered risks to your company and show you what information is out there that you may not know exists. This targeted intelligence includes the following checks:
- Gather any IT information about your organization
- Searches for publicly exposed documents such as PDFs, DOCXs, XLSXs, and PowerPoint documents that may contain sensitive or customer information without your knowledge
- Searches on the internet and dark web for leaked credentials within password breach databases
- Checks to find any leaked information about your IoT device and research any possible vulnerable components
03. Enumeration Phase
- Obtain firmware from the device
- Determine network services in use, including wireless
- Enumerate web services, backend API, cloud, or mobile interfaces
- Determine secure update mechanism
- Enumerate software components and libraries to include third-party libraries
- Determine how the device stores personal information
- Determine how the device uses encryption and where it uses encryption, including at rest
- Determine security support and device management
- Determine security of default settings
- Enumerate all physical hardening measures
- Correlate public and proprietary vulnerabilities against systems on your network
04. Attack and Exploitation Phase
- Use leaked information to gain privileged access to the IoT device
- Obtain hardcoded passwords from firmware
- Access backdoors coded in firmware
- Attack network services
- Exploit any vulnerabilities found in web services
- Load unvalidated firmware onto the device
- Obtain personal information for other accounts
- Escalate privileges and access sensitive data
- Show proofs-of-concept for exfiltrating data
05. Reporting Phase
Reporting begins with an executive summary that gives a layman's explanation of the vulnerabilities and conveys the overall risk to your IoT device and organization. In addition to a summary of results, we also provide a list of positive findings observed during testing. Next, the report explains how we determine criticality and risk for each vulnerability so you can better understand what to prioritize for remediation and how we rate the severity of each finding.
Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.
In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.
- Executive Summary that easily conveys risk
- Vulnerabilities rated by criticality
- Detailed walkthrough showing how we chain together attacks
- Detailed repeatable proofs-of-concept for each vulnerability
- Best practice remediation steps that are customized and realistic based on your current environment
06. Remediation Testing
As part of your penetration test, Artifice Security includes remediation testing (retesting) against your IoT device after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing is complete, we will provide you with an updated report that reflects the current state of your IoT device.
FAQ
Frequently Asked Questions
What are the most common IoT vulnerabilities?
The most common IoT vulnerabilities we find are the following:
- Weak, guessable, or hardcoded passwords
- Insecure network services (FTP, telnet, and default credentials for SSH)
- Insecure ecosystem interfaces such as web, backend API, cloud, and mobile
- Lack of secure update mechanism
- Use of insecure or outdated components (typically third-party software libraries)
- Insufficient privacy protection
- Insecure data transfer and storage
- Lack of device management
- Insecure default settings
- Lack of physical hardening
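As an added illustration (not Artifice Security's own tooling), the following Python audit checks an extracted firmware root filesystem for three of the issues listed above: accounts with an empty password hash, clear-text services started from init files, and secrets hard-coded in shell scripts. The sample filesystem is constructed inline; for a real image you would extract the firmware first and pass the path to its rootfs to `audit_firmware`.

```python
import re
import tempfile
from pathlib import Path
# Constructed sample of an extracted firmware root filesystem (not taken from any real device).
SAMPLE_ROOTFS = {
    "etc/shadow": "root::0:0:99999:7:::\nadmin:$1$salt$hashvalue:0:0:99999:7:::\n",
    "etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/login\n",
    "etc/init.d/rcS": '#!/bin/sh\nAPI_KEY="EXAMPLE-HARDCODED-KEY"\n/usr/sbin/ftpd &\n',
}
# Daemons that carry credentials in clear text (the "insecure network services" item above).
PLAINTEXT_SERVICES = ("telnetd", "ftpd", "tftpd")
# Literal secret assignments in shell scripts, e.g. API_KEY="..." or PASSWORD=...
SECRET_PATTERN = re.compile(r'\b(API_KEY|PASSWORD|SECRET|TOKEN)\s*=\s*["\']?[^"\'\s]+', re.I)

def write_sample_rootfs(base: Path) -> Path:
    """Materialise the constructed sample so the checks run on real files."""
    for rel, content in SAMPLE_ROOTFS.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text(content)
    return base

def empty_password_accounts(rootfs: Path) -> list:
    """Accounts whose etc/shadow hash field is empty can log in with no password."""
    shadow = rootfs / "etc/shadow"
    text = shadow.read_text() if shadow.exists() else ""
    fields = [line.split(":") for line in text.splitlines()]
    return [f[0] for f in fields if len(f) > 1 and f[1] == ""]

def plaintext_services(rootfs: Path) -> list:
    """(file, daemon) pairs for clear-text daemons launched from init files."""
    init_files = list(rootfs.glob("etc/inittab")) + sorted(rootfs.glob("etc/init.d/*"))
    return [(p.relative_to(rootfs).as_posix(), d) for p in init_files
            for d in PLAINTEXT_SERVICES if d in p.read_text()]

def hardcoded_secrets(rootfs: Path) -> list:
    """(file, variable) pairs for secrets assigned literally anywhere in the rootfs."""
    return [(p.relative_to(rootfs).as_posix(), m.group(1).upper())
            for p in sorted(rootfs.rglob("*")) if p.is_file()
            for m in SECRET_PATTERN.finditer(p.read_text(errors="ignore"))]

def audit_firmware(rootfs: Path) -> dict:
    """Run all three checks; a clean image returns three empty lists."""
    return {"empty_passwords": empty_password_accounts(rootfs),
            "plaintext_services": plaintext_services(rootfs),
            "hardcoded_secrets": hardcoded_secrets(rootfs)}

def audit_sample() -> dict:
    """Audit the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_firmware(write_sample_rootfs(Path(tmp)))
```

Each non-empty list is a finding to remediate: set real password hashes or lock the account, replace telnet/FTP with SSH/SFTP, and move secrets out of the image into per-device provisioning.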
What are some of the tools you use for IoT penetration testing?
The tools we use largely depend on the IoT device we are testing. For example, does the IoT device have wireless or Bluetooth, or does it have a web application interface? We use various tools for exploitation, reverse engineering, and hardware and software testing. Some of these tools include the following:
- Expliot – IoT Exploitation Framework
- RouterSploit – Exploitation Framework for Embedded Devices
- IoTSecFuzz – Comprehensive Testing Tool for IoT Devices
- HomePwn – Swiss Army Knife for Pentesting IoT Devices
- KillerBee – Zigbee Exploitation
- HAL – Hardware Analyzer
- FwAnalyzer – Firmware Analyzer
- ISF – Industrial Security Exploitation Framework
- PENIOT – Penetration Testing Tool for IoT
- IDA Pro – Interactive Disassembler
- GDB – GNU Project Debugger for Debugging C/C++
- Ghidra – Software Reverse Engineering Suite of Tools Developed by the NSA
- Burp Suite – An Integrated Platform/Graphical Tool for Performing Security Testing of Web Applications