Internet of Things (IoT) Penetrating Testing Services

Customized Penetration Testing Against Your IoT Devices

Artifice Security is the top penetration testing company for penetration testing of Internet of Things (IoT) devices. We go beyond simple device testing to examine the target’s complete ecosystem, including hardware, firmware, network, wireless communications, mobile, web application interfaces, Cloud APIs, and other crucial areas. Our manual testing and analysis go into great detail, looking for both known and previously unknown flaws.

Our consultants at Artifice Security have network security skills and electronic backgrounds, with some serving as electronic warfare technicians specializing in component-level electronics.

Process

What to Expect in our IoT Penetration Testing Service

Artifice Security goes well beyond the OWASP Top 10 to exploit vulnerabilities when testing IoT devices. We check for vulnerabilities that are not well known, or we find new undiscovered vulnerabilities. During our test, we examine the entire ecosystem of the IoT device, from the physical device itself to how it communicates with the end-user and everything in between. Our consultants at Artifice Security have electronic backgrounds, with some serving as electronic warfare technicians specializing in component-level electronics.

Below are some examples of areas we examine:

IoT Device Hardware

Internal communication protocols like UART, I2C, SPI, and more
Open ports
JTAG debugging
Retrieve and examine firmware from EEPROM or FLASH memory
Tamper testing

Firmware Testing

Binary analysis
Reverse engineering
Analyzing file system
Examine key and certificates
Firmware modification

Radio Security Analysis

The exploitation of communication protocols such as BLE, Zigbee, LoRA, 6LoWPAN
Sniffing radio packets
Jamming attacks
Modifying and replaying packets

Mobile, Web, and Cloud Application Testing

Web dashboards (XSS, IDOR, Injections, etc.)
Source code review for .apk and .ipa files
Application reversing
Hardcoded API keys
Cloud credentials like MQTT, CoAP, AWS, and more

The above is just a fraction of what we test as we typically perform hundreds of checks against your device.

methodology

IoT Penetration Test Methodology

After years of performing penetration testing, Artifice Security has created a proven, repeatable methodology that will meet your organizational needs. Each finding in the report has verifications with no possible false positives. We operate as a manual penetration testing company that offers you proofs-of-concept that you can verify. To achieve this, we use the following steps:

01

Define the Scope

Before starting the IoT penetration test, Artifice Security will communicate with your team to determine the exact scope for your IoT assessment. We will communicate with your team to understand the function of the IoT device, its components, how it functions normally, and the time needed to complete the penetration test.

Determine the functionality of the IoT device
Determine if the device can be physically tested or remotely tested
Outline which systems, if any, are excluded from testing
Determine testing dates and times for the penetration test
Exchange key personnel and emergency contact information for any critical findings found

02

Information Gathering / Recon Phase

During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open-Source Intelligence (OSINT) tools and techniques. This public data can help us determine undiscovered risks to your company and show you what information is out there that you may not know exists. This targeted intelligence includes the following checks:

Gather any IT information about your organization
Searches for publicly exposed documents such as PDFs, DOCXs, XLSXs, and PowerPoint documents that may contain sensitive or customer information without your knowledge
Searches on the Internet and Darkweb for leaked credentials within password breach databases
Checks to find any leaked information about your IoT device and research any possible vulnerable components

03

Enumeration Phase

Artifice Security will use active information-gathering tools and techniques to determine all possible attack vectors during the enumeration phase. We will assemble information gathered from this phase and the information gathering phase as the foundation for our attack and exploitation phase.

Obtain firmware from the device
Determine network services in use, including wireless
Enumerate web services, backend API, cloud, or mobile interfaces
Determine secure update mechanism
Enumerate software components and libraries to include third-party libraries
Determine how the device stores personal information
Determine how the device uses encryption and where it uses encryption, including at rest
Determine security support and device management
Determine security of default settings
Enumerate all physical hardening measures
Correlate public and proprietary vulnerabilities against systems on your network

04

Attack and Exploitation Phase

During the attack and exploitation phase, Artifice Security will use manual penetration testing techniques to exploit vulnerabilities found in your IoT device. We perform this exploitation using professional tools and techniques while being cautious about protecting your data and not interrupting normal business functions. At this phase, we will perform the following tasks against your IoT device:

Use leaked information to gain privileged access to IoT device
Obtain hardcoded passwords from firmware
Access backdoors coded in firmware
Attack network services
Exploit any vulnerabilities found in web services
Load unvalidated firmware on the device
Obtain personal information for other accounts
Escalate privileges and access sensitive data
Show proofs-of-concept for exfiltrating data

05

Reporting Phase

Artifice Security will put together all information about your organization and vulnerabilities discovered for your IoT device during the reporting phase. We guarantee that each discovered vulnerability will be present with no false positives in the report as we use manual penetration testing.

Reporting begins with an executive summary which gives a layman’s explanation of the vulnerabilities and conveys the overall risk to your IoT device and organization. In addition to a summary of results, we also provide a list of positive findings found during testing. Next, the report explains how we determine criticality and risk for each vulnerability so you can better understand what to prioritize for remediation and how we rate severity for each finding.

Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.
In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.

Executive Summary that easily conveys risk
Vulnerabilities rated by criticality
Detailed walkthrough showing how we chain together attacks
Detailed repeatable proofs-of-concept for each vulnerability
Best practice remediation steps that are customized and realistic based on your current environment

06

Remediation Testing

As part of your penetration test, Artifice Security includes performing remediation testing (retesting) against your IoT device after your team remediates all findings. This retesting helps ensure your organization has adequately implemented changes to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing completes, we will provide you with an updated report that reflects the current state of your IoT device.

FAQ

Frequently Asked Questions

What are the most common IoT vulnerabilities?

The most common IoT vulnerabilities we find are the following:

Weak, guessable, or hardcoded passwords
Insecure network services (FTP, telnet, and default creds for SSH)
Insecure ecosystem interfaces such as web, backend API, cloud, and mobile
Lack of secure update mechanism
Use of insecure or outdated components (typically third-party software libraries)
Insufficient privacy protection
Insecure data transfer and storage
Lack of device management
Insecure default settings
Lack of physical hardening

What are some of the tools you use for IoT penetration testing?

The tools we use largely depend on the IoT device we are testing. For example, does the IoT device have wireless or Bluetooth, or does it have a web application interface? We use various tools for exploitation, reverse engineering, and hardware and software testing. Some of these tools include the following:

Expliot – IoT Exploitation Framework
Routersploit – Exploitation Framework for Embedded Devices
IoTSecFuzz – Comprehensive Testing Tool for IoT Devices
HomePwn – Swiss Army Knife for Pentesting IoT Devices
killerbee – Zigbee Exploitation
HAL – Hardware Analyzer
FwAnalyzer – Firmware Analyzer
ISF – Industrial Security Exploitation Framework
PENIOT – Penetration Testing Tool for IoT
IDA Pro – Interactive Disassembler
GDB – GNU Project Debugger for Debugging C/C++
Ghidra – GNU Project Debugger Suite of Tools Designed by the NSA
BurpSuite – An Integrated Platform/Graphical Tool for Performing Security Testing of Web Applications

Do you need the IoT device in hand for penetration testing?

Some of our clients only want specific areas of IoT testing done, which allow remote testing, such as testing the web application interfaces for the IoT device. We would need the device in hand for most tests to properly conduct a full manually-performed IoT penetration test.

How long does an IoT penetration test take to perform?

Depending on the IoT type and complexity, it can take five to twenty days. A complex system with a larger attack surface may take even longer to complete.

Leading-Edge Cybersecurity

Services

Let's work together