Internet of Things (IoT) Penetration Testing Services

Customized Penetration Testing Against Your IoT Devices

Artifice Security is the top penetration testing company for penetration testing of Internet of Things (IoT) devices. We go beyond simple device testing to examine the target’s complete ecosystem, including hardware, firmware, network, wireless communications, mobile, web application interfaces, Cloud APIs, and other crucial areas. Our manual testing and analysis go into great detail, looking for both known and previously unknown flaws.

Our consultants at Artifice Security have network security skills and electronic backgrounds, with some serving as electronic warfare technicians specializing in component-level electronics.


What to Expect in our IoT Penetration Testing Service

Artifice Security goes well beyond the OWASP Top 10 when testing IoT devices. We check for vulnerabilities that are not well known and look for previously undiscovered ones. During the test, we examine the entire ecosystem of the IoT device, from the physical device itself to how it communicates with the end user and everything in between.

Below are some examples of areas we examine:

IoT Device Hardware
  • Internal communication protocols such as UART, I2C, SPI, and more
  • Open ports
  • JTAG debugging
  • Retrieving and examining firmware from EEPROM or flash memory
  • Tamper testing

Firmware Testing
  • Binary analysis
  • Reverse engineering
  • Analyzing the file system
  • Examining keys and certificates
  • Firmware modification

Radio Security Analysis
  • Exploitation of communication protocols such as BLE, Zigbee, LoRa, and 6LoWPAN
  • Sniffing radio packets
  • Jamming attacks
  • Modifying and replaying packets

Mobile, Web, and Cloud Application Testing
  • Web dashboards (XSS, IDOR, injection flaws, etc.)
  • Source code review of .apk and .ipa files
  • Application reversing
  • Hardcoded API keys
  • Credentials for cloud and messaging services such as MQTT, CoAP, AWS, and more

The above is just a fraction of what we test, as we typically perform hundreds of checks against your device.


IoT Penetration Test Methodology

After years of performing penetration testing, Artifice Security has created a proven, repeatable methodology that will meet your organizational needs. Each finding in the report is verified, with no false positives. We operate as a manual penetration testing company and provide proofs-of-concept that you can verify yourself. To achieve this, we use the following steps:

Define the Scope

Before starting the IoT penetration test, Artifice Security will work with your team to determine the exact scope of your IoT assessment: the purpose of the IoT device, its components, how it behaves under normal operation, and the time needed to complete the penetration test.
  • Determine the functionality of the IoT device
  • Determine if the device can be physically tested or remotely tested
  • Outline which systems, if any, are excluded from testing
  • Determine testing dates and times for the penetration test
  • Exchange key personnel and emergency contact information in case critical findings are discovered

Information Gathering / Recon Phase

During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open-Source Intelligence (OSINT) tools and techniques. This public data can reveal undiscovered risks to your company and show you what information is available that you may not know exists. This targeted intelligence includes the following checks:

  • Gather any IT information about your organization
  • Search for publicly exposed documents such as PDFs, DOCXs, XLSXs, and PowerPoint documents that may contain sensitive or customer information without your knowledge
  • Search the Internet and dark web for leaked credentials within password breach databases
  • Check for any leaked information about your IoT device and research any potentially vulnerable components

Enumeration Phase

During the enumeration phase, Artifice Security will use active information-gathering tools and techniques to determine all possible attack vectors. The information gathered in this phase and in the information-gathering phase forms the foundation for the attack and exploitation phase.
  • Obtain firmware from the device
  • Determine network services in use, including wireless
  • Enumerate web services, backend API, cloud, or mobile interfaces
  • Determine secure update mechanism
  • Enumerate software components and libraries, including third-party libraries
  • Determine how the device stores personal information
  • Determine how and where the device uses encryption, including for data at rest
  • Determine security support and device management
  • Determine security of default settings
  • Enumerate all physical hardening measures
  • Correlate public and proprietary vulnerabilities against systems on your network

Attack and Exploitation Phase

During the attack and exploitation phase, Artifice Security will use manual penetration testing techniques to exploit vulnerabilities found in your IoT device. We perform this exploitation using professional tools and techniques while being cautious about protecting your data and not interrupting normal business functions. At this phase, we will perform the following tasks against your IoT device:
  • Use leaked information to gain privileged access to the IoT device
  • Obtain hardcoded passwords from firmware
  • Access backdoors coded in firmware
  • Attack network services
  • Exploit any vulnerabilities found in web services
  • Load unvalidated firmware on the device
  • Obtain personal information for other accounts
  • Escalate privileges and access sensitive data
  • Show proofs-of-concept for exfiltrating data

Reporting Phase

During the reporting phase, Artifice Security compiles all information about your organization and the vulnerabilities discovered in your IoT device. Because we test manually, every vulnerability in the report has been verified, with no false positives.

Reporting begins with an executive summary, which gives a layman’s explanation of the vulnerabilities and conveys the overall risk to your IoT device and organization. In addition to a summary of results, we also provide a list of positive findings observed during testing. Next, the report explains how we determine criticality and risk for each vulnerability, so you can better understand how we rate the severity of each finding and what to prioritize for remediation.

Further in the report, we break down each vulnerability in technical detail, including a summary of the finding, affected location(s), proofs-of-concept, and remediation steps. Each detailed proof-of-concept has easy-to-follow steps for your team to recreate the process of how we exploited the vulnerability.

In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.

  • Executive Summary that easily conveys risk
  • Vulnerabilities rated by criticality
  • Detailed walkthrough showing how we chain together attacks
  • Detailed repeatable proofs-of-concept for each vulnerability
  • Best practice remediation steps that are customized and realistic based on your current environment

Remediation Testing

As part of your penetration test, Artifice Security includes remediation testing (retesting) against your IoT device after your team remediates all findings. This retesting helps ensure your organization has adequately implemented the changes needed to fix all vulnerabilities. Remediation and retesting also give compliance auditors and customers proof of your lowered or eliminated risk. After remediation testing is complete, we will provide you with an updated report that reflects the current state of your IoT device.


Frequently Asked Questions

What are the most common IoT vulnerabilities?

The most common IoT vulnerabilities we find are the following:

  • Weak, guessable, or hardcoded passwords
  • Insecure network services (FTP, telnet, and default credentials for SSH)
  • Insecure ecosystem interfaces such as web, backend API, cloud, and mobile
  • Lack of secure update mechanism
  • Use of insecure or outdated components (typically third-party software libraries)
  • Insufficient privacy protection
  • Insecure data transfer and storage
  • Lack of device management
  • Insecure default settings
  • Lack of physical hardening

What are some of the tools you use for IoT penetration testing?

The tools we use largely depend on the IoT device we are testing. For example, does the IoT device have wireless or Bluetooth, or does it have a web application interface? We use various tools for exploitation, reverse engineering, and hardware and software testing. Some of these tools include the following:

  • Expliot – IoT Exploitation Framework
  • Routersploit – Exploitation Framework for Embedded Devices
  • IoTSecFuzz – Comprehensive Testing Tool for IoT Devices
  • HomePwn – Swiss Army Knife for Pentesting IoT Devices
  • killerbee – Zigbee Exploitation
  • HAL – Hardware Analyzer
  • FwAnalyzer – Firmware Analyzer
  • ISF – Industrial Security Exploitation Framework
  • PENIOT – Penetration Testing Tool for IoT
  • IDA Pro – Interactive Disassembler
  • GDB – GNU Project Debugger for Debugging C/C++
  • Ghidra – Software Reverse Engineering Suite Developed by the NSA
  • BurpSuite – An Integrated Platform/Graphical Tool for Performing Security Testing of Web Applications

Do you need the IoT device in hand for penetration testing?

Some of our clients only want specific areas of IoT testing done, which allows remote testing, such as testing the web application interfaces for the IoT device. For a full, manually performed IoT penetration test, we need the device in hand for most of the tests.

How long does an IoT penetration test take to perform?

Depending on the IoT type and complexity, it can take five to twenty days. A complex system with a larger attack surface may take even longer to complete.
