Internet of Things Penetration Testing
INTRODUCTION TO IoT PENTESTING
Why should you test the security of your Internet of Things estate?
The quantity of connected devices has exploded year on year recently and the Internet of Things (IoT) has become a significant target for malicious attackers. Botnets are often built and designed to use Distributed Denial of Service (DDoS) attacks. The Mirai malware (2016) infected millions of IoT devices and then commanded those botnets to launch high profile, bandwidth-evouring DDoS attacks against high profile websites.
PrimoConnect’s defensive security solution architects routinely work closely with creators of smart devices. This way, through knowledge-share, our offensive security teams can provide assurance around our customers’ IoT devices’ security configurations. Internet of Things penetration testing provides is invaluable in auditing the level of security associated with connected devices.
PrimoConnect’s experience in IoT testing covers domestic devices and those in the workplace.
When Is IoT Pen Testing Applicable?
Internet of Things devices should be security tested whenever a device is to be connected to a network. Even if you foresee no threat from an IP TV in a hotel room, a tracking device in a logistics lorry, an IP fridge in an office lobby or robotic interactive toy in a school classroom, connected devices are actively being targeted by malicious actors who are aiming to:
Build botnets
Instigate an attack via the use of malicious or illegally obtained software
Threaten individual and / or corporate privacy
IoT devices are often designed to be ‘plug and play‘. These should always be subject to an Internet of Things penetration test. The low effort to setup will almost certainly mean that they are deployed with poor security configurations. If your organisation produces Internet of Things devices and you are concerned about their security configuration, PrimoConnect offer a world class penetration testing service with some of the most skilled and experienced experts globally.
How Do PrimoConnect Perform An IoT Security Test?
IoT solution pen-testing involves testing the network, API, and applications. This can be done remotely if the IoT environment is accessible over internet or a wireless network or onsite if not. Compared with more common areas of penetration testing Internet of Things presents a number of unique challenges. Diverse architectures, communication protocols, coding and operating systems result in almost immeasurable combinations of technology. Our most senior and experienced penetration testers will carry out testing IoT devices.
PrimoConnect’s security penetration testers ensure that the full attack surface and all use cases of the IoT device in question are considered, in order to give full levels of assurance to the customer. An Internet of Things penetration test focuses on the following areas:
Hardware
Firmware
Application
Network
Encryption
IoT penetration test reporting
PrimoConnect customers for Internet of Things security testing can expect a full report split into two key areas, per engagement. The first section is a management report, which is designed to be consumed by a non-technical audience and relays the overall security posture of the target device in terms of risk to the organisation.
The second is a technical report, which provides in-depth technical detail for each finding, including relevant and actionable remedial advice.
The last step in an engagement is a full debrief conference call with a senior pen tester to run through the report and ensure full comprehension has been achieved. It’s an opportunity to ask questions and ask for explanations of any security auditing queries that customers may have.