IoT pentest - Connected objects penetration test

IoT

An IoT pentest enables to search for security flaws in the connected object’s entire ecosystem: hardware, embedded software, communication protocols, servers, mobile applications, APIs and Web interfaces.

Aim of an IoT pentest

IoT security is a major challenge, with the development of smart homes, smart cities, connected health care systems and the 4.0 industry.

The security of connected objects is a complex subject, due to the range of technologies and the number of possible points of attack.

The objective of a connected object pentest is to identify the flaws present in the different layers in order to secure the object’s entire environment. In this case, the audit targets the hardware (electronics), the software (embedded software, communication protocol) as well as APIs, Web and mobile interfaces (servers, web applications, mobile applications). However, it is also possible to focus the audit on a limited technical area depending on the security issues previously identified.

Therefore, the scope of an IoT security audit is to be defined according to the client's priorities:

  • Should we pentest the entire IoT ecosystem or only certain parts?
  • What is the desired level of detail: a rapid analysis or in-depth research work?
  • What is the level of public exposure of the solution, and what are the consequences if hacking occurs? (in order to choose between a black box penetration test or a grey box penetration test)

Stages of an IoT security audit

The first step is the definition of the scope of the audit. Discussions with the client make it possible to decide the objectives, the target and the conditions of the pentest.

It is important to allocate time for the preparation phase of the audit: reception of the object by the pentesters, purchase of specific equipment if necessary, transmission of additional information by the client, etc.

In some cases, the pentesters carry out the audit from Sensora's offices, having one or more copies of the connected object at their disposal. In other cases, the audit must be conducted from a client’s site. Depending on the pre-defined conditions, the client may be notified of the findings as the audit progresses or only when the audit is completed.

iot-pentest-firmware-penetration-testing

Hardware penetration testing

Penetration tests of hardware focus on the electronic components of the solution (non-invasive and invasive attacks).

The techniques used include the following:

  • Reverse engineering of elements extracted from the hardware equipment studied
  • Memory dumps
  • Cryptographic analysis

Firmware penetration testing

Penetration tests of firmware focus on the software embedded in the object, including a certain number of techniques:

  • Detection of communication ports that are open and badly protected
  • Buffer overflow
  • Breaking passwords
  • Reverse engineering
  • Cryptographic analysis
  • Modifications of firmware
  • Debugging
  • Detection of configuration interfaces or backdoors

Communication protocols penetration testing

Penetration tests of communication protocols focus on the technology enabling the communication of the object and the sending of data to the outside (RFID, NFC, ZigBee, Bluetooth, WiFi, SigFox, LoRa, etc.).

The tests are based on the following techniques:

  • Capture and analysis of multi-protocol radio signals (sniffing)
  • Cryptographic analysis
  • Passive monitoring of exchanges
  • Interception and corruption of exchanges
  • Denials of service
iot-pentest-hardware-penetration-testing

Focus on Bluetooth Low Energy

Bluetooth Low Energy (BLE) is a communication protocol that is particularly used because it makes it possible to send small quantities of data between items of equipment while saving the battery.

Security issues related to BLE are very often linked to incorrect implementation of the protocol. There are ways to encrypt the data exchange and strengthen the security of the protocol, which are to be studied from the design phase of a connected object.

Further information on Bluetooth Low Energy

zoom bluetooth
26%

In 2018, 26% of organizations experienced a data breach specifically because of unsecured IoT devices or applications.
2019. The Third Annual Study on Third Party IoT Risk: Companies Don’t Know What They Don’t Know. Ponemon Institute. (p. 2).

65%

65% of consumers are concerned with the way connected devices collect and use personal data.
2019. The trust opportunity: Exploring consumers’ attitudes to the Internet of Things. Consumers International & Internet Society. (p. 7)

73%

73% of organizations had been hit by at least an attack against connected devices in 2018.
2018. The IoT Revolution: Uncovering Opportunities, Challenges and the Scale of the Security Threat. Trend Micro. (p. 4).

Our range of pentests

We cover a wide technical scope, with specific tests for each type of target. The exact area to which the pentest is applied is to be defined directly according to your security priorities, or after a reconnaissance audit phase for identifying the parts that are most at risk from the viewpoint of an attacker.

fancybox
Reconnaissance audit
fancybox
Web platforms
fancybox
Mobile apps
fancybox
Infrastructure & network
fancybox
Social engineering
fancybox
Information system