What is IoT Penetration Testing?

by Sarah Harvey / September 12th, 2019

The technology that consumers use every day is becoming smarter and smarter – locks, mirrors, cars, refrigerators, speakers, watches, thermostats, printers, security cameras. Internet of things (IoT) technology is making daily tasks easier, but how secure is this technology? It’s your job as the developer of IoT technology to make sure that the information transmitted through these devices is secure so that the consumer doesn’t have to worry.

IoT devices are vulnerable to the same array of attacks as you would find in other areas of technology. Why should these not be tested and held to the same security standards as the rest? What ways could an attacker abuse the IoT technology that your organization has developed? In order to protect the IoT products you develop, your IoT products must undergo thorough penetration testing.

Why Test the Security of IoT Devices?

Gartner expects that by 2020, 20 billion IoT devices will be available. This number doesn’t include what Gartner deems “general-purpose” devices like smartphones, but dedicated, physical objects that contain embedded technology to sense or interact with their internal state or the external environment. This surge in IoT technology can save lives, time, energy, money – the possibilities are endless. But IoT that isn’t built with an emphasis on security can be extremely dangerous.

The number of and types of IoT attacks keep on climbing. In Symantec’s 2019 Internet Security Threat Report, for instance, it includes the following:

  • IoT attacks increased 600% between 2016 and 2017.
  • On average, IoT devices experience 5,200 attacks per month.
  • 90% of IoT attacks are attributed to routers and connected cameras.
  • IoT attacks against industrial controls systems (ICS) are rising.
  • Mirai was the third most common IoT threat in 2018, some variants using up to 16 different exploits.
  • VPNFilter revolutionized IoT attacks with its ability to survive a reboot.
  • In 2018, Telnet accounted for 90% of protocol attacks and 85% of port attacks.

When you develop IoT, don’t you want assurance that your technology has a defense against these types of attacks? Are your routers part of the 75% of targeted IoTs? How are you mitigating the threats against the Telnet protocol? How many IoT attacks can your devices withstand? Are you working with a security team that recognizes APT groups’ behaviors? Penetration testing can be a solution for gaining the assurance you need.

How is Penetration Testing Performed on IoT Devices?

During IoT penetration testing, we are testing an IoT product’s security hygiene. Is information secured in storage and in transit? Could the IoT device be forced into completing tasks it shouldn’t? Could the IoT device be bypassed? Could authentication requirements be bypassed? What vulnerabilities could be abused? We put IoT technology through multiple types of tests in hopes of revealing any security vulnerabilities that might exist.

The OWASP IoT Top 10 lists things to avoid when building, deploying, or managing IoT systems or devices, including:

  1. Weak, Easily Guessable, or Hardcoded Passwords
  2. Insecure Network Services
  3. Insecure Ecosystem Interfaces
  4. Lack of Secure Update Mechanism
  5. Use of Insecure or Outdated Components
  6. Insufficient Privacy Protection
  7. Insecure Data Transfer and Storage
  8. Lack of Device Management
  9. Insecure Default Settings
  10. Lack of Physical Hardening

While our testing is focused on how IoT technology has been built with security in mind, this list provides a good baseline of what a penetration tester may be looking for during IoT penetration testing. Our team will thoroughly test IoT devices to think of ways that an attacker could leverage your vulnerabilities. All IoT is different, and we’re prepared to perform diligent, advanced IoT penetration testing to protect your organization.

We want to find the gaps in your IoT security before an internal or external attacker does. If you want to avoid the consequences of compromised IoT technology and work with an expert ethical hacker, contact us today.

More Penetration Testing Resources

What is Network Penetration Testing?

What are the Stages of Penetration Testing?

3 Hacks to Get the Most Out of Your Penetration Test