Securing and penetration testing IoT (connected/smart) devices is complex. It requires a good understanding of the bigger picture, how all the pieces work together across the entire architecture, which in turn means investigating each component and the links between them: the device itself, the server side, the mobile app, device identification and authentication, and the communication channels.
Based on AppSec Labs' experience and research in the field of connected/smart devices, the following are the components that must be tested as part of an IoT product assessment, with a drill-down of what is tested under each:
Category | Tests
---|---
Firmware Extracting & Reversing | Extracting; reversing; dumping; downgrading; bypassing update/boot verification; pushing a malicious update; resetting the device to an insecure state
Device App Vulnerabilities | Memory corruption (overflows); vulnerable exposed services (web, SSH, TFTP, etc.); privilege escalation
Local Data Storage | Tampering with storage; sensitive information disclosure; PII (personally identifiable information); PHI (protected health information); removal of storage media; extraction of usernames, passwords and URLs; encryption keys (symmetric and asymmetric); sensitive information in logs; geo-location information; device ID/serial number exposure; hardcoded credentials; inability to wipe the device
Exposed Debugging Interfaces | UART; JTAG; SPI; USB; I2C
Device Authentication and Identification | Device spoofing; identity tampering; pairing attacks; session hijacking; brute force; device impersonation; weak identifiers; insecure cryptography; backdoor accounts; default credentials
Side Channel Attacks | Power-analysis (power consumption) attacks; timing attacks
Denial of Service | Battery drain; disabling the device; bricking the device
Network Traffic | Sniffing; MITM attacks; message integrity; replay attacks; insecure usage of protocols (e.g. MQTT, XMPP); identity/event/data spoofing; privilege escalation
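Two of the rows above, Firmware Extracting & Reversing and Local Data Storage, come down in practice to pulling an image off the device (via a debug interface, a dumped flash chip, or a downloaded update) and sweeping it for hardcoded credentials, keys, URLs and identifiers. The script below is an added example, not AppSec Labs' tooling and not taken from the page: it performs the first-pass sweep a tester runs after extraction, a strings(1)-style pass plus targeted patterns, over a small constructed root-filesystem fragment embedded inline. All names, values and the `.test` hostname in the sample are made up for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample "firmware image": a fragment of an unpacked root filesystem
# seeded with the kinds of secrets the Local Data Storage row lists. Made-up data
# for illustration, not a real product's firmware (.test is a reserved TLD).
SAMPLE_FIRMWARE = b"".join([
    b"\x7fELF\x02\x01\x01" + b"\x00" * 25,                 # binary header noise
    b"root:$6$saltsalt$Qh3V0m5P4h8yI5tC9k2Xr1nQ.2uT7hL0aB9dE3fG4hJ6kL8mN0pR2sT4vW6yZ8aC0eG2iK4mO6qS8uW0yA2cE4gI6kM8oQ0:18000:0:99999:7:::\n",
    b"admin:x:0:0:admin:/:/bin/sh\n",
    b"\x00\x00WIFI_PSK=CorrectHorseBatteryStaple\x00",
    b"cloud_url=https://api.example-iot.test/v1/telemetry\x00",
    b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA7vJ...\n-----END RSA PRIVATE KEY-----\n",
    b"serial=SN-0000-DEMO-0001\x00",
    b"\xff" * 16,
])

# One pattern per secret class. Byte regexes so the raw image can be scanned as-is;
# the lookbehind on shadow_hash avoids relying on a preceding newline, since
# extracted images rarely have clean line structure around embedded files.
SECRET_PATTERNS = {
    # /etc/shadow-style entry with a crypt(3) hash: user:$id$salt$hash:
    "shadow_hash": re.compile(rb"(?<![\w-])([\w-]{1,32}:\$\w+\$[^:\n]+):"),
    # PEM private key headers (RSA, EC, DSA, OpenSSH, PKCS#8, encrypted PKCS#8)
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    # Plaintext credential assignments such as PSK=..., password: ..., api_key=...
    "plaintext_credential": re.compile(
        rb"(?i)(?:passw(?:or)?d|pwd|psk|secret|api[_-]?key|token)\s*[=:]\s*([^\s\x00\"']{4,})"),
    # Embedded endpoints: cloud APIs, update servers, MQTT brokers
    "url": re.compile(rb"(?:https?|mqtts?|ftp|tftp|wss?)://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+"),
    # Per-device identifiers that should never be baked into a shared image
    "device_id": re.compile(
        rb"(?i)\b(?:serial(?:_?no|_?number)?|device_?id|mac(?:_?addr(?:ess)?)?)\s*[=:]\s*([A-Za-z0-9:-]{6,})"),
}


@dataclass
class Finding:
    category: str
    offset: int    # byte offset into the image, for locating the hit in a hex editor
    evidence: str  # the matched value (or whole match when no value group exists)


def extract_strings(image: bytes, min_len: int = 8) -> list[str]:
    """strings(1) equivalent: runs of printable ASCII at least min_len bytes long."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)]


def scan_firmware(image: bytes) -> list[Finding]:
    """Run every secret pattern over the raw image and return hits sorted by offset."""
    findings = []
    for category, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(image):
            # Report the captured value when the pattern has one, else the full match
            text = m.group(1) if m.lastindex else m.group(0)
            findings.append(Finding(category, m.start(), text.decode("ascii", "replace")))
    return sorted(findings, key=lambda f: f.offset)


if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_FIRMWARE):
        print(f"0x{f.offset:06x}  {f.category:<21} {f.evidence}")
    print(f"{len(extract_strings(SAMPLE_FIRMWARE))} printable strings of 8+ chars")
```

In a real engagement the input is the filesystem carved out by binwalk/unsquashfs or a raw flash dump, and each hit is a lead rather than a conclusion: a shadow hash goes to a cracker to test for default or shared root credentials, a PEM block means checking whether the key is shared across every unit (and then trying it against the server side), and a baked-in serial or PSK feeds the Device Authentication row. The pattern approach has an obvious gap: keys stored as raw bytes or lightly obfuscated will not show up, so the next step is an entropy sweep plus reversing the binaries that reference the storage paths.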