Internet of Things Assessment
The Internet of Things describes various everyday objects or industrial machines that are connected to the Internet. These (“smart”) devices usually act automatically and autonomously, collecting information about themselves and their environment and sending it to other networked devices for evaluation. Many of the networked devices also provide the user with a web application that allows the devices to be operated and controlled from any location.
Testing Internet of Things (IoT) devices differs in some aspects from classical penetration testing. In an IoT assessment, several types of penetration tests are usually performed. This is because an IoT environment consists of several components such as a mobile application and possibly a web application, a backend (cloud) and a gateway.
In the IoT Assessment we conduct, all areas of the IoT environment are examined for vulnerabilities using penetration testing (simulated hacker attacks). The exact form of the analysis is determined individually.
We assist you with:
- Information gathering: identification of the installed hardware components and interfaces
- Analysis of common device interfaces such as UART, JTAG, SWD, USB
- Analysis of the memory chip (readout of firmware and sensitive data)
- Analysis of the network communication (Bluetooth Low Energy, ZigBee, WLAN, MQTT, HTTP(S), TCP, …) as well as scanning of the target object and identification of its services
- Check of the web application of the device according to the description “Web Application Security Pentest”.
- Brute-force attacks on login services, as well as cracking of any password hashes on our graphics card cluster
- Check of the mobile app according to the description “Mobile Application Security Pentest”.
- Search for known vulnerabilities and configuration errors as well as validation and exclusion of false positives
- Detailed results report with proposed measures in the format you prefer
- Web Application Security Penetration testing
- Penetration testing of mobile apps
- Penetration testing of fat clients
Static code analysis can be a supplement or alternative to penetration testing:
The Big Application Security Penetration Testing FAQ for Clients provides answers to many important questions concerning the commissioning of penetration tests.