The Internet of Things brings smart functionality to millions of devices, but with Wi-Fi and connectivity comes risk. Millions of organizations now face vulnerabilities from Internet of Things devices. IoT pentesting allows you to find and resolve those vulnerabilities, hopefully before non-ethical hackers do. The risk keeps growing, because every new device adds to its volume and complexity. Additionally, many devices, ranging from printers to lights to ultra-fast Wi-Fi routers, pose real risks to business because they add numerous access points, even through firewalls.

Most importantly, while much of the burden of securing IoT falls on the developer, many IoT vulnerabilities relate to configuration, updates, and device management. Both IoT developers and deployers need to be aware of the security risks posed by devices, so that both can take steps to provide the most secure environment possible. This remains true whether you’re using an out-of-the-box solution, modifying or integrating IoT, or building a new solution to bring to market.  

Why Pentest IoT Devices?  

Gartner suggests that some 20 billion IoT devices are already in use. If you add in smartphones, you have to add more than 3.5 billion to that number. Today’s digital networks are device rich, and each of those devices poses a vulnerable access point which a hacker could potentially exploit. In fact, according to Symantec:  

  • IoT attacks have increased over 1000% since 2016 
  • Routers and smart security cameras are most frequently attacked (90% of attacks)  
  • IoT threats like Mirai leverage dozens of exploits at once to find the fastest access point
  • Over 200 million IoT attacks were tracked in 2020 
  • 57% of enterprise IoT devices have medium or severe vulnerabilities  

IoT devices are rapidly becoming the norm. Security simply hasn’t kept up. Pentesting can help you to determine if your devices are vulnerable and how. In turn, pentesting gives you the knowledge you need to resolve those vulnerabilities to create a secure IoT environment. And, chances are, if you review IoT devices on your network, including routers, smart printers, automation, etc., there are more than you think.  

Pentesting IoT Devices  

If you’ve installed smart devices such as lights, routers, tablets, Point of Sale, etc., you have vulnerabilities. In most cases, you won’t have permission to pentest the software or framework used by the device. You can, however, test the deployment on your network, your security settings and configurations, and device security on your network. A pentest examines those areas to look for potential weaknesses or vulnerabilities.

For example, an OWASP Top 10 IoT pentest will search for:  

  • Weak passwords – Guessable or easily brute-forced passwords  
  • Hardcoded passwords – Publicly available, unchangeable credentials, such as firmware backdoors and client software granting access to deployed systems  
  • Network services – Network services compromising the confidentiality, integrity, or availability of information, or which allow unauthorized access or remote control  
  • Ecosystem Interfaces – Web, backend API, cloud, or mobile interfaces compromising the device or its components. These often include authentication/authorization problems, encryption issues, and input/output filtering.  
  • Updates – Ability to securely update the device, such as firmware validation, secure delivery, anti-rollback mechanisms, and notifications of security changes 
  • Components – Insecure or outdated components such as software, libraries, customization, third-party apps, etc.  
  • Privacy – Private data stored on the device or in an ecosystem/network without proper security controls or permissions  
  • Data Security – Data encryption and access control during storage, transit, and processing  
  • Device Management – Security support on deployed devices, including asset management, update management, systems monitoring, response capabilities, and decommissioning  
  • Default Settings – Insecure default settings that might still be on the device 
  • Physical Hardening – Physical hardening measures to prevent hackers from scoping devices or taking local control of devices  

Ultimately, the level and depth of your IoT pentest will heavily depend on your organization, number of devices, and technology. If you’re using open-source, you can always test the software itself. Otherwise, you’ll have to test your network, configurations, and setup around it. All IoT is different. In addition, any plugins, modifications, or third-party software you’ve installed will change your security.

In most cases, this assessment of your network, configurations, and setup is included in a standard blackbox pentest. If you include the IP addresses used by your IoT devices in the scope of the pentest, they will be tested as part of the standard process. For example, if you request a standard Level 3 pentest from Cyver, we automatically assess all IoT devices using the IP addresses in scope.

Here, scope is important. Most businesses focus on their web application. At the same time, IoT and other trends mean it’s increasingly important to check not just your website, but the full scope of network presence for all IP addresses. 
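
One way to check that scope before a test begins is to compare your IoT asset inventory against the IP ranges listed in the scoping document. The script below is an added example, not part of the original article or any Cyver tooling; the device names, addresses, and scope entries are constructed sample data.

```python
import ipaddress

# Constructed sample data: scope entries as they might appear in a pentest
# scoping document, and an IoT asset inventory (all values hypothetical).
SCOPE = ["203.0.113.0/28", "10.20.0.0/24", "10.30.5.17"]
INVENTORY = [
    {"name": "lobby-camera", "type": "camera", "ip": "10.20.0.41"},
    {"name": "edge-router", "type": "router", "ip": "203.0.113.1"},
    {"name": "floor2-printer", "type": "printer", "ip": "10.30.5.18"},
    {"name": "pos-terminal-3", "type": "pos", "ip": "10.30.5.17"},
    {"name": "smart-lights-hub", "type": "lighting", "ip": "10.40.1.9"},
    {"name": "badge-reader", "type": "access", "ip": "not-assigned"},
]


def parse_scope(entries):
    """Turn CIDR blocks and single addresses into network objects."""
    # strict=False accepts entries such as 10.20.0.5/24 with host bits set.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def scope_gaps(inventory, scope_entries):
    """Split devices into in-scope, out-of-scope and unresolvable."""
    networks = parse_scope(scope_entries)
    result = {"in_scope": [], "out_of_scope": [], "unknown_ip": []}
    for device in inventory:
        try:
            addr = ipaddress.ip_address(device["ip"])
        except ValueError:
            # No usable address recorded: it cannot be scoped until fixed.
            result["unknown_ip"].append(device["name"])
            continue
        # An address never matches a network of the other IP version.
        covered = any(addr in net for net in networks)
        result["in_scope" if covered else "out_of_scope"].append(device["name"])
    return result


if __name__ == "__main__":
    for bucket, names in scope_gaps(INVENTORY, SCOPE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices reported as out of scope or without a recorded address are the ones a standard test would pass over, so resolve them with the tester before the engagement starts.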

Ensuring that IoT isn’t adding vulnerabilities to your business is important. Hackers can easily access systems through smart routers, printers, and cameras. If you’re ready to look at your own security, we can help. Cyver delivers pentest-as-a-service, with findings delivered through our cloud tool. Developers and IT security will directly receive findings as tickets, so they can immediately get started on resolving issues. And, once they’re done, we’ll automatically retest for free to ensure your vulnerabilities are resolved. If you’re ready to learn more, visit our about us page, or check our pricing. Pentesting IoT devices is a lot simpler with findings as tickets to help you resolve issues.  

IoT Developers – Developers and software companies remain responsible for platform and web app security for their devices. This means going through the normal cycle of checking code. It also means using pentesting to perform external checks to review the security of the external web application, customer portals, etc. Cyver can help with both code review and a pentest of your web applications. If you’re interested, contact us and we’ll customize a pentest to meet the specific needs of your software and its users.