What is IoT Penetration Testing?

With the rise of the Internet of Things (IoT), Internet-connected devices are becoming more pervasive in every organization, so it makes sense that more is being done to assess the risk and implement security controls for these devices. Both the organizations that produce IoT devices and the organizations that incorporate them into their networks have responsibilities when it comes to securing them. Whether it’s your smart refrigerator, the smart televisions in your conference rooms, or the thermostats, when they are part of your corporate network they can impact your network security posture. IoT penetration testing and security assessments are an important part of understanding the risk these connected devices pose to your organization.

If your company is producing IoT devices, you should be assessing the security of your products before putting them into production and selling them. This includes everything from the default installation settings of your devices and their physical security to the software and application-level security and the security lifecycle (how are you going to update them, how should they be installed/hardened, etc.).

If your organization uses these devices on its network, you have to realize that IoT devices are rarely plug and play, and that they represent additional attack surface on your corporate network. Due diligence must be done to evaluate these products before placing them on your network. They need to be hardened and secured when they are installed, and they should always be isolated/segmented on your network whenever possible.

How Do You Perform IoT Penetration Testing?

Let’s start with companies that produce IoT devices, as the answer is a little more complex. For Internet-connected products that clients will be incorporating into their network, you should absolutely be considering a third-party security assessment as part of your development plan. Not only will this give you some confidence that the security controls you’ve incorporated into a device over the product development lifecycle are effective, but it can also provide you with some proof that you can show your customers, stating that “Yes, we’ve had this product tested and here are the results.” When we perform IoT penetration testing and security assessments for clients, the activities included in the assessment will be largely determined by that particular product’s intended use, its attack surface, and the threat model associated with it. Many times, an assessment will include:

  • A security best practice gap analysis on the development, maintenance, and support processes
  • Network-level penetration testing of a device when it is operating on the network
  • Application-level penetration testing of software/applications hosted and accessible on the device when it is operating
  • API penetration testing of any associated public/private APIs that the device interacts with
  • Wireless penetration testing of any temporary or permanent wireless communications used, to include Bluetooth, ZigBee, and any custom protocols

As you can see, for an IoT vendor, this is a very holistic assessment that provides a good picture of the risks associated with a product. Then, satisfactory controls can be put in place to help mitigate these risks, even if that means simply updating customer documentation to shift responsibility. The goal is to have the product operate in a secure manner.

For businesses that are worried about IoT devices they’ve already got on their network, there are two primary steps to understanding and mitigating your risk here. The first is to attempt to identify and inventory all IoT devices currently on your network. This should be pretty straightforward if you have these devices in their own segment already, but can be a real pain if they are a part of your general device population. Then, once you’ve got a good handle on what you have, an internal penetration test can help assess the risk associated with those devices on your network, since a testing team will be looking for things like default credentials and information leakage that can affect your security posture. If you want to learn more about the security of your IoT devices in either of these scenarios, we’d be happy to discuss further!
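Once a device inventory exists, the advice above to keep IoT devices isolated/segmented can be checked mechanically. The following is an added example, not part of the original article: it audits a constructed inventory against a dedicated IoT subnet and reports devices that break the separation. The subnet, the device names and the `kind` labels are all assumptions.

```python
import ipaddress

# Assumption: the subnet(s) reserved for IoT devices (constructed value).
IOT_SEGMENTS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample inventory, e.g. exported from DHCP leases or an asset
# database. The "kind" label is an assumption about how devices are tagged.
INVENTORY = [
    {"name": "conf-room-tv-1", "ip": "10.20.30.15", "kind": "iot"},
    {"name": "lobby-thermostat", "ip": "10.10.5.77", "kind": "iot"},
    {"name": "breakroom-fridge", "ip": "10.10.5.91", "kind": "iot"},
    {"name": "hr-laptop-042", "ip": "10.10.5.23", "kind": "workstation"},
    {"name": "build-server", "ip": "10.20.30.200", "kind": "server"},
    {"name": "unknown-device", "ip": "not-an-ip", "kind": "iot"},
]


def in_iot_segment(addr, segments):
    """True if the address falls inside any dedicated IoT subnet."""
    return any(addr in net for net in segments)


def audit_segmentation(inventory, segments=IOT_SEGMENTS):
    """Sort inventory entries into segmentation findings.

    iot_outside_segment:    IoT devices mixed into the general population.
    non_iot_inside_segment: other hosts sharing the IoT segment.
    unparseable:            entries whose address cannot be checked at all.
    """
    findings = {"iot_outside_segment": [], "non_iot_inside_segment": [],
                "unparseable": []}
    for dev in inventory:
        try:
            addr = ipaddress.ip_address(dev["ip"])
        except ValueError:
            # A bad record is itself a gap in the inventory; report it.
            findings["unparseable"].append(dev["name"])
            continue
        isolated = in_iot_segment(addr, segments)
        if dev["kind"] == "iot" and not isolated:
            findings["iot_outside_segment"].append(dev["name"])
        elif dev["kind"] != "iot" and isolated:
            findings["non_iot_inside_segment"].append(dev["name"])
    return findings


if __name__ == "__main__":
    for category, names in audit_segmentation(INVENTORY).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```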