Internet of Things (IoT) Penetration Testing
In addition to a multitude of new possibilities, the Internet of Things also harbors many risks and is exposed to various attack vectors. In both private and industrial applications, the devices communicate via backend interfaces that need to be secured. In addition, the devices have firmware that could potentially be vulnerable or replaceable, which could enable circumvention of protection mechanisms. Sensitive information such as passwords and cryptographic keys must be securely stored on the device and protected from being read. It is not uncommon for IoT devices to be remotely controlled and monitored via an app, which creates another potential gateway.
To verify the security of such IoT devices, we offer IoT penetration tests. In the course of such a penetration test, a combination of different test methods is applied, which are based on the OWASP IoT Top 10 and the OWASP IoT Security Verification Standard. First, the IoT device itself is checked for vulnerabilities and it is determined whether sensitive data or the firmware can be read and manipulated. Then the communication connection to the backend server is checked and tested by means of a man-in-the-middle attack. Then, if available, the associated mobile applications (iOS und Android) are checked. Finally, the penetration test of the backend is performed, using the methodology for performing webapplication and web API penetration tests.
