User Interfaces and Controls

Many IoT devices allow users to input data or retrieve information through mechanisms such as touchscreens, microphones or cameras. Hidden areas for system configuration or updates may expose sensitive information or allow for device manipulation by attackers.

As part of the IoT penetration test, we:

• Assess the user interfaces of your IoT device for potential vulnerabilities
• Verify whether access to protected areas or unauthorized device manipulation is possible
• Optionally analyze mobile apps and desktop applications used to control the device

Wireless Interfaces

To connect IoT devices with each other, appropriate network interfaces are required. Wireless standards provide flexible and scalable setups. However, wireless connections can pose significant security risks. The extended range and flexibility of wireless communication make it easier for potential attackers to intercept communication, manipulate data or remotely connect to the devices.

Our state-of-the-art IoT test lab is equipped to thoroughly examine your devices and identify vulnerabilities in the following wireless interfaces:

• Wi-Fi
• Bluetooth und Bluetooth Low Energy
• ZigBee (e.g., in smart home applications)
• LoRaWAN (e.g., for connecting sensor technology to the internet)
• Mobile networks (2G-5G)
• RFID and NFC (e.g., for inventory management, access control or payment systems)

Physical Interfaces

In addition to wireless interfaces, wired connections are often used, especially when real-time communication is required. Since these interfaces are often accessible without manipulation of the device, they are of particular interest to attackers.

Our team of experts will analyze:

• External interfaces like Ethernet, USB or OBD-II
• Methods for external access to internal device functions such as firmware or sensitive data
• Ways to manipulate the overall behavior of the device

On-Board and Debugging-Interfaces

Embedded devices feature various interfaces and bus systems, used both for internal data transfer between microprocessors and memory modules as well as for error analysis or firmware updates.

Using state-of-the-art laboratory equipment, our experts analyze your IoT devices down to the circuit board and examine:

• The security of various bus systems (e.g., SPI and I²C)
• The protection of debugging interfaces (e.g., JTAG and UART)
• The authentication and encryption methods employed
• Potential ways to read or manipulate the data processed by the device or its firmware, such as passive eavesdropping on bus systems or active attacks bypassing security measures through fault injection

Memory, Firmware and Firmware Update Process

The firmware of an IoT device governs its behavior, such as processing of sensor and various other inputs, or storing data in memory. Firmware files often contain sensitive information and manufacturer’s intellectual property. Functional and security updates can be carried out through various methods, such as:

• Via local interfaces such as USB, UART or JTAG
• Through "Over-the-Air" (OTA) updates using Bluetooth or ZigBee

As part of our IoT penetration testing, we offer the following services:

• Firmware analysis and examination of the update mechanism
• Evaluation of device behavior during manipulation of firmware updates
• Identification of vulnerabilities, configuration errors and ways to extract of sensitive data
• Reading of memory modules and analysis of stored data

Services and  IoT-Protocols

The connectivity of IoT devices is facilitated through various protocols, such as those used for exchange of operational and telemetry data, to perform maintenance and diagnostics or to enable remote management. If secure transmission channels are not employed for these connections, attackers may intercept or alter data, or impersonate communication partners, thereby manipulating the communication flow (known as man-in-the-middle attacks).

To ensure a comprehensive approach, we not only examine the components and interfaces of your device but also assess:

• The passively captured connection data
• The direct manipulation of the communication
• The backend of the system under test, if desired

During the first phase of the penetration test, test objectives as well as organizational, technical and legal aspects are coordinated with the client. This involves collecting key device data and reviewing architecture diagrams of the IoT ecosystem, along with technical specifications of the device and interfaces, and, where applicable, circuit and block diagrams. Based on this information, the components and functions to be tested, as well as the testing approach, are coordinated with the client.

The results of this phase are documented in a contract, which serves as the legal basis for the penetration testing engagement.

In phase 2, the information and documents provided by the customer are examined in detail.

Additionally, in this phase, the initial test setup is carried out. The testing team prepares the device to be tested, along with any necessary peripherals, simulators and test equipment. This also includes testing any provided software, login credentials and files such as update packages.

Based on the information gathered during previous phases, the list of planned test cases - and therefore the time required - can be adjusted for selected components according to their relevance. This involves identifying, analyzing, and prioritizing potential threats and attack vectors (e.g., based on damage potential, likelihood of success and possible impacts).

Following the initial analyses, active intrusion attempts are conducted. For this purpose, selected test cases for each device component in scope will be executed.

The tests are conducted in a state-of-the-art test lab using specialized equipment tailored to the specific technologies.

 If a test case reveals a (potential) vulnerability, its exploitability and impact are examined:

• Exploitability refers to conditions affecting the success of an intrusion attempt, such as the accessibility of the vulnerable component, required permissions and expertise, safeguards and protection mechanisms, etc.
• Impact refers to the consequences that a successful attack would have, e.g., on confidentiality, integrity and availability of systems, user accounts or data

Furthermore, evidence is gathered for each vulnerability, such as screenshots or step-by-step instructions to reproduce the attack or provoke specific system behaviors.

All tests are mainly carried out manually.

The penetration test is concluded with the Final Analysis and Clean-Up Phase. During the final analysis, all results from the previous phases are compiled into a detailed report, including:

• A summary of the test approach and findings, including an overall assessment of the security level of the test subject
• A detailed description of each discovered vulnerability, including proof-of-concept and screenshots
• An evaluation of each vulnerability in terms of its severity
• General recommendations for remediation or mitigation of the identified vulnerabilities

If necessary, remnants of the test activities are also removed in this phase.