IoT Penetration Testing helps Identify IoT Weaknesses
The Internet of Things (IoT) is growing at pace and organisations all over the world are starting to realise the benefits these embedded devices can bring to their operations, as well as their employees/customers.
Security of such devices is vital, especially when they are processing sensitive data, where they have access to critical networks/systems within an organisation, or crucially, where a potential breach may endanger health.
IoT Penetration Testing
We can provide security assurance and penetration testing at any stage during the IoT development lifecycle, however, the earlier you can engage with security testing, the more beneficial it will be. We are also a cetification body for the IoT Security Certification Scheme. We would recommend engaging at one, or ideally both, of the following stages:
Design phase: This is the ideal place to start engaging with security testing. At this stage, we would work with your team to offer expert consultancy, ensuring your device is 'secure by design' and to help prevent potentially costly security mistakes from being made at the very earliest point. We would help you following the NCSC's guidance on IoT security and ensuring that compliance with new standards of IoT security would be simplicity.
Minimal Viable Product: We would recommend conducting more robust testing on the physical device prototype at this point. This will ensure that any security issues are rectified before costly manufacturing orders are placed or supply chains are established.
How IoT Penetration Testing is Performed
Our embedded/IoT device testing can be conducted onsite or remotely, depending on your requirements. In the case of physical testing, we would require access to a minimum of two devices and clients must accept the cost of any potentially broken devices during testing.
During these times, with the Covid pandemic, we advise remote testing where ever possible. Your IoT devices can be safely couriered to our secure, ISO27001 certified operations center for testing.
What we Test For
Embedded devices can be complicated in nature and no two devices are the same. Our testing is tailored to the device under review and our consultants will undertake whatever testing is necessary to fully assess the security of the entire IoT system. This could include:
The following shows the areas of a device that could also be tested as part of our assessments:
[+] Firmware & hardware: Test/degbug points, anti-tamper protections, operating system hardening, default credentials, network services, APIs & network traffic interception.
[+] Ecosystem: Cloud services/APIs, mobile application and update/upgrade process.
[+] Protocol fuzzing: Device protocol APIs, industry standard protocols, proprietary protocols, network, file, advanced debugging and stack tracing.
Penetration Testing can be performed Internally within your corporate network or Externally over the Internet
Remote Penetration Testing
Traditionally, Penetration Tests have been conducted onsite where a our consultant would visit your office and physically connect to the network infrastructure to perform the assessment. With the issues faced around the Coronavirus situation, we have released our client portal, a technology-led alternative to having a consultant visit site.
We are offering a Remote Penetration Test where the whole engagement is performed without the need to visit the customer site. You can either download a Virtual Machine image that can be installed within the corporate network or be shipped a standalone network appliance.
Both solutions create a secure channel to the Hedgehog Security Operations Centre where the assigned consultant can then command the image or appliance in the same way as they would if they had their laptop on site.
All data collected during the test is held securely at our ISO27001 Operations Centre allowing the consultant to perform the assessment and upload the results to the client portal.
Explore the Demo Portal
Use the link in the top right to log into the portal. The credentials are:
Username: email@example.com Password: Demo-Password-2021
Hedgehog Security places great emphasis on the quality, reliability, and security of the services it offers. We are fully regulated by CREST, the Council for Regitered Ethical Security Testers and are authorised to deliver Cyber Security Consulting along with Penetration Testing, Vulnerability Scanning and IT Health Checks.
Get in Touch
Kindly fill the form and we will get back to you.