IoT penetration testing specifics from a certified ethical hacker with 5+ years of experience.

With the growing risk to IoT security, penetration testing vendors receive multiple requests from companies and individuals who want their IoT environments tested against potential cyber-attacks. Security service providers usually don’t have dedicated IoT penetration testing specialists, so the work has to be performed by a regular security team. What are the specifics of IoT penetration testing? Let’s dig deeper into the topic.

Basic IoT architecture

Tapping into IoT penetration testing, security engineers may wrongly consider this domain less challenging, since an IoT environment lacks the most common vulnerability: human error (according to CompTIA, this is the major cause of 52% of security breaches). Most Internet attacks involve a user clicking a malicious link or opening an infected email. In an IoT environment there is no one to lure, so it seems harder to break into. This supposition is deceptive. Here’s what CSO says about IoT breaches in 2017: “Aruba Networks, Hewlett Packard Enterprise’s wireless networking subsidiary, has revealed that 84 percent of companies have already experienced some sort of IoT breach in a new study involving over 3,000 companies across 20 countries”. Intruders have more opportunities to breach an IoT system, because its architecture comprises a number of elements, each of which is a potential target.

Typically, an IoT architecture consists of the following components:

  • Things: Smart devices equipped with sensors and actuators.
  • IoT field gateways: Border elements that provide connectivity between things and the cloud part of an IoT solution.
  • Cloud gateways: Components facilitating data compression and transmission between the gateways and cloud servers.
  • Streaming data processor: An element ensuring a smooth transition of input data to a big data warehouse and control applications.
  • Data storage: Consists of a data lake (stores unprocessed data in the form of “streams”) and a big data warehouse (stores filtered and structured data, as well as context information about smart devices, sensors, commands from control applications).
  • Data analytics: A unit that uses information from the big data warehouse to establish data patterns and gain meaningful insights.
  • Machine learning: Generates and regularly updates models based on the historical data accumulated in the big data warehouse; these models are used by control applications.
  • Control applications: Components that send automatic commands and alerts to actuators.
  • Client-server system: Consists of a user business logic component (the server side), a mobile application and a web application (the client side).

Full-scale IoT penetration testing goes beyond smart devices and should cover all IoT system elements.

Testing IoT components

Let’s take a closer look at what exactly should be tested.

Things

Penetration testing is executed on the following elements of things:

  • UART, JTAG and SWD debug ports: Exposed ports can give a pentester root access to the device and allow sensitive data to be viewed and modified.
  • Flash memory chips: Checked to determine whether the firmware can be dumped.
  • Bus sniffing: Clear-text data exchanged between on-board components can be captured, exposing sensitive information.

Additionally, pentesters check external peripheral devices (headphones, keyboards, mice, etc.), as they connect to the thing over USB and may introduce vulnerabilities of their own.
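As an added illustration of the flash-memory check above (example code, not from the original article), the script below runs a per-block Shannon entropy scan over a constructed sample image to show which regions of a dumped firmware image are readable in the clear, which is the question an assessor asks once a dump is possible. The sample image layout and the entropy thresholds are assumptions.

```python
import hashlib
import math
from collections import Counter

def build_sample_firmware():
    """Constructed image: plaintext strings, erased-flash padding, then pseudo-random bytes."""
    line = b"MODEL=sensor-gw-01;FW=1.2.3;UART=1\n"
    plain = (line * 100)[:2048]            # exactly two 1 KiB blocks of readable text
    padding = b"\xff" * 1024               # one block of erased flash
    stream = b""
    counter = 0
    while len(stream) < 4096:              # deterministic high-entropy filler (stands in for encrypted data)
        stream += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return plain + padding + stream[:4096]

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_block(entropy):
    """Thresholds are assumed heuristics, in the spirit of common firmware-analysis tooling."""
    if entropy < 1.0:
        return "padding/erased"
    if entropy < 6.0:
        return "plaintext (code/strings)"
    if entropy < 7.2:
        return "compressed?"
    return "encrypted/random"

def scan_firmware(image, block_size=1024):
    """Return [(offset, entropy, label)] for each block of the image."""
    report = []
    for offset in range(0, len(image), block_size):
        h = shannon_entropy(image[offset:offset + block_size])
        report.append((offset, round(h, 2), classify_block(h)))
    return report

def plaintext_fraction(report):
    """Share of blocks an assessor would flag as readable in the dumped image."""
    flagged = [r for r in report if r[2] == "plaintext (code/strings)"]
    return len(flagged) / len(report) if report else 0.0

if __name__ == "__main__":
    for offset, h, label in scan_firmware(build_sample_firmware()):
        print(f"0x{offset:06x}  {h:5.2f}  {label}")
```

A real dump would be read from the flash image file instead of `build_sample_firmware()`; a high plaintext fraction means the device's firmware offers no protection at rest.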

IoT field gateways and the cloud part

IoT field gateways, cloud gateways, the streaming data processor, data storage, data analytics, and the web, mobile and control applications are tested using the following black-box stages:

  • Reconnaissance
  • Scanning
  • Enumeration
  • Gaining access
  • Privilege escalation and maintaining access

Ideally, the server side of the client-server system (the user business logic component) should be tested using a white-box approach. Having access to the code allows a pentester to understand and check all business functions of the application. This component can also be tested black-box when the pentester has no access to the code.