(I)IoT Security News
Hacks, IoT Security, News

Pentester’s Guide to IoT Penetration Testing

IoT penetration testing specifics from a certified ethical hacker with 5+ years of experience.

With the growing risk to IoT security, penetration testing vendors face multiple queries from companies and individuals, who want their IoT environment to be tested against potential cyber-attacks. Usually, security service providers don’t have specialists in IoT penetration testing, so it must be performed by a regular security team. What are the specifics of IoT penetration testing? Let’s dig deeper into the topic.

Basic IoT architecture

Tapping into IoT penetration testing, security engineers may wrongly consider this domain less challenging, as the IoT environment doesn’t have the most common vulnerability: human error (according to CompTIA, this is the major cause for 52% of security breaches). Most Internet attacks involve a user clicking a malicious link or opening an infected email. With IoT environment, there is no one to lure, so it’s harder to break into. This supposition is deceptive. Here’s what CSO says about IoT breaches in 2017: “Aruba Networks, Hewlett Packard Enterprise wireless networking subsidiary, has revealed that 84 percent of companies have already experienced some sort of IoT breach in a new study involving over 3,000 companies across 20 countries”. Intruders have more opportunities to breach an IoT system, as its architecture comprises a number of elements that become potential hacker’s targets.

Typically, an IoT architecture consists of the following components:

Full-scale IoT penetration testing goes beyond smart devices and should cover all IoT system elements.

Testing IoT components

Let’s take a closer look at what exactly should be tested.

Things

Penetration testing is executed on the following elements of things:

Additionally, pentesters check external peripheral devices (headphones, keyboard, mouse, etc.), as they are connected to the thing via USB access and may contain hidden vulnerabilities.

IoT field gateways and the cloud part

IoT field gateways, cloud gateways, streaming data processor, data storage, data analytics, web, mobile and control applications are tested with the help of the following black box technique stages:

Ideally, the server side of the client-server system (user business logic component) should be tested with white box technique. Having access to the code allows a pentester to understand and check all business functions of the application. This IoT component may as well be tested with a black box, in case a pentester doesn’t have access to the code.

Source

http://feedproxy.google.com/~r/infosecResources/~3/dJreZ5zBz5s/

Related posts

Cisco Secure Client Carriage Return Line Feed Injection Vulnerability

(I) IoT
9 months ago

Siemens SPPA-T3000

(I) IoT
5 years ago

GE Ultrasound products

(I) IoT
5 years ago
Exit mobile version