Why test IoT systems?
Historically, IoT systems were never connected and not exposed to a hostile environment. Now that these devices are getting connected to the internet, engineers and developers are suddenly required to ensure that the device is capable of facing an extremely hostile environment where everything can (and will) be used against it.
As one can imagine, dealing with this hostile environment is no trivial task, and mistakes are often made that enable hackers to abuse the devices for their own malicious goals. Even when you consider your IoT device to be “unimportant”, it can still be of interest to a hacker with malicious intentions. The attacker might make the devices part of a larger botnet (e.g. the Mirai botnet), use the device as a stepping stone to compromise other systems within the same local network (e.g. URGENT11), or even use it to fake a sensor value, leading other systems that rely on the input of the sensors to automatically make decisions which (in the end) lead to catastrophic failures with very serious physical and safety consequences (e.g. the TÜV Rheinland battery hacking vulnerabilities). The scenarios are near endless, and every IoT device should consider itself a target.
In addition, the IoT market in general is highly competitive and very poorly secured. Those vendors that can prove they take security and safety seriously can use this as a unique selling point.
How can we help?
Qbit can help you deal with this new and hostile environment your engineers and developers are currently facing. At Qbit we employ ethical hackers who take on the role of the bad guy and expose your device to an extremely hostile environment, where state-of-the-art tools and techniques as well as manual and custom checks are used by professional hackers to find vulnerabilities in your IoT device and any of the related applications and cloud services. Instead of then exploiting those vulnerabilities for our own goals, we inform you of the discovered vulnerabilities in detail (reproduction steps, evidence, impact, probability, overall risk etc.) and provide recommendations on how to fix these vulnerabilities.
In addition to the above we also provide:
- Training for engineers and developers to learn secure coding techniques.
- Hacking workshops to show how a hacker thinks and what you should prepare for.
- Design reviews
- Code reviews
Qbit uses a risk-driven testing approach at all times. This means that the attack surface which is most likely to impact a large number of devices if a vulnerability is found, or is most likely to be attacked by malicious actors, is tested first and most thoroughly (e.g. a network service that can be attacked from the internet using commonly available tools and techniques will be tested more intensively than a Bluetooth protocol which requires specific hardware and an attacker to be within 10 meters of the device).
But we don’t stop there: we also use advanced techniques such as hardware hacking to connect to JTAG, UART or similar hardware-level debug interfaces, read out memory chips like EEPROM, and use glitching techniques and logic analyzers to find information and vulnerabilities at the hardware or operating system level of the device (e.g. getting access to a root shell, finding custom binary executables, encryption keys, private certificates, hardcoded passwords, file system etc.). The gained information is then analyzed or (partially) reverse engineered and used as input to stage further attacks from all possible attack vectors. (For example, a backdoor account discovered by hardware hacking, which is the same on all devices, can then be used to perform an attack on all devices over the internet!)
As devices are often part of a solution which also communicates with a back-end system and uses a (mobile) application, traffic between the device and related software or servers is also inspected to find vulnerabilities. When possible (depending on scope and time constraints) the mobile application and back-end servers are also briefly checked for vulnerabilities. If it is required to fully check the mobile application and back-end server, Qbit makes use of the infrastructure or application assessment.
In addition to our own testing methodologies and checklists, Qbit uses the ‘Baseline Security Recommendations for IoT’ of ENISA (November 2017) as a reference for testing the security of (IoT) devices.
Benefits of a Device assessment
- Find out if your systems are secure.
- Insight into the inherent level of security and real vulnerabilities.
- Practical and feasible recommendations.