Hardware & embedded software testing
The Internet of Things (IoT) is one of many exciting innovations that connects humans with technology, both at home and in business. It offers the potential for seamless interaction between humans and any device. Combined with machine learning and artificial intelligence, IoT creates vast opportunity for innovators, law-abiding citizens, mischief makers and criminals alike. Given the number of cybersecurity breaches reported each day, the well-publicised lack of investment in security and a shortage of security staff, one may ask whether the benefits of IoT can be achieved safely, or is more consideration needed to understand IoT risk?
A (IoT) device typically consists of a physical object with a power supply (cabling/battery), processing unit, non-volatile memory, connectivity (wired/wireless), sensors/actuators and device management.
Qbit starts with analysing the firmware and kernel/libraries of the hardware and/or embedded system. The first is performed by means of the tools like binwalk and hexdump to identify the file system used. Or if no standard filesystem is used to find at least exportable parts, like binary executables, static content, encryption keys et cetera from the firmware. If the firmware uses an open filesystem we will use available tools to mount it and further analyse its contents. Individual executables, the libraries that they use, and the kernel can then be analysed for publicly known vulnerabilities. We then also use the Firmware Assessment Tool to emulate and analyse the firmware.
Next, Qbit will check the device from the network to see if the firmware that it uses is affected by network exploitable vulnerabilities. After this Qbit use hardware-hacking techniques (e.g. using JTAG or similar debug interfaces, reading memory chips like EEPROM, using logical analyser tools to check for hidden interfaces) where possible to obtain access to the firmware of the device and to gain a better understanding of its inner workings. Usually, a device is part of a solution that communicates with a back-end system and uses a (mobile) application to manage the device. For this purpose, Qbit makes use of the infrastructure or application assessment.
Qbit uses the ‘Baseline Security Recommendations for IoT’ of ENISA (November 2017) as a reference for testing the security if (IoT) devices.
Benefits of a Device assessment
- Find out if your systems are secure.
- Insight in inherent level of security and real vulnerabilities.
- Practical and feasible recommendations.