IoT and Embedded Device Assessment

You would never put an unpatched, unmonitored old server on your network and simply forget about it. Yet a smart camera, a building-management controller, or a networked printer is frequently exactly that - a small computer running outdated software, shipped with default credentials, updated rarely if ever, and sitting on your network with more access than anyone intended. Compounding this, internet-of-things devices are frequently exposed to the internet, and dedicated search engines such as Shodan can find them automatically. Our IoT and Embedded Device Assessment examines these devices as the genuine attack surface they are, with particular attention to how a single weak device becomes a foothold into everything around it. This naturally pairs with our External Exposure Assessment and Network Infrastructure Assessment.

Detectability, Exposure, Access

An IoT device that is not exposed to the public internet, even if insecure, may be difficult for an attacker to access. An internet-connected device, especially one indexed by search engines like Shodan, represents a direct security threat, as it represents an attractive target for attackers looking for an initial beachhead into your systems. Such devices rarely have much security and may even simply enable attackers to connect to them via default credentials. In addition to the risk of them acting as an initial foothold into your systems, they also are frequent targets for botnets, from historical examples such as the Mirai botnet to more recent examples like Aisuru and Kimwolf. IoT devices can also act as a vector for direct, physical attacks on your organisation: CCTV cameras hacked to facilitate a break-in, industrial control systems hijacked to directly damage equipment.

Our approach to IoT devices exposed to the public internet consists of three stages. We enumerate which of your devices actually support connections over public internet. We see if the devices in question really need to be accessed remotely, or if they can be locked down to only support an internal network (such as a segregated VLAN); and if not, if we can restrict public exposure through firewalls and other technical means. Finally, we assess access credentials, ensuring that device access can only happen with proper authentication and that factory default access settings have been changed.

Across Every Layer

Our assessment further covers the layers that make these devices vulnerable. At the network level we examine the protocols they speak - including lightweight messaging protocols such as MQTT and CoAP that are often deployed without authentication or encryption - and the services and management interfaces they expose, which routinely include default or hard-coded credentials. Where it is in scope, we extract and analyse device firmware to find embedded secrets, insecure update mechanisms that would let an attacker push malicious code, and the unpatched components that embedded software so often carries for years. And where a device and your objectives warrant it, we can extend to hardware-level analysis, interrogating debug and serial interfaces such as UART and JTAG that manufacturers frequently leave accessible and that can yield complete control of a device.

The Wider Ecosystem And The Real Consequence

We also assess the ecosystem each device depends on - the cloud APIs and companion applications through which many devices are managed, which can expose your devices, your data, or even other customers' devices when poorly secured. And we assess the consequence of compromise in your specific context: a compromised camera is a privacy breach and a foothold; a compromised controller on a network that also carries business systems is a pivot point into everything else, which is why segmentation, the central concern of our Network Infrastructure Assessment, is so often the most effective control for this class of device.

Tested Safely

The depth of an IoT assessment depends on what we can safely do to a device. For equipment you operate, we typically work with a representative sample in a controlled setting, so that any destructive hardware analysis never touches a live deployment. We treat operational and industrial control systems with heightened caution, since on that equipment an aggressive test can have physical consequences, and we scope such work accordingly - often favouring passive observation and bench testing over anything that touches a running process.

What You Receive

You receive an inventory of the devices assessed, the weaknesses found and the access they grant, and remediation guidance spanning network segmentation, credential and configuration hardening, and update and lifecycle management. The engagement serves two audiences: operators who need to know what the devices already on their network expose, and - for organisations that build or commission devices - manufacturers and integrators who need their products to withstand scrutiny before a customer or regulator applies it for them.