How to conduct an IoT pen test

Ryan Francis | May 26, 2017
Security experts explain the nuances.

Penetration testing was much like taking a battering ram to the door of the fortress. Keep pounding away and maybe find a secret backdoor to enter through. But what happens if pieces of the network are outside of the fortress? With the flurry of Internet of Things devices, is it harder to conduct a pen test with that many devices and end points?

Claud Xiao, principal security researcher, Unit 42 at Palo Alto Networks, said that for just testing some network services on IoT devices in a black-box way, the difficulty level and the steps are similar to regular pen testing. But if you're discovering vulnerabilities via analyzing firmware or via analyzing wireless communications (e.g., Bluetooth or ZigBee), that's much harder.

“Every step above may fail due to diversity existing everywhere during IoT devices' and embedded Linux system's design and implementation. Even if a security flaw was discovered, some additional knowledge may be required in order to write a workable exploit code,” Xiao said.

The benefits of pen testing IoT include strengthening device security, protecting against unauthorized usage, avoiding elevation of privileges, reducing the risk of compromise, better user and data privacy, and strong encryption to avoid man-in-the-middle (MITM) attacks.

Don Green, mobile security manager of Threat Research Center at WhiteHat Security, also agrees that IoT assessments are inherently more complicated because there is more hardware, software, and communication protocols involved. “This translates into a larger attack surface and a wider array of attack vectors. A successful IoT assessment requires that the electronic ecosystem for a specific IoT device is thoroughly mapped and a detailed assessment plan is developed,” he said.

While the IoT has not introduced new technology per se, he said it has introduced a more complicated environment for developers and security teams. Understanding the complexities of the environment, adequate research of components, and development of a thorough assessment plan are the keys to success for securing the IoT.

Daniel Regalado, principal security engineer at ZingBox, said when you focus on IoT the challenges are different and harder. “You are dealing with different architectures, operating systems, communication protocols, etc. This is totally different than what the Penetration Tester faces with traditional networks.”

Most attacks start by luring the end user to open an email or click a malicious link; within the world of IoT it is different. There is no end user behind those devices. Therefore, there is no person to lure, making it more challenging to break into embedded devices (low-hanging fruit like default credentials or plain-text login protocols, like telnet, are not considered challenges and are therefore out of scope during penetration testing), he said.
