VAPT techniques for IoT

The Internet of Things (IoT) is an emerging technology: a system of physical objects such as devices, vehicles, homes, and other things embedded with electronics, software, sensors, and network connectivity, which lets these objects gather and exchange data. By the year 2030, 50+ billion appliances will be connected to the internet.
What exactly is IoT security testing? An IoT penetration test is the assessment and exploitation of the various components of an IoT device solution, with the goal of making the device more secure. The first phase of IoT pentesting is to map the solution's entire attack surface, followed by vulnerability identification and exploitation, and finally post-exploitation. An in-depth technical report follows the testing.

Attack Surface Mapping
Attack surface mapping produces a diagram of all the possible entry and exit points that an attacker could exploit in an IoT device solution. It is the most crucial phase of the IoT pentesting procedure and also involves drawing an architecture schematic of the complete product from a pentester's standpoint; most pentesters devote a full day to it. Findings are then prioritised by how easy they are to exploit and what they yield: a high-priority, high-criticality vulnerability is one whose exploit is extremely simple and results in successful compromise and retrieval of sensitive data from the device, whereas something difficult to perform, whose output during the test is not very relevant, is classified as low-criticality, low-priority.

How is Attack Surface Mapping performed?
When a new device is being assessed, the first task is to observe and analyze it properly; many pentesters make the mistake of not understanding the device. Gather as much information as possible: device documentation and manuals, online resources and articles about the product, and any available prior research on the gadget. Note down the CPU architecture, the communication protocols used, mobile application details, the firmware upgrade process, hardware ports, external media support, and every other detail. The architecture of the device can be divided into three categories: the embedded device; firmware, software and applications; and radio communications.
The embedded device is the key to any IoT device architecture. Depending on the use case, the embedded device in an IoT product can serve a variety of functions: as the hub of the device's whole IoT architecture, as a sensor that collects data from its physical surroundings, or as the means of displaying data or carrying out the action the user requested. These embedded devices can therefore gather, monitor, and analyze data as well as perform actions. Such an integral component naturally brings numerous threats with it. Vulnerabilities typically found here include exposed ports, insecure authentication mechanisms, external media-based attacks, and many more.
The software component covers everything from the device's firmware to the mobile applications that operate it, the cloud components it connects to, and so on. Several elements of the IoT ecosystem are open to our usual pentesting skills, including reverse engineering of binaries for architectures such as ARM (Advanced RISC Machines) and MIPS (Microprocessor without Interlocked Pipelined Stages), and reverse engineering of mobile applications. The major vulnerabilities found in firmware are insecure signature and integrity verification, and the ability to learn the entire functionality of the device from the firmware. For mobile applications, reverse engineering is the biggest loophole; for more on mobile app vulnerabilities, see the OWASP Top 10 for Mobile Application Security. Other vulnerabilities include:

  • Dumping source code of the mobile app.
  • Outdated third-party libraries and software development kits (SDKs).
  • Insecure authentication and authorization checks.
  • Business and logic flaws.
  • Insecure network communication.

Similarly, for web applications on IoT devices, client-side injection and cross-site scripting (XSS) account for the greatest share of the vulnerabilities present.
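The "insecure signature and integrity verification" firmware finding above, as an added example that is not from the original article or from any vendor's update format: a checksum-only update verifier (the kind of check that only catches corruption) beside a hardened one. The image layout, the device key, the version numbers and the sample payloads are assumptions constructed for the example. HMAC-SHA256 from the standard library stands in for the asymmetric signature a real update path should use, where the device holds only a public key; a shared symmetric key baked into every unit would itself be a finding.

```python
"""Firmware update verification: weak (unkeyed hash) vs. hardened (keyed tag,
constant-time compare, anti-rollback). Added example; layout and key are assumed."""
import hashlib
import hmac
import struct

# Assumed image layout (not any vendor's format):
#   header = magic(4) | version(u32 BE) | payload_len(u32 BE), then payload,
#   then a 32-byte tag computed over header + payload.
MAGIC = b"FWUP"
HEADER = struct.Struct(">4sII")
TAG_LEN = hashlib.sha256().digest_size

# Constructed device-side key for the demo. In production the device would hold
# a public key and verify a signature instead of a shared secret.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def make_tag(header, payload, key=None):
    """Unkeyed SHA-256 when key is None (the weak scheme), HMAC-SHA256 otherwise."""
    if key is None:
        return hashlib.sha256(header + payload).digest()
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def build_image(version, payload, key=None):
    """Assemble header + payload + tag. key=None mimics a checksum-only producer."""
    header = HEADER.pack(MAGIC, version, len(payload))
    return header + payload + make_tag(header, payload, key)


def split_image(image):
    """Return (header, payload, tag), or None if the framing is inconsistent."""
    if len(image) < HEADER.size + TAG_LEN:
        return None
    header = image[:HEADER.size]
    magic, _version, length = HEADER.unpack(header)
    if magic != MAGIC or len(image) != HEADER.size + length + TAG_LEN:
        return None
    return header, image[HEADER.size:HEADER.size + length], image[-TAG_LEN:]


def weak_verify(image):
    """The 'before': framing plus an unkeyed hash. Anyone who can edit the image
    can recompute the hash, so this detects corruption but not tampering."""
    parts = split_image(image)
    if parts is None:
        return False, "bad framing"
    header, payload, tag = parts
    if tag != make_tag(header, payload):
        return False, "hash mismatch"
    return True, "accepted"


def verify(image, key, installed_version):
    """Hardened: keyed tag, constant-time comparison, and an anti-rollback check
    so an older (possibly vulnerable) but validly tagged image is refused."""
    parts = split_image(image)
    if parts is None:
        return False, "bad framing"
    header, payload, tag = parts
    if not hmac.compare_digest(tag, make_tag(header, payload, key)):
        return False, "authentication failed"
    version = HEADER.unpack(header)[1]
    if version <= installed_version:
        return False, "rollback rejected"
    return True, "accepted"


if __name__ == "__main__":
    good = build_image(2, b"firmware-v2", key=DEVICE_KEY)
    modified = build_image(2, b"firmware-modified", key=None)
    print("hardened, good image:", verify(good, DEVICE_KEY, 1))
    print("weak, modified image:", weak_verify(modified))
    print("hardened, modified image:", verify(modified, DEVICE_KEY, 1))
```

The contrast to look for during a firmware review is exactly the `weak_verify` shape: a hash or CRC recomputed from data that the update itself carries, with no key or public key involved. The version check in `verify` matters just as much, since a validly signed old image is the usual route back to a patched bug.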
For radio communications, the specialized hardware needed to analyze the traffic depends on which communication protocol the device uses. Protocols in use include cellular, Wi-Fi, BLE, ZigBee, Z-Wave, 6LoWPAN, LoRa, and more. Vulnerabilities found with radio communications include:

  • Denial of service (DoS).
  • Man-in-the-middle attacks.
  • Jamming-based attacks.
  • Lack of encryption.
  • Ability to extract sensitive information from radio packets.
  • Live radio communication interception and modification.

VAPT for IoT approaches
It is critical to test programs, networks, and devices for security weaknesses in order to make the internet more secure and safe. Whether testing is conducted by manufacturers, third-party consulting firms, enterprise security teams, or security research organizations, the methodology differs based on the information provided to the testers. A full test should ideally cover the entire IoT system, including its infrastructure, rather than just the device itself, although testing often covers only part of an IoT system because of cost or technical capability.

Black Box
Black box assessments are popular and relatively inexpensive. They are carried out without any prior knowledge of the technology or device implementations in use. Black box evaluations are typically performed by security researchers or third-party consulting businesses, although internal security teams can also perform them for risk assessment.

White Box
When testers are given complete access to source code, network diagrams, architecture diagrams, data flow diagrams, and other extensive information on the technology used by the target device, the assessment is called white box. In general, the more information testers are given about the target device or application(s) ahead of time, the better the test results will be. White box assessments are more expensive, but they are also more accurate.

Grey Box
Grey box assessments are used when testers have limited or partial knowledge, comparable to what an insider at the company would know. Testers may have only a basic understanding of the application stack and libraries used, but no extensive documentation on the API.

How to conduct an IoT pentest?
Pen-testing an IoT solution includes checking the network, the API, and the applications. If the IoT environment is reachable over the internet or a wireless network, this can be done remotely. For hardware, encryption, and Wi-Fi pen-testing the device is brought into a lab and examined for logical and physical security flaws: deconstruct the device, locate hardware debugging ports or storage chips, and dump the firmware using hardware hacking techniques. The firmware is then analyzed and its internal executables and configurations extracted. Finally, reverse the executable files to find security issues.
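The firmware-analysis step described above (extract the filesystem from the dumped image, then review its executables and configurations), as an added example rather than the article's own tooling: a triage script over an extracted root filesystem that flags the findings a reviewer checks for first, so each can be reported with its path. The sample tree it builds in a temporary directory, the file names, the shadow entries and the credential patterns are all constructed for the example.

```python
"""Triage of an extracted firmware root filesystem. Added example; the sample
tree, file names and detection patterns are constructed assumptions."""
import os
import re
import stat
import tempfile

PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
CRED_LINE = re.compile(rb"^\s*(?:password|passwd|secret|api_key)\s*[=:]\s*\S+", re.I | re.M)
CONFIG_SUFFIXES = (".conf", ".cfg", ".ini", ".json", ".xml")
WEAK_HASH_PREFIXES = (b"$1$",)   # MD5-crypt; cheap to brute-force offline


def scan_shadow(data):
    """Flag accounts with no password and accounts using MD5-crypt hashes."""
    findings = []
    for line in data.splitlines():
        fields = line.split(b":")
        if len(fields) < 2:
            continue
        user, hashed = fields[0].decode(errors="replace"), fields[1]
        if hashed == b"":
            findings.append(f"shadow: empty password for {user}")
        elif hashed.startswith(WEAK_HASH_PREFIXES):
            findings.append(f"shadow: weak MD5-crypt hash for {user}")
    return findings


def triage_rootfs(root):
    """Walk an extracted rootfs and return a sorted list of finding strings."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):      # skip symlinks and device nodes
                continue
            if st.st_mode & stat.S_ISUID:
                findings.append(f"setuid binary: {rel}")
            if st.st_mode & stat.S_IWOTH:
                findings.append(f"world-writable: {rel}")
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)            # 1 MiB is enough for keys and configs
            if PEM_KEY.search(data):
                findings.append(f"private key material: {rel}")
            if rel == "etc/shadow":
                findings.extend(scan_shadow(data))
            elif name.endswith(CONFIG_SUFFIXES) and CRED_LINE.search(data):
                findings.append(f"hardcoded credential: {rel}")
    return sorted(findings)


def _write(path, data, mode=0o644):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def build_sample_rootfs(root):
    """Constructed rootfs containing one instance of each defect the scan looks for."""
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    _write(os.path.join(root, "etc", "shadow"),
           b"root::19000:0:99999:7:::\n"
           b"admin:$1$c0nstru$ctedMD5hashXXXXXXXXXX:19000:0:99999:7:::\n"
           b"nobody:*:19000:0:99999:7:::\n", 0o600)
    _write(os.path.join(root, "etc", "cloud.conf"),
           b"endpoint=https://updates.example.invalid\napi_key=CONSTRUCTED-DEMO-KEY\n")
    _write(os.path.join(root, "etc", "server.key"),
           b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
    _write(os.path.join(root, "usr", "bin", "busybox"), b"\x7fELF(constructed stub)", 0o4755)
    _write(os.path.join(root, "usr", "bin", "update.sh"), b"#!/bin/sh\n# placeholder\n", 0o777)
    _write(os.path.join(root, "etc", "hostname"), b"iot-demo\n")


def run_demo():
    """Build the constructed tree in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        return triage_rootfs(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `triage_rootfs` at the directory a firmware extractor produced (for squashfs, JFFS2 or similar images) and treat the output as the starting list for the manual review: every private key, empty or weak password hash, and credential in a config file is a finding in its own right, and each setuid or world-writable file is a binary to reverse with extra care.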
To secure the complete software development life cycle (SDLC), it is critical to construct a comprehensive security defense posture that includes code governance, policy management, and team coaching. As software releases become more frequent and complex, penetration testing is a straightforward way for security experts to evaluate their defenses, find weaknesses, and drive remediation with product development teams. By conducting sophisticated penetration testing that covers diverse attack vectors such as wireless, client-based, and web application attacks, organizations gain deeper insight into the business risks of the various vulnerabilities, which allows them to configure a defense posture suited to their ecosystem.