IoT Device Deployments Are Outpacing IoT Security Measures

Making The Case For IoT Penetration Testing

Amine Amhoume

IoT Has Successfully Evolved From Concept To Commercial Deployment

Devices powering the Internet of Things (IoT) are everywhere. Every connected device that can send data over a network autonomously, without human interaction, qualifies. This includes modern passenger and commercial fleet vehicles, industrial robotics, battery-powered sensors, and many other smart machines. IoT is no longer a new technology that people hope to experience in the future. IoT is actively deployed and growing rapidly.

As more devices come to market, forecasts for IoT adoption keep climbing. A 2019 study from Business Intelligence predicted more than 64 billion IoT devices by 2025. The growth is directly attributed to the advantages that IoT brings to businesses, health care organizations, and industry (Industrial IoT or IIoT). Moreover, the introduction of 5G networking will give developers new opportunities to build low-power, high-speed communications devices with almost zero transmission delay.

Yet, the most problematic concern about this technology is its security. IoT devices are known to be highly vulnerable to attacks such as DDoS, spoofing and malware, and to privacy issues. Regulators, manufacturers, and enterprise users all share responsibility for the security of this technology.

At the same time, penetration testing (often referred to as pentesting) remains one of the available ways to assess the strength of IoT security. Pentesting is the process of attacking computer systems, networks or web applications in a controlled way to find the vulnerabilities that real cyber attacks would exploit. Pentesting remains a manual process carried out by ethical hackers. Hence, this article gives an overview of how pentesting, with all its pros and cons, is used to increase IoT security.

Benefits Of Pentesting An IoT Environment

For enterprises, IoT is only useful if it is safe. Therefore, comprehensive pentesting of every element of the IoT ecosystem brings several advantages: managing risk, detecting security threats, strengthening device security, and ensuring business continuity.

Securing the IoT ecosystem also helps enterprises avoid data breaches, and with them violations of data protection laws such as GDPR. Moreover, the final result of a pentest helps stakeholders and executives make future business decisions. Further, testing IoT devices can uncover new attack vectors and approaches, and so advance IoT security overall.

Steps Necessary For Successful IoT Pentesting

First, the IoT ecosystem needs three components to operate properly:

  • The things: Devices such as self-driving cars, cameras, sensors, and all the devices that reside on the edge of the network.
  • The gateways: The equipment that bridges the IoT devices and the data aggregation point. It can be a router or any device that connects two or more elements on the network.
  • Cloud data centers: Private or public clouds where data is stored and analyzed. This is where all the magic happens.

Second, pentesters should carry out reconnaissance on five levels:

  • Hardware-level: The hardware of both edge devices and gateways (chips, storage, and sensors) should be investigated by disassembly and reverse engineering to identify any vulnerability that allows the device to be subverted.
  • Network-level: This includes evaluating wireless protocols such as Wi-Fi, Bluetooth, ZigBee, and narrowband (NB) 5G, the encryption protocols in use, and end-to-end authentication and authorization for any potential weaknesses.
  • Firmware-level: The diverse operating systems should be analyzed for possible vulnerabilities such as privilege escalation, buffer overflows, and zero-day exploits. This is done by examining the update process, the cryptographic primitives in use, and the password storage mechanisms.
  • Web application-level: Testing the APIs for SQL injection, XSS, and broken authentication and session management that could lead to unauthorized access to the devices.
  • Cloud-level: Testing the operating systems and network infrastructure of the data aggregation point is mandatory to spot any issue that could threaten data privacy. If it is a public cloud, both parties, the vendor and the end user, are responsible for its security.

After completing recon and gathering all the essential information, pentesters start attacking each component with the appropriate tools. For example, at the network level pentesters should run a man-in-the-middle attack to check whether the encryption is working as intended.

Another scenario the pentester should undertake is to interrogate the user interface with brute-force attacks to see whether the passwords in use are sufficiently strong. Be aware that most IoT devices ship with default passwords set by the manufacturer, which is one of the reasons devices get hacked so easily.
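As an added defensive counterpart to the brute-force scenario above (this code is not from the original article): a sliding-window detector run over constructed gateway authentication log lines, in an assumed "timestamp user source result" format, that flags the pattern a brute-force run against a device login leaves behind, and marks whether a success followed the failures, which is the signature of a weak or default password giving way.

```python
# Added example, not from the article: brute-force detection over
# constructed IoT gateway authentication logs (assumed log format).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> <source ip> <FAIL|OK>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z admin 10.0.0.5 FAIL
2024-05-01T10:00:03Z admin 10.0.0.5 FAIL
2024-05-01T10:00:04Z admin 10.0.0.5 FAIL
2024-05-01T10:00:06Z admin 10.0.0.5 FAIL
2024-05-01T10:00:08Z admin 10.0.0.5 FAIL
2024-05-01T10:00:09Z admin 10.0.0.5 OK
2024-05-01T10:05:00Z tech 10.0.0.9 FAIL
2024-05-01T10:20:00Z tech 10.0.0.9 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")
WINDOW = timedelta(seconds=60)   # look-back window for counting failures
THRESHOLD = 5                    # failures within WINDOW that trigger an alert

def parse(line):
    """Parse one log line into (timestamp, user, source, result) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (source, user) that reaches `threshold` failed
    logins inside `window`; success_after is set if a login later succeeds."""
    failures = defaultdict(deque)   # (src, user) -> recent failure timestamps
    alerts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, user, src, result = rec
        key = (src, user)
        if result == "FAIL":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"src": src, "user": user,
                               "first_seen": q[0], "success_after": False}
        elif key in alerts:                   # success after a flagged burst
            alerts[key]["success_after"] = True
    return list(alerts.values())
```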

This is a simplified explanation of the steps that pentesters usually perform. Everything seems to be reasonable and straightforward, but pentesting an IoT environment isn’t as simple as it might appear.

The Issues With Pentesting An IoT Environment

Pentesting an IoT ecosystem presents several complicated challenges for security teams, starting with the diversity of hardware, software and protocols across devices. Normally, pentesters analyze well-known operating systems (such as Windows and Linux on x86/x64), networking protocols (UDP, TCP, FTP, etc.) and hardware. In the case of IoT, pentesters must also know other architectures such as MIPS and SuperH, protocols such as ZigBee, BLE and NFC, and embedded engineering. Given the cybersecurity skills shortage in today's marketplace, pentesters with such capabilities are rare.

It is difficult for pentesters to attack embedded devices because most of the attacks require user interaction to complete. Because of this complexity, pentesting an IoT environment manually takes time and only produces static results (PDF reports or Excel sheets) that still need to be turned into actionable insights, so resolving vulnerabilities and making business decisions takes time as well.

Preparing For Successful, Secure IoT Deployments

In general, manual IoT pentesting takes time and demands a lot of effort from the pentester, but it puts them closest to the shoes of real cybercriminals. Automated pentesting, on the other hand, offers more efficiency and speed. The best method to pentest an IoT ecosystem varies from one organization to the next. Nevertheless, the overall goal is to enhance the usefulness of enterprise IoT by making it more secure.