What is it about?
IoT (Internet of Things) devices, or more generally systems with embedded logic, have become part of everyday life: smart plugs, intelligent thermostats, lights connected to home automation systems; smart watches, Wi-Fi scales, “wearable” objects also used to monitor health; biomedical devices connected to the network in hospitals; advanced network management systems for utilities at the “smart city” level.
And much more. IoT devices are new objects and, like any object connected to a telecommunications network, are potentially subject to security problems. These problems are sometimes caused by the inexperience of the designer or installer, and can have serious consequences for organisations, businesses, homes and people.
CryptoNet Labs performs dedicated penetration tests for IoT devices and embedded systems, with three levels of verification:
- Static analysis. Based on reverse engineering of the firmware and searching it for “leaks”, use of insecure functions or other known patterns.
- Dynamic analysis. The device is exercised at run-time and at network level, with checks performed on the exposed services and on the communication protocols, including through fuzzing techniques.
- Passive analysis. Collection and examination of the network traffic generated or received by the device, to obtain accurate knowledge of its interactions with other entities.
This approach provides a comprehensive view of the vulnerabilities present and helps identify false positives.
Who can benefit from it
Organisations that produce or use IoT devices in a variety of areas (home automation, smart city, wearable devices, trackers, medical computing …) and want to highlight weaknesses and the corrective actions to introduce, ideally in the development or deployment phase.