IoT devices are part of our daily routine. They help us achieve tasks both at home and at work, connecting us to technology that just a few years back could only have been described in a sci-fi novel. An example of this is Amazon's Alexa, which can be used to play music, turn lights and heating on or off, or order a pizza or an Uber. The device is connected to your Amazon account and reacts to voice commands to retrieve information from the internet. Today this new technology is embraced by companies all over the world as a new means to reach their users and grow their business. These devices, however, also present great challenges and security risks. An IoT device is not only a nice gadget to use but also a new way for malicious actors to interfere with users' private data and compromise corporate assets.
In July 2017, security researchers discovered a flaw in the NeoCool Cam IoT security cameras that, if exploited by malicious users, would have allowed them to access and compromise more than 100,000 internet-connected cameras.
CodeGrazer offers hardware hacking and IoT device security assessment services, designed to cover all the security aspects related to your device.
IoT devices and, more generally, hardware devices are not just made up of a PCB and some copper; they can include the following components, all of which can be assessed by CodeGrazer:
- A hardware component, generally in the form of a single PCB.
- An operating system running locally on the device (firmware).
- An API communicating with an external web server.
- One or more external web servers.
- A web application available to users to manage the IoT device online.
The IoT/hardware device security assessment conducted by CodeGrazer will involve:
- Using the device as an authenticated user, with an approach similar to that used for assessing web or mobile applications, to uncover API- and web-related vulnerabilities (see OWASP Top 10).
- Checking how data is stored on the device and how it is transported over the internet or LAN.
- Hardware hacking. Connecting to the device's serial communication ports (e.g. UART/JTAG) to retrieve debugging information, access the device's firmware, and perform a thorough code review and vulnerability assessment.
The consultant will deliver the report within 2 days of the end of the test, together with any proof-of-concept videos demonstrating how to perform hardware hacking on your device.
By purchasing CodeGrazer's IoT device security assessment services, you will be able to:
- Perform a comprehensive security assessment covering all components of an IoT device (hardware, software and web).
- Improve the security standards of your external infrastructure and web services.
- Learn how vulnerabilities were discovered by watching exhaustive proof-of-concept videos.