The Internet of Things (IoT) really ups the ante for the already complicated security penetration arena. With IoT there’s more software and hardware involved than in standard network testing, along with a host of communication protocols and third party add-ons which all have their own challenges and potential weaknesses.
Adding to the problem is the fact that many IoT devices were designed with the intent to hit the market quickly, to the detriment of security. The vulnerable Amazon Echo devices are a case in point: It’s surprisingly easy for a hacker, with just a few minutes’ hands-on access to a device, released pre-2017, to turn the personal assistant into an eavesdropping microphone without leaving a trace.
All this presents added challenges for security testing teams who, not only have to map out the tech, but also assess it and create a detailed plan for how to secure it. Consequently, security aspects are being subjected to particularly heavy due diligence during the M&A process. This is to make sure it’s sufficiently robust as companies have, on more than one occasion, failed to give the security layers the attention they deserve.
IoT penetration testing is different to standard network penetration testing – IoT devices don’t have what’s often the key vulnerability: human error, this makes IoT devices harder to break into. However, IoT devices often operate on different architectures, using communication protocols that sometimes require entirely different tools and methods when it comes to thorough testing.
The rapid development of the IoT field will require testing specialists, who want to play in the big leagues, to upgrade their skills on a continuous basis. Devices require constant monitoring to catch new anomalies, and IoT penetration testers also need to think holistically to avoid vulnerabilities being missed – for example a common weakness for IoT devices are their associated cloud accounts.
“An effective assessment methodology should consider the entire IoT solution,” Rapid7 IoT Research Lead Deral Heiland wrote on the Rapid7 blog. “Rapid7’s motivations behind examining the entire ecosystem is to ensure all components of the technology are secure. Failure of any component of the product ecosystem can and will affect the overall security posture.”
Rapid7’s IoT penetration testing structure is an example of the kind of all-encompassing approach that’s proven effective:
- Functional evaluation
- Device reconnaissance
- Cloud focused testing
- Mobile application / control system-focused testing
- Network-focused testing
- Physical inspection
- Physical device attacks
- Radio-focused testing
The IoT-connected device boom is only in its infancy, as we’re seeing rising numbers of smart cars, connected household appliances, energy meters and city infrastructure talking to one another. Penetration experts who have previously focused on networks will increasingly be looking to expand into or acquire this specialism. Many companies now need to plug the gaps, and are off to buy security solutions.
Given the proliferation of IoT devices and our increasing reliance on them, IoT security is now very much top of mind when architecting and implementing systems. IoT era penetration testing requires expertise across the usual network tech, as well as familiarity with the operating systems of devices like connected TVs, servers, and smart buildings. This is a trend that is only going to grow in the years to come, so watch this space.