Insight Bite: Internet of Things kicks penetration testing into high gear

The Internet of Things (IoT) really ups the ante for the already complicated security penetration arena. With IoT there’s more software and hardware involved than in standard network testing, along with a host of communication protocols and third party add-ons which all have their own challenges and potential weaknesses.

Adding to the problem is the fact that many IoT devices were designed with the intent to hit the market quickly, to the detriment of security. The vulnerable Amazon Echo devices are a case in point: it is surprisingly easy for an attacker with just a few minutes' hands-on access to a device released pre-2017 to turn the personal assistant into an eavesdropping microphone without leaving a trace.

All this presents added challenges for security testing teams, who not only have to map out the technology but also assess it and create a detailed plan for how to secure it. Consequently, security is being subjected to particularly heavy due diligence during the M&A process, to make sure it is sufficiently robust, because companies have, on more than one occasion, failed to give the security layers the attention they deserve.

IoT penetration testing is different from standard network penetration testing. IoT devices lack what is often the key vulnerability, human error, which makes them harder to break into. However, IoT devices often run on different architectures and use communication protocols that sometimes require entirely different tools and methods for thorough testing.

The rapid development of the IoT field will require testing specialists who want to play in the big leagues to upgrade their skills on a continuous basis. Devices require constant monitoring to catch new anomalies, and IoT penetration testers also need to think holistically to avoid missing vulnerabilities; for example, a common weakness of IoT devices is their associated cloud accounts.

“An effective assessment methodology should consider the entire IoT solution,” Rapid7 IoT Research Lead Deral Heiland wrote on the Rapid7 blog. “Rapid7’s motivation behind examining the entire ecosystem is to ensure all components of the technology are secure. Failure of any component of the product ecosystem can and will affect the overall security posture.”

Rapid7’s IoT penetration testing structure is an example of the kind of all-encompassing approach that has proven effective:

  • Functional evaluation
  • Device reconnaissance
  • Cloud focused testing
  • Mobile application / control system-focused testing
  • Network-focused testing
  • Physical inspection
  • Physical device attacks
  • Radio-focused testing

The IoT-connected device boom is only in its infancy, as we are seeing rising numbers of smart cars, connected household appliances, energy meters and city infrastructure talking to one another. Penetration experts who have previously focused on networks will increasingly look to expand into or acquire this specialism. Many companies now need to plug the gaps and are setting out to buy security solutions.

Given the proliferation of IoT devices and our increasing reliance on them, IoT security is now very much top of mind when architecting and implementing systems. IoT-era penetration testing requires expertise across the usual network technology, as well as familiarity with the operating systems of devices such as connected TVs, servers, and smart buildings. This is a trend that is only going to grow in the years to come, so watch this space.

About Acuity Advisors

We know technology – that’s why we’re the industry’s trusted M&A advisor. Our partners are senior players in tech and M&A: skilled at getting to the heart of a technology business, understanding what will attract buyers, and building long-lasting relationships. We have an unrivalled understanding of the industry’s complexities and personalities – our track record and client feedback are compelling evidence of that. We’re an international firm – most of our deals are cross-border, from offices in London, Munich, Shanghai and Silicon Valley – but we’re grounded in our approach. We move quickly when it’s needed, and we’re around for the long haul when patience is a virtue. We’ve maintained a very high success rate across hundreds of deals while keeping our focus on doing what’s right for our clients. From first meeting to successful exit, we earn the trust that clients and investors put in us.

© 2018 Acuity Advisors LLP
