Being connected to the Internet is no longer a privilege of computers. Things of common use such as light bulbs, electricity meter, medical equipment, maybe even your coffee machine and fridge have today enhanced capabilities, by taking advantage of an internet connection.
These “things” send user-related data to the cloud, which analyzes and stores them. Obviously, these systems can exist as long as the concept of security is bound to them. In some cases, the information sent can be extremely confidential and therefore, very likely to be an object of cyber-attacks.
Some of the IoT devices operate in environments where their correct functioning might be a matter of life or death. Hospitals, for example, are becoming more and more modern, and make use of IoT devices for several reasons. In some cases, making sure that those devices work properly, and that the data is securely transmitted and delivered is of vital importance.
The IoT world is, more often than not, composed by proprietary protocols and communication rules. Therefore, the concept of security compliance is not something that is thoroughly followed by every device.
For this reason, wizlynx group provides a tailored security assessment for Internet of Things, where our senior cyber security specialists will check your IoT connected devices against the full IoT attack surface. Our services rely on highly skilled cyber security analysts and pen-testers with extensive experience, both in defense and offense.
Use of easily brute forced, hardcoded, publicly available, and/or unchangeable passwords in client-side software/firmware that can grant unauthorized access to deployed devices.
Unneeded and/or insecure active network services - especially those exposed to the internet - that compromise confidentiality, integrity, or availability of information or allow unauthorized remote control (e.g. Telnet, Wi-Fi, ZigBee, Bluetooth, etc.).
Insecure web, backend API, cloud or mobile interfaces that allow compromise of the device and/or their ecosystems. Common issues include a lack of authentication and authorization, lacking or weak encryption, and a lack of input validation and output encoding.
Lack of ability to securely update the device/ecosystem, lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanism, lack of notifications of security changes due to updates.
Users’ personal information stored insecurely on device, used insecurely, improperly, and/or without permission in logs and other artefacts, transmitted insecurely over the network or the internet, lack of adequate privacy disclosure before usage.
Lack of security of sensitive data at rest, in transit, or during processing (e.g. insufficient or lacking cryptography, mismanagement of keys, inefficient platform access controls, etc.).
Lack of physical anti-tampering defenses and/or lack of system integrity checking, allowing potential attackers to gain sensitive information that can help with future remote attack.
Lack of vendor-provided product features to help the user secure the device through configuration (e.g. stronger authentication, logging, monitoring, encryption strength management, etc.).
All findings will be documented in a final report, and then compared with a strengths/weaknesses profile against international standards for IT & Cyber Security. The identified weaknesses will be assessed and supplemented with recommendations and remediation actions, as well as prioritized according to the risk associated. The final report will be discussed during a presentation with you. The report will include a comprehensive and meaningful C-level summary of the executed IoT security assessment. Additionally, it will include all detailed results with respective evidence and recommendations for future security measures.