Security Services

IoT Security Testing Services

Being connected to the Internet is no longer a privilege of computers. Things of common use such as light bulbs, electricity meter, medical equipment, maybe even your coffee machine and fridge have today enhanced capabilities, by taking advantage of an internet connection.

These “things” send user-related data to the cloud, which analyzes and stores them. Obviously, these systems can exist as long as the concept of security is bound to them. In some cases, the information sent can be extremely confidential and therefore, very likely to be an object of cyber-attacks.

Some of the IoT devices operate in environments where their correct functioning might be a matter of life or death. Hospitals, for example, are becoming more and more modern, and make use of IoT devices for several reasons. In some cases, making sure that those devices work properly, and that the data is securely transmitted and delivered is of vital importance.

The IoT world is, more often than not, composed by proprietary protocols and communication rules. Therefore, the concept of security compliance is not something that is thoroughly followed by every device.

For this reason, wizlynx group provides a tailored security assessment for Internet of Things, where our senior cyber security specialists will check your IoT connected devices against the full IoT attack surface. Our services rely on highly skilled cyber security analysts and pen-testers with extensive experience, both in defense and offense.

Internet of Things (IoT) Constellation

What are we testing for during a IoT Security Review?

Our security assessment for IoT Devices is highly inspired from the OWASP Internet of Things Top 10 and other emerging industry standards. Our security assessment will mainly focus on the following areas.

Weak, Guessable, or Hardcoded Passwords

Use of easily brute forced, hardcoded, publicly available, and/or unchangeable passwords in client-side software/firmware that can grant unauthorized access to deployed devices.

Insecure Network Services and Protocols

Unneeded and/or insecure active network services - especially those exposed to the internet - that compromise confidentiality, integrity, or availability of information or allow unauthorized remote control (e.g. Telnet, Wi-Fi, ZigBee, Bluetooth, etc.).

Insecure Access Interfaces

Insecure web, backend API, cloud or mobile interfaces that allow compromise of the device and/or their ecosystems. Common issues include a lack of authentication and authorization, lacking or weak encryption, and a lack of input validation and output encoding.

Lack of Secure Update Mechanism

Lack of ability to securely update the device/ecosystem, lack of firmware validation on device, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanism, lack of notifications of security changes due to updates.

Insufficient Privacy Protection

Users’ personal information stored insecurely on device, used insecurely, improperly, and/or without permission in logs and other artefacts, transmitted insecurely over the network or the internet, lack of adequate privacy disclosure before usage.

Insecure Data Transfer and Storage

Lack of security of sensitive data at rest, in transit, or during processing (e.g. insufficient or lacking cryptography, mismanagement of keys, inefficient platform access controls, etc.).

Lack of Physical Hardening

Lack of physical anti-tampering defenses and/or lack of system integrity checking, allowing potential attackers to gain sensitive information that can help with future remote attack.

Insufficient Security Configurability

Lack of vendor-provided product features to help the user secure the device through configuration (e.g. stronger authentication, logging, monitoring, encryption strength management, etc.).

What Will You Get?

All findings will be documented in a final report, and then compared with a strengths/weaknesses profile against international standards for IT & Cyber Security. The identified weaknesses will be assessed and supplemented with recommendations and remediation actions, as well as prioritized according to the risk associated. The final report will be discussed during a presentation with you. The report will include a comprehensive and meaningful C-level summary of the executed IoT security assessment. Additionally, it will include all detailed results with respective evidence and recommendations for future security measures.

wizlynx group IoT Security Assessment Report

Our Cyber Security Certifications

wizlynx's security consultants and penetration testers hold the most recognised certifications in cyber security and penetration testing industry such as: SANS/GIAC GPEN, GWAPT, GCIH, GMOB, OSCP, CEH, CISSP, CISA and more!

Penetration Test | Offensive Security Certified Professional | OSCP
Penetration Test | GIAC Certified Penetration Tester | GPEN
Information Security | GIAC Expert Researcher and Advanced Penetration Tester | GXPN
Penetration Test | CREST Certified Penetration Tester | CREST
Penetration Test | GIAC Web App Pen Tester | GWAPT
Penetration Test | GIAC Mobile Device Security Analyst | GMOB
Penetration Test | Offensive Security Certified Expert | OSCE