IoT (Internet of Things) devices have become a significant part of the technology ecosystem for many types of businesses. IoT provides organizations with the ability to collect data. The most common uses include connected medical devices to monitor people or assets like equipment or sensors in the field. As a result of this increase, they have also become a favorite target of hackers. Protecting these components from risk is a multi-layered approach, and embedded penetration testing is one element of this.
As the adoption of IoT devices grows, those who use them must focus on embedded systems security. While most already use some type of pen test, a specific strategy for securing IoT is crucial.
What Is Embedded Penetration Testing?
Embedded penetration testing analyzes connected devices as the target system. Ethical hackers simulate a cyberattack related to IoT on the network to identify vulnerabilities and then attempt to exploit them.
Embedded penetration testing has the same objectives as other types, but those running them have a unique approach. It’s a practical exercise and requires a focus on interaction because IoT devices never exist on their own.
Why Are IoT Devices Such a Hot Target for Cybercriminals?
To understand the risk associated with IoT, you have to look at the hacker perspective. They are an opportunistic group, and IoT is a way in the door to an organization’s IT infrastructure. Often, these assets on the network have implicit trust designations, and that’s a weakness if standard cyber principles around least privilege, hardening, and segmentation are forgotten.
You can overlook or make assumptions about the security of a device. Without a protective shield and regular testing to find vulnerabilities, cybercriminals can penetrate them with attack vectors like command injection or gaining access to API (application programming interface) keys.
How Prepared Is the Cyber World for IoT Device Attacks?
There has been increased recognition of the cyber threats of IoT. Its robustness depends on the intended use. For example, IoT medical device manufacturers must now abide by new cybersecurity standards to achieve clearance from the FDA (Food and Drug Administration). It mandates that all medical device regulatory submissions include information regarding four core cybersecurity requirements.
However, even with these new protocols, the threat you have to worry about is what happens when the devices are in the “field” and connected to your network. These incidents are steadily rising, with 112 million attacks in 2022 worldwide. It was a staggering jump from the year prior, which reported only 60 million. The increase is the result of the proliferation of devices and cybercriminals focusing on this segment since it’s often an easy “in” to the network.
So, are most organizations prepared for these attacks? There’s no easy answer to this question. It depends on many things—an organization’s cybersecurity maturity, the volume of devices, how they are used, and continuous testing and assessment. Those who tap firms to perform pen testing of their IoT devices improve their chances of preparation by being proactive.
How Does Embedded Penetration Testing Work?
No matter the target system, pen tests have the same general steps. Because IoT devices are unique assets, how these tests work has some differences from an application pen test.
Here are the eight steps for embedded penetration testing that Blue Goat Cyber uses:
Step 1: Plan and Prepare
In the first step, planning and preparing come before the actual test. Testers engage in a variety of activities to develop their strategy of attack. Typically, they will define the scope of the test, ensure they have any information if provided, and become familiar with the IoT environment.
Step 2: Discover and Practice Reconnaissance
Step 2 kicks off the “investigation” of IoT by ethical hackers. They will assess the landscape to understand how the devices connect to the network and what data they collect. Scanning is a tool to gather this information. With what they learn, testers build their attack plan.
Step 3: Assess and Analyze Vulnerabilities
Next, the testers evaluate vulnerabilities in the IoT ecosystem, learned from the scan or via manual tactics. Analysis of these weaknesses is a crucial aspect of the pen test, which includes prioritization of the found issues. The classification involves linking a threat source to a specific vulnerability.
Step 4: Exploit Vulnerabilities
Now that the testers have found and prioritized weaknesses, they’ll move to exploit them. They attempt to gain access to the IoT devices, using tools and techniques to create a breach. These can include injecting SQL, locating back doors, and other methods of attack.
Step 5: Expand the Foothold and Penetrate Deeper
After initial access and review, ethical hackers will try to expand their foothold and probe further into the network. They will experiment with options when they are inside the network to gather more insights and may attempt to steal data or intercept communication or traffic. Testers gather more insights on the entire ecosystem.
Step 6: Leave and Clean Up
After exploiting and detecting as much as possible from the simulated attack, ethical hackers are ready to exit. They’ll leave the IoT network and return it to its original state.
Step 7: Deliver the Analysis and Remediation Report
Every embedded pen test ends with a complete analysis and report of actions taken by testers. It will include:
- The vulnerabilities they were able to exploit and how they did it
- If they were able to breach sensitive data and manipulate or extract it
- How long the tester was able to stay in the system without detection
You’ll also receive information on how to remediate these weaknesses to strengthen your embedded system security. Each item will have a priority, and most firms that do these tests can support remediation efforts. The report should also help you update and optimize patching and configuration strategies.
Step 8: Retest Post Remediation
Pen testing should be a regular part of your cybersecurity practices. If you want to be sure that the fixes and improvements you made worked, a retest will answer that question. Testing cadence should be at least bi-annually. You’d also want to retest if you add new devices to the network, modify end-user policies, or initiate new integrations.
These steps ensure you get the information you need to improve your security posture. While the efforts are similar regardless of the type of pen test, those related to embedded devices have challenges.
What Are the Challenges of Embedded Pen Testing?
Simply put, every device is different, especially its configuration and use case. It’s not as straightforward as more universal applications that run on the same operating systems.
There are also physical components, and IoT manufacturers build devices with many of these to ensure they work in a specialized way. It poses a challenge to pen testers, as they must work through different hardware landscapes and operating systems. There is more customization in these devices than in other elements.
Because this is such a distinct environment, you need to hire a testing team with expertise and experience with IoT devices.
What to Look for in Hiring an Embedded Penetration Testing Firm
Finding the right partner is vital for pen testing to deliver the value you expect. There are several areas to evaluate when hiring a firm. Make sure to do the following:
- Review their expertise in embedded devices: For a company to carry out an embedded pen test correctly, you need to inquire about their experience in carrying out these pen tests. You want to work with a group that specializes in these exercises.
- Inquire about training and credentials: It’s essential to know about the background of testers and if they have credentials that demonstrate pen test proficiency, including CISSP, CSSLP, OSCP, ECSA, LPT (Master), and CEH.
- Ensure they do more than automated scanning: Scanning automation is a key aspect of testing, but it should not be the only activity. Finding vulnerabilities needs a human eye too. Automation can’t uncover what only human intelligence can locate.
- Discuss methodology: The steps framework is a big part of the methodology, so have firms advise you on how they approach testing. Also, ask about how they validate and improve their methods.
- Request a sample remediation report: The report you receive post-test is the roadmap for improving security. Lots of reports are full of hot air and geek speak, which may require considerable interpretation. A straightforward and action-focused document is what you want to see.
- Evaluate the firm’s reputation in the industry: Lastly, you want to gauge an organization’s reputation. You can ask for references, check certifications, and read customer reviews to gather intel on this.
Is Embedded Penetration Testing Right for Your Organization?
Will embedded penetration testing deliver lots of benefits for your business? If IoT devices are part of your infrastructure and there to stay, then you can’t afford to forego pen testing. Breaches and attacks can create massive headaches and costs. It’s much more cost-effective to have regular pen tests as a pillar of your cyber strategy.
Blue Goat Cyber can help. We are expert pen testers with experience with IoT devices. Get started by requesting a discovery session.