IoT security audits

In IoT security audits, Tarlogic's team of experts tries to identify potential security flaws in all types of connected devices using any kind of technology: NFC, ZigBee, Bluetooth, WiFi...

Objectives

The number of connected devices has increased exponentially in recent years; from devices that process health data such as smartwatches, scales or bracelets, to those that are directly involved in home security, such as electronic locks.

The widespread use of these devices significantly increases the attack surface exposed to malicious actors, both for the company that manages them and for the users who rely on them daily.

To assess the security status of these technologies, attacks are modeled depending on the nature of the device and the data managed by it.

The result of this IoT security audit effort lets the client know the security posture of its infrastructure, including possible solutions to the problems found.

Benefits

The benefits that our clients obtain through the execution of these tests are:

  • Knowledge of potential security problems in the device, including open debug ports or vulnerabilities in the remaining components of the embedded operating system.

  • Study of security flaws in the device data flow, both in local connections through short-range networks and in its processing on company servers if any, as well as possible solutions at both technical and design levels.

  • Analysis of the security implications derived from the architecture and technologies used by the IoT framework.

General description

IoT device security audits typically examine all exposed infrastructure that manages the device, including backend services, wireless connections to the device and ports exposed by the device.

Short-range networks such as NFC, Bluetooth or ZigBee typically require specialised equipment to audit; this, along with the nature of these types of networks, means their security is more often overlooked. The Tarlogic team has the tools and knowledge to audit the security of these networks.

The second step of these audits is usually to look for vulnerabilities in the backend services that support the infrastructure; these are usually very similar to other web services. It is particularly important to pay attention to the nature of the data, especially if the devices work with sensitive information.

Finally, the ports exposed by the devices are also usually analyzed in case there is any kind of debug connection.