Why penetration testing needs to be part of your IoT security

The importance of IoT security

IoT devices are ubiquitous in our daily lives—whether it’s at home with connected home automation devices, or at work with connected factories, hospitals, and even connected cars. According to data-gathering and visualization firm Statista, there was an estimated 15.9 billion IoT devices in use in 2023, and that number is expected to climb to more than 32.1 billion in 2030. As businesses globally have transformed their processes over the past decade with more embedded, IoT-driven intelligence, these billions of connected devices have also become a target for cybercriminals. And according to Keyfactor’s recent study, “Digital Trust in a Connected World: Navigating the State of IoT Security,” 69% of organizations surveyed in 2023 saw an increase in cyberattacks on their IoT devices.

Key drivers for IoT attacks

In addition to cybercriminals leveraging compromised devices to launch distributed denial-of-service (DDoS) attacks, the millions of exposed endpoints also present a national security threat. So it’s no surprise that the FBI has taken notice and provided guidance on secure IoT practices to defend against cybercriminals targeting unsecure IoT devices. Some key drivers for attacks on IoT devices include

• Lack of timely vulnerability patching. The Black Duck “2023 Global State of DevSecOps” report found that in a survey of 1,000 IT security professionals, 28% said their organizations take as much as three weeks to patch critical security risks/vulnerabilities in deployed applications, with another 20% noting it could take up to a month. 
• Lack of consumer awareness. Consumer purchasing decisions are driven by the latest features, ease of use, and pricing. Security, when considered at all, is an afterthought. 
• Inadequate security capabilities. In an effort to meet consumer demand and deliver low-cost devices, manufacturers often overlook security concerns. Additionally, there are no security regulations and standards that would require manufacturers to build security into their devices.

The role of penetration testing in IoT security

The Center for Internet Security (CIS) recommends best practices for securing IT systems and data. For large organizations, it is key to implement organizational controls that focus on people and processes, driving change and executing an integrated plan to improve the organizational risk posture. Often, attackers target software deployment vulnerabilities such as configurations, policy management, and gaps in interactions among multiple threat detection tools. Penetration testing and red team exercises (CIS Control 20) allow cybersecurity experts to detect vulnerabilities and assess the overall strength of an organization's defense by simulating the actions of an attacker. Key areas for IoT penetration testing include

• IoT device interfaces. IoT devices can have several types of interfaces such as web-based interfaces for consumers, or object interfaces for governance as code–type applications such as control systems. Input validation, command injection, and code injection should be a primary focus of penetration testing of IoT devices.
• Network infrastructure. The network infrastructure interconnecting IoT objects can often be vulnerable, and for IoT devices on a single network, malicious attacks need only a single exploit to be successful. It is important to use both automated tools and manual penetration testing methods to complete specialized penetration testing on the network infrastructure, associated cryptographic schemes, and communication protocols. 
• Proprietary programs. It is critical to scan proprietary programs that represent the entire system architecture. According to the latest “Open Source Security and Risk Analysis” (OSSRA) report from Black Duck, over 80% of the audited codebases contained at least one vulnerability. This represents immense heterogeneity and complexity in the codebases, so it is important for experienced penetration testing professionals to use intelligent gray box testing to ensure coverage on the test types required for a comprehensive penetration test.

Steps for pen testing an IoT device

IoT penetration testing requires a systematic approach that analyzes all aspects of the system or device for security vulnerabilities—from hardware and software components to the network and communication protocols. This helps ensure the IoT devices and systems are protected against a potential cyberattack. This approach includes five steps.

1. Scope and data gathering. Defining the scope will help narrow what needs to be protected and evaluated. Data gathering involves collecting information about the IoT system or device, including architecture, API protocols, etc., so pen testers can understand the target and potential attack vectors.
2. Vulnerability scanning. Using manual and automated testing methods, pen testers identify vulnerabilities in the IoT system that can be exploited by threat actors. 
3. Exploiting vulnerabilities. Once vulnerabilities have been identified, pen testers will attempt to exploit them to gain access to the IoT system.
4. Maintaining access. If an attempt to gain access to the IoT system is successful, a pen tester will monitor how long access can be maintained. 
5. Analyzing and reporting results. In this final stage, pen testers will document findings, including the vulnerabilities discovered, their risk rating, and recommendations for mitigating them.