Simply put, IoT is the interface between the physical and digital world that allows one to gather information from – and control – everyday objects.
When you have a random IoT object/device - a thermostat, a bulb or a toothbrush, to perform tests on it,
What do you do to it?
How do you test it?
What is the methodology that you follow?
IoT Security ≠ Device Security
IoT is definitely not limited to just the security of the device. It is a common misconception. IoT has an elaborate range of applications facing the device. We have mobile applications, network connectivity, admin interface, cloud connectivity, and so on. While testing we have to take all of this (at times even more) into consideration.
Ecosystem Access Control:
In the IoT ecosystem, we have to check for all possible ways how the mobile application communicates with the device, how the device communicates with the web application, how the web app deals with cloud and vice versa. The trust relations between these components are of utmost importance. We have to test for authentication, session management, confidentiality and integrity of the data.
Looking into device memory can be very interesting - we can find usernames, passwords keys and sensitive information such as third-party credentials and encryption keys stored in the memory.
Web, Mobile and Cloud Interfaces:
Every device usually has a web app and a mobile app, and we have a classic checklist, courtesy OWASP. By following the OWASP guidelines and running automated scans on an application, one can obtain a lot of information to play around with. There are some basic mistakes which vendors of the devices often make - like giving default usernames and passwords, no anti-automations (where brute force attacks come into the picture).
The device may have an administrative interface which wouldn’t be accessible by users in the network, which means we need to check the access control flows of the application.
We need to observe how the device firmware is updated, whether it is updated manually or can be updated only when the vendor releases an update. One can reveal hardcoded passwords, sensitive URLs for updating the device and also look for possibilities for pulling out the firmware.
Device Network Services:
IoT devices often communicate with co-devices in the network with root shells available on listening, so one should test the environment from a network security standpoint - like connecting to open ports and communicating with them directly through an untrusted device.
Network traffic testing is critical due to the sheer amount of LAN traffic, especially when we have an ecosystem where one hub controls a great amount of device chatter on the LAN, where some traffic may be encrypted and some not. These devices communicate with each other via different protocols such as RFID, ZigBee, Bluetooth, COAP and so on (based on the range/distance and efficiency).
IoT is totally dependant on how the environment around is made secure from a granular level.
Research by Venkatesh Nimmu