No matter how good a security program is, there's always the risk an error occurs somewhere along the way. This is particularly true of IoT architectures, which are typically complex. In many ways they are stronger than smaller systems, but they also come with more potential threats and vulnerabilities.
The more complex the system, the more challenging it is to spot issues in time. Yhe last thing anyone wants is to find out their IoT system had a wide-open vulnerability after an attack. IoT penetration testing, which simulates a cyber attack, can identify security issues before they can be exploited.
Pen testing isn't a panacea. Some issues -- privacy concerns among them -- can't be addressed. But in many other situations, pen testing is a powerful mitigation tool.
What IoT pen testing can detect
The following security challenges are common among IoT architectures, and IoT pen testing is key in identifying them.
Weak passwords are one of the easiest ways for an attacker to gain system entry. Despite initiatives to the contrary, weak passwords rank second in OWASP's list of common IoT vulnerabilities. Pen testing can find weak or easily guessable passwords.
Because weak passwords are vulnerable to brute-force attacks, these are usually the first tests conducted. Testers will also attempt interception, which are most successful when login protocols aren't encrypted. Run both insider and outsider tests for passwords. In insider tests, pen testers pose as employees, for example, and attempt to attack the network from inside. In outsider tests, the tester doesn't have access to the company's internal network.
Insecure network services
Here, the danger is when devices are connected to the internet -- a given for IoT deployments. Any vulnerabilities at the network level can expose the integrity, confidentiality and availability of data. Again, both insider and outsider pen tests should be conducted. The goal is to determine how much, if any, of the data can be compromised.
Data-driven pen testing is another option. In these cases, the tester uses certain data or information about the target to gain access.
Also consider performing blind and double-blind tests. In the former, testers have no information about the system they're trying to hack. In the latter, staff are unaware of the test taking place. This verifies the security of the system and the response time of staff members.
Outdated components or sloppy update mechanisms
All devices need to be updated to remain secure. But not all updates are created equally. If a secure update mechanism isn't in place, updates can do more harm than good, putting devices at risk. To prevent vulnerabilities from occurring, deliver updates through secure channels, and be sure to verify them before they are applied. Ensure attackers can't roll back an update. Testers can use several types of pen tests at this stage, including insider, outsider, data driven and blind.
Insecure data storage and transfer
Data transfer and storage are two classic vulnerability points. Weak encryption and lack of authentication are the usual culprits. In addition, encryption and authentication methods might themselves require updating. Pen testing can pinpoint -- and thus eliminate -- such vulnerabilities.
How to conduct an IoT pen test
Pen testing incorporates the following five stages:
- Planning and gathering information.
- Scanning the system to understand how it responds to attacks.
- Gaining access by exploiting vulnerabilities.
- Testing how long those vulnerabilities allow the attacker to maintain access.
- Analyzing results.
In the planning phase, set up the documentation. Decide what will be done and determine the expectations. Define your objectives and create an action plan. In addition, identify key stakeholders and interview them; they will be the ones defining constraints and desired outcomes.
Next, scan the system. The tester checks different attacks and threat vectors through manual and automated methods. Once vulnerabilities are identified, begin testing. The tester attempts to gain access and, if successful, monitors how long access was maintained.
All these tests help you determine the source and cause of the vulnerability. For example, you could find missing access controls, outdated software or unencrypted data.
Analyze the results. Determine exactly where and when the vulnerabilities first appeared, their risk rating and the methods needed to correct the problem.
Pen testing's benefits notwithstanding, it's possible that the results you get aren't what you expected. To avoid this, make sure you set the correct expectations and identify key stakeholders. Many rush through the first stage and instead focus on the tests themselves. That's a mistake. If the plan is incorrect and testers don't understand exactly what they need to be doing, crucial data can be missed.
Don't skip over any steps, no matter how meaningless they seem. The right people and the right priorities are the keys to successful IoT penetration testing.
Laura Vegh is a computer engineer with a passion for writing. After working in academia for seven years, she changed careers and became a full-time writer.