IoT devices are ubiquitous in our daily lives—whether at home with connected home automation devices, or at work with connected factories, hospitals, and even connected cars. According to Gartner, there were over 20 billion IoT devices in 2020. As businesses worldwide have transformed their processes over the past decade with more embedded IoT-driven intelligence, these billions of connected devices have also become a soft target for cyber criminals. Nokia’s Threat Intelligence Lab reported in 2020 that IoT devices are now responsible for 32.72% of all infections observed in mobile and Wi-Fi networks—up from 16.17% in 2019.
With millions of exposed endpoints, cyber criminals not only leverage compromised devices to launch distributed denial of service (DDoS) attacks, but these devices also present a sustained national security threat. So it’s no surprise that even the FBI has taken notice and provided continued guidance on how to follow secure IoT practices to defend against cyber criminals targeting insecure IoT devices. We have consistently noted that inadequate security capabilities, lack of real-time vulnerability patching, and lack of consumer awareness are key drivers for repeated attacks on IoT devices.
The Center for Internet Security, Inc. (CIS) has recommended best practices for securing IT systems and data. For large organizations it is key to implement organizational CIS controls that focus on people and processes—and drive change by executing an integrated plan to improve the organizational risk posture. CIS Control 20: Penetration Testing and Red Team Exercises is a well-defined method to implement organizational controls. These tests allow cyber security experts to detect vulnerabilities and assess the overall strength of an organization's defense by simulating the actions of an attacker. Attackers often target software deployment weaknesses—such as misconfigurations, weak policy management, and gaps in the interactions among multiple threat detection tools—to exploit security gaps.
First, IoT devices can have several types of interfaces—web-based interfaces for consumers, or machine-facing object interfaces for governance-as-code style applications such as control systems. Hence input validation, command injection, and code injection should be a primary focus of penetration testing of IoT devices.
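As an added example (not code from the original article), the command-injection risk named above, illustrated with a constructed diagnostic "ping" handler of the kind commonly exposed by IoT web interfaces: the weak form builds a shell string from user input, while the hardened form applies allow-list input validation and passes an argv list so no shell is ever involved. All names and sample inputs are assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# Allow-list for DNS hostnames (RFC 1123 labels, no leading '-' so a value
# can never be mistaken for a command-line option).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_ping_command(host: str) -> str:
    """Weak form: the request parameter is concatenated into a shell string.
    Any shell metacharacter in `host` (';', '|', '$(', backticks) would be
    interpreted by the shell if this string were run with shell=True."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allow-list validation: accept only an IP literal or a DNS hostname."""
    try:
        ipaddress.ip_address(host)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(host))


def hardened_ping_argv(host: str) -> list[str]:
    """Hardened form: reject anything outside the allow-list, then return an
    argv list. Passing a list to subprocess never invokes /bin/sh, so the
    input is a single literal argument whatever characters it contains."""
    if not is_valid_host(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Request handler body: validate, then run with a bounded timeout."""
    return subprocess.run(hardened_ping_argv(host), capture_output=True,
                          text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    # Constructed inputs: a benign host and one carrying a shell metacharacter.
    for candidate in ("192.168.1.10", "127.0.0.1; uname -a"):
        print("weak string :", vulnerable_ping_command(candidate))
        print("allow-listed:", is_valid_host(candidate))
```

The weak form is printed only to show how the untrusted value lands inside the command; a penetration tester reviewing an IoT web interface looks for exactly this pattern, and the fix is the validation plus argv call, not escaping.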
Second, the network infrastructure interconnecting IoT objects is often vulnerable, and when many IoT devices share a single network, an attack needs only a single successful exploit. It is important to use both automated tools and manual penetration testing methods to perform complete, specialized penetration testing of the network infrastructure, its associated cryptographic schemes, and its communication protocols.
Finally, it is critical to scan the proprietary programs that make up the entire system architecture. According to the seventh “Open Source Security and Risk Analysis” (OSSRA) report, 81% of the audited codebases contained at least one vulnerability. This reflects immense heterogeneity and complexity in the codebases—hence it is important for experienced penetration testing professionals to use intelligent gray box testing to achieve excellent coverage of the test types required for a comprehensive penetration test.
It is key to build a comprehensive security defense posture with governance by code, policy management, and coaching of team members to secure the entire software development life cycle (SDLC). As software releases become more frequent and more complex, penetration testing is an easy process for security professionals to periodically test their defenses, identify gaps, and drive remediation with the product development teams. By conducting sophisticated penetration testing that includes diverse attack vectors such as wireless, client-based, and web application attacks, organizations gain deeper insight into the business risks of these vulnerabilities, enabling them to configure an appropriate defense posture suited to their ecosystem.