
Pentester’s Guide to IoT Penetration Testing

Uladzislau Murashka
July 2, 2018

IoT penetration testing specifics from a certified ethical hacker with 5+ years of experience.

With the growing risk to IoT security, penetration testing vendors face multiple queries from companies and individuals who want their IoT environment tested against potential cyber-attacks. Usually, security service providers don't have dedicated IoT penetration testing specialists, so the work must be performed by a regular security team. What are the specifics of IoT penetration testing? Let's dig deeper into the topic.


Basic IoT architecture

Tapping into IoT penetration testing, security engineers may wrongly consider this domain less challenging, since an IoT environment lacks the most common vulnerability: human error (according to CompTIA, this is the major cause of 52% of security breaches). Most Internet attacks involve a user clicking a malicious link or opening an infected email. In an IoT environment, there is no one to lure, so it seems harder to break into. This supposition is deceptive. Here's what CSO says about IoT breaches in 2017: "Aruba Networks, Hewlett Packard Enterprise wireless networking subsidiary, has revealed that 84 percent of companies have already experienced some sort of IoT breach in a new study involving over 3,000 companies across 20 countries". Intruders have more opportunities to breach an IoT system, as its architecture comprises a number of elements, each of which is a potential target for an attacker.

Typically, an IoT architecture consists of the following components:

  • Things: Smart devices equipped with sensors and actuators.
  • IoT field gateways: Border elements that provide connectivity between things and the cloud part of an IoT solution.
  • Cloud gateways: Components facilitating data compression and transmission between the gateways and cloud servers.
  • Streaming data processor: An element ensuring a smooth transition of input data to a big data warehouse and control applications.
  • Data storage: Consists of a data lake (stores unprocessed data in the form of "streams") and a big data warehouse (stores filtered and structured data, as well as context information about smart devices, sensors, commands from control applications).
  • Data analytics: A unit that uses information from the big data warehouse to establish data patterns and gain meaningful insights.
  • Machine learning: Generates and regularly updates models, based on the historical data accumulated in the big data warehouse, that are used by control applications.
  • Control applications: Components that send automatic commands and alerts to actuators.
  • Client-server system: Consists of a user business logic component (the server side), a mobile application and a web application (the client side).

Full-scale IoT penetration testing goes beyond smart devices and should cover all IoT system elements.

Testing IoT components

Let's take a closer look at what exactly should be tested.


Penetration testing is executed on the following elements of things:

  • UART, JTAG and SWD ports: exposed debug ports allow a pentester to get root access and to view and modify sensitive data.
  • Flash memory chips: checked to determine whether the firmware can be dumped.
  • Bus sniffing: attackers may sniff clear-text data exchanged between components and gain access to sensitive information.

Additionally, pentesters check external peripheral devices (headphones, keyboard, mouse, etc.), as they are connected to the thing via USB and may contain hidden vulnerabilities.
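A dumped firmware image is where the clear-text data the list above warns about usually surfaces. The following is an added example, not code from the article or from ScienceSoft: a small Python audit that scans a constructed sample "flash dump" (the `SAMPLE_FIRMWARE` bytes are made up for the demo and come from no real device) for the classes of finding a firmware review should flag: embedded private keys, hard-coded credentials and API keys, and plain `http://` endpoints. The pattern set and function names are this example's own choices.

```python
import re

# Constructed sample of what a flash dump might contain: a few binary sections
# with embedded ASCII strings. This is NOT an image from any real device.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"MQTT_URL=http://broker.example.invalid:1883\x00"   # cloud endpoint without TLS
    + b"\xde\xad\xbe\xef" * 8
    + b"wifi_password=SuperSecret123\x00"                  # hard-coded credential
    + b"\x00" * 8
    + b"api_key: 0123-4567-constructed\x00"                # hard-coded API key
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed)\n-----END RSA PRIVATE KEY-----\n"
    + b"\xff" * 32
)

# Each pattern names one class of finding a firmware review should flag.
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential": re.compile(
        rb"(?i)(?:password|passwd|pwd|secret|api[_-]?key)\s*[=:]\s*[^\s\x00]+"),
    "cleartext_url": re.compile(rb"http://[^\s\x00\"']+"),
}


def printable_strings(blob, min_len=8):
    """Yield (offset, text) for runs of printable ASCII, like the `strings` tool."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group(0).decode("ascii")


def find_plaintext_secrets(blob):
    """Return a list of (kind, offset, matched_text) sorted by offset."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(blob):
            findings.append((kind, m.start(), m.group(0).decode("ascii", "replace")))
    findings.sort(key=lambda f: f[1])
    return findings


def audit_report(blob):
    """Count findings per kind; an all-zero report is the goal before release."""
    report = {kind: 0 for kind in PATTERNS}
    for kind, _, _ in find_plaintext_secrets(blob):
        report[kind] += 1
    return report


if __name__ == "__main__":
    for kind, offset, text in find_plaintext_secrets(SAMPLE_FIRMWARE):
        print(f"{offset:#08x} {kind:14} {text[:60]}")
    print(audit_report(SAMPLE_FIRMWARE))
```

Run it against a real dump by replacing `SAMPLE_FIRMWARE` with the file contents; anything the report counts should either be removed from the image or moved into per-device, write-once storage before the product ships.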

IoT field gateways and the cloud part

IoT field gateways, cloud gateways, the streaming data processor, data storage, data analytics, and the web, mobile and control applications are tested using the following stages of the black box technique:

  • Reconnaissance
  • Scanning
  • Enumeration
  • Gaining access
  • Privilege escalation and maintaining access.

Ideally, the server side of the client-server system (the user business logic component) should be tested with the white box technique. Having access to the code allows a pentester to understand and check all business functions of the application. This IoT component may also be tested with the black box technique if a pentester doesn't have access to the code.

And what about the machine learning block? This element gets its data from the big data warehouse (which is already tested), so it doesn't require separate testing.

Experienced IoT penetration testers would acknowledge that the most critical targets in the whole IoT solution are:

  • IoT field and cloud gateways, as these are border elements: the former sits between the Internet and the IoT system, the latter between the Internet and the cloud.
  • Streaming data processor, as it handles all data flows and is also placed near the border.
  • Data analytics unit, as it can be accessed through the web.
  • Client-server applications, as they face the Internet as well.

According to OWASP, testing these IoT components requires special attention to the lack of HTTPS, authentication problems (such as username harvesting) and whether accounts are locked out after a number of brute-force guessing attempts.
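Username harvesting and missing lockouts are easiest to see side by side in a login handler. The following is an added example, not code from the article or from OWASP: a weak Python login function next to a hardened one, plus the regression check a tester would keep in the suite. The user records, passwords and thresholds (`MAX_FAILED_ATTEMPTS`, `LOCKOUT_SECONDS`) are constructed for the demo; the `now` parameter is an assumption made so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5      # failed logins before the account is locked (demo value)
LOCKOUT_SECONDS = 300        # how long the lock lasts (demo value)
GENERIC_FAILURE = "invalid credentials"
PBKDF2_ROUNDS = 50_000       # kept low for the demo; use more in production


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_demo_store():
    """Constructed user database (username -> record); not real accounts."""
    store = {}
    for name, pw in (("alice", "correct horse"), ("bob", "battery staple")):
        salt = secrets.token_bytes(16)
        store[name] = {"salt": salt, "hash": _hash_password(pw, salt),
                       "failed": 0, "locked_until": 0.0}
    return store


def login_leaky(store, username, password):
    """Weak handler: distinct messages (and an early return that skips the
    hash for unknown users) reveal which usernames exist, and nothing ever
    locks an account, so password guessing can run indefinitely."""
    user = store.get(username)
    if user is None:
        return "unknown user"
    if _hash_password(password, user["salt"]) != user["hash"]:
        return "wrong password"
    return "ok"


# Used for unknown users so the hardened handler does the same work either way.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = _hash_password("constructed-dummy", _DUMMY_SALT)


def login_hardened(store, username, password, now=None):
    """Hardened handler: one generic failure message, the same hashing cost for
    known and unknown users, constant-time comparison, and a temporary lockout
    after MAX_FAILED_ATTEMPTS wrong passwords. `now` is injectable for tests."""
    now = time.monotonic() if now is None else now
    user = store.get(username)
    salt, expected = (user["salt"], user["hash"]) if user else (_DUMMY_SALT, _DUMMY_HASH)
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if user is None:
        return GENERIC_FAILURE
    if now < user["locked_until"]:
        return GENERIC_FAILURE          # locked: reject even a correct password
    if not password_ok:
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failed"] = 0
        return GENERIC_FAILURE
    user["failed"] = 0
    return "ok"


def leaks_user_existence(login_fn, store, known_user="alice"):
    """Regression check: compare the failure response for an existing user
    (wrong password) with the response for a random non-existent user.
    Any difference is a username-harvesting oracle."""
    wrong = "definitely-not-the-password"
    existing = login_fn(store, known_user, wrong)
    missing = login_fn(store, "no-such-user-" + secrets.token_hex(4), wrong)
    return existing != missing


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(fn.__name__, "leaks user existence:",
              leaks_user_existence(fn, make_demo_store()))
```

The check only compares response bodies; in a real assessment the tester also compares status codes, headers and response times, which is why the hardened version hashes a dummy password for unknown users instead of returning early.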

On IoT penetration testing tools

The arsenal of IoT penetration testing tools comprises familiar names widely used in traditional security testing: the Metasploit framework for penetration testing, scanners (Nmap, Burp Suite, ZMap, Nessus) and scripting languages (e.g., Python, Perl). In addition, it's good practice to create custom IoT penetration testing tools that suit a particular environment (e.g., to support real-time operating systems).


Skills required

IoT penetration testing is not a new domain. It requires a penetration tester to have a proper understanding of the IoT architecture, as well as skills in black box and white box testing. For now, there are no federal acts that regulate IoT security compliance, but 2018 is set to become the year when both the US and European cybersecurity authorities introduce strict regulations on IoT data protection. So, stand poised, dear pentesters! Your skills and knowledge will play a leading role in assuring full security compliance of your customers' IoT systems.

Uladzislau Murashka

Certified Ethical Hacker at ScienceSoft with 5+ years of experience in penetration testing. Uladzislau’s spheres of competence include reverse engineering, black box, white box and gray box penetration testing of web and mobile applications, bug hunting and research work in the area of Information Security.