Device Testing/IOT testing


Laptop and Mobile Device Security Reviews

A security review of a company laptop or mobile device requires a tester to assess the security of the device hardware, operating system, applications and locally stored data for potential vulnerabilities. The ultimate goal is to see if sensitive data can be accessed locally or externally - typically from the perspective that the device is lost or has been stolen.

Why do you need a laptop/mobile device security review?

Mobile devices are being increasingly adopted by large organisations and SMEs for their portability, functionality, and improving support for existing internet technologies. If such devices are lost or stolen, it is critical that the interception of such a device cannot pose a risk of data leakage or unauthorised access to corporate network resources.

How can we help you?

Company laptops and smart phones can have the same privileged access to business data resources as a desktop connected to the internal corporate network. Internal security policies often cannot map fully onto mobile devices and therefore such devices can be exposed to risk. Business laptops and mobile devices typically have trust relationships with the corporate network. As part of our testing methodology, we attempt to subvert or elevate any available privileges to gain access to data and services - reporting any entry points or opportunities for further attacks.

ProCheckUp currently offers the following services in this area:

  • Android Device Security Review
  • iPhone Security Review
  • iPad Security Review
  • Laptop Security Review (Stolen Laptop Case Study)

As part of the security review, our testers provide comprehensive testing of the laptop or mobile device hardware, operating system, applications, and locally stored data for security issues related (but not limited) to the following:

  • Cached or unlocked credentials
  • Weak password policies
  • Sensitive data disclosure
  • Encryption vulnerabilities
  • Information leakage
  • Missing security patches
  • Local Security Policy Circumvention

Working with a personal account manager and dedicated member of the technical team, we will support and guide your company from initial enquiry stage through to fixing vulnerabilities. You can read more about our processes here.

Please contact us for more information on how ProCheckUp Device Testing/IOT testing Services can help you.

IOT Testing

ProCheckUp can help you secure your IoT devices with our IoT testing and certification solutions. 

We have a state-of-the-art IoT laboratory which enables us to address the increasing risks posed by technology developments in the area of connected devices. We also offer assurance for IoT functionality.

ProCheckUp uses the following IoT testing methodology:

Mapping the attack surface

This step helps the architecture of the solution to be understood, and helps establish the various tests that would be run on the product, sorted by priority.

The architecture can broadly be divided into three categories: 

1) Embedded device

These devices include hubs, smart lightbulbs, motion sensors, smart switches and additional connected devices.

2) Firmware, software and applications

After hardware testing, the next component to be tested is software.

This includes firmware running on the device, mobile applications which are used to manage the device and the cloud components connected to the device.

3) Radio communications

Radio communications provide a way for some devices to communicate with each other. Some of the radio communications used are Cellular, Wi-Fi, Bluetooth low energy, Zigbee, Z-Wave and more.

Embedded device – hardware analysis

This stage allows us to understand the device's hardware from a security perspective by using both internal and external analysis. This consists of two stages:

External Analysis

Cellular, Wi-Fi, Bluetooth low energy, Zigbee, Z-Wave and more

Internal Analysis

Internal interfaces: USB, Serial, JTAG, SPI

Embedded device – Gaining shell access

At this stage we would attempt to gain shell access to the device, using the following techniques:

Ethernet Exploitation

Protocol implementation weakness.

Wireless Exploitation

HackRF, KillerBee, Ubertooth

USB Exploitation

PoisonTap, BashBunny and Facedancer21

UART Exploitation

Identifying the connections, identifying the baud rate, and interacting with the device to gain a shell.

I2C/SPI Exploitation

Identifying the connections, and reading from and writing to the EEPROM.

JTAG Exploitation

Identifying the connections, and reading from and writing to the EEPROM. Reading memory contents. Analysing binaries.

Embedded device – Firmware Analysis

From a security perspective, firmware is the most critical component of an embedded device. Firmware resides on the non-volatile section of the device, allowing and enabling the device to perform different tasks required for the functioning of the device.

Obtaining the firmware

  • Downloading from the Internet
  • Extracting from the device
  • Sniffing during an update
  • Reversing applications

Extracting firmware

  • Manual method
  • Automated method - binwalk

Looking for hardcoded secrets

  • firmwalker
  • credentials, backdoor, sensitive URLs, access tokens, local pathnames
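
As an added illustration (not ProCheckUp's tooling and not firmwalker itself), the following Python sketch audits an already extracted firmware filesystem for the categories listed above. The regular expressions, function names and the sample tree are all constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Constructed patterns for the categories named above; a real audit tunes these.
PATTERNS = {
    "credential": re.compile(rb"(?i)\b(?:passw(?:or)?d|secret)\s*[=:]\s*[\"']?([^\s\"']{4,})"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "url": re.compile(rb"(?i)\b(?:https?|ftp|mqtt)://[^\s\"'<>]+"),
    "access_token": re.compile(rb"(?i)\b(?:api[_-]?key|token)\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{16,})"),
    "shadow_hash": re.compile(rb"^[a-z_][a-z0-9_-]*:\$(?:1|5|6|y)\$[^:]+:", re.M),
}

def scan_rootfs(root):
    """Return sorted (relative_path, category, line_no) findings under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # skip symlinked files, which may point outside the extracted tree
        data = path.read_bytes()
        for category, rx in PATTERNS.items():
            for m in rx.finditer(data):
                line_no = data.count(b"\n", 0, m.start()) + 1
                findings.append((path.relative_to(root).as_posix(), category, line_no))
    return sorted(findings)

def build_sample_rootfs(root):
    """Constructed sample tree standing in for an extracted firmware filesystem."""
    files = {
        "etc/shadow": "root:$1$abcdefgh$0123456789abcdefghijkl:0:0:99999:7:::\n",
        "etc/cloud.conf": "# cloud\nendpoint=https://api.example.invalid/v1\napi_key=AAAAAAAAAAAAAAAAEXAMPLE\n",
        "usr/bin/startup.sh": "#!/bin/sh\nPASSWORD=changeme123\n",
        "etc/motd": "welcome\n",
    }
    for rel, text in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        for rel, category, line_no in scan_rootfs(tmp):
            print(f"{rel}:{line_no}: {category}")
```

Each finding is a lead for manual review rather than a confirmed issue; the value of the scan is in showing which shipped files need a key-management or data-store decision before release.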

Embedded device – Backdooring the firmware

Backdooring the firmware is one of the main security issues which IoT devices face.

Perform integrity checks and signature validation.

Firmware, software and applications - Auditing the file system and programs in use

At this stage, the operating system is audited to ensure that industry hardening best practices are followed.

Key management audit

Data store audit

Firmware release diffing

Firmware, software and applications - Analysing binaries

Disassembly and emulation of firmware binaries, running the binaries so we can analyse/exploit them.

Firmware, software and applications - Exploiting binaries

Looking for security vulnerabilities within the binaries/setting breakpoints, and creating exploits.

Cloud and supporting network audit

User Interface audit - Web/iOS/Android/API/thick client

Mobile application tests – see section on mobile application testing


Download our sample IOT report.

Please contact us for more information on how ProCheckUp IOT Testing Services can help you.

