#Infosec17 IoT Testing Must Focus on the Entire Ecosystem

Written by

Security professionals need to evaluate entire IoT ecosystems rather than focus on individual elements if they want testing to be as accurate as possible, according to Rapid7.

The firm’s research lead, Deral Heiland, explained that the interconnected nature of separate IoT components demands a holistic approach to testing covering: embedded hardware; mobile and control applications; cloud APIs and web services; network communication; and data.

“When you want to test an IoT solution, if you test the product alone your test is insufficient, and if you test just the cloud APIs that’s not enough,” he argued.

“You’ve got to look at the entire ecosystem …What happens in the cloud can impact the hardware … and if you compromise the hardware, it could lead to a compromise of the mobile or cloud elements.”

Effective IoT testing should follow an eight-step process starting with a functional evaluation which takes the product and puts it in a “normal operating stance”. From here, its various features, functions, components and communication paths can be examined, said Heiland.

Next comes device reconnaissance; that is, finding out info including its software version, vulnerability history, whether it uses any open source tech, if it's white labelled, and so on.

Often user manuals, spec sheets and even information from regulators such as the FCC can help with intel gathering here, said Heiland.

The testing should continue on with cloud and web APIs, the mobile and control apps, and networks, looking at things like use of encryption, access controls and communication.

It’s also important to take a look inside the hardware at its chips, ports and circuit connections, and to test for physical device attacks by reverse engineering the firmware and checking configurations.

Radio RF emissions form the final component that needs evaluating, said Heiland.

“Too many products are going out with common repeatable vulnerabilities that could be easily removed with better testing,” he concluded. “[Every time I] dig into the IoT system, looking at the eight steps, I learn something new, and every time I learn something new it becomes possible to make better products for everybody.”

Heiland’s words come as new research this week highlighted the huge number of vulnerabilities in IoT systems. High-Tech Bridge claimed that 98% of web interfaces and admin panels in IoT devices have fundamental security problems.

What’s hot on Infosecurity Magazine?