IoT Pentesting Fundamentals
IoT (Internet of Things) security testing spans hardware, firmware, wireless, network, mobile, and cloud — a single device usually touches all of them. Effective testing means mapping that whole ecosystem rather than treating the device as one black box.
The IoT attack surface
| Layer | What to look at |
|---|---|
| Hardware | Debug ports (UART, JTAG, SWD), exposed flash chips, test pads |
| Firmware | Hardcoded credentials, keys, outdated components, weak update mechanism |
| Wireless | Wi-Fi, BLE, Zigbee, Z-Wave, LoRa — pairing and encryption weaknesses |
| Network | Open services, plaintext protocols, weak TLS, local APIs |
| Mobile app | Companion app secrets, insecure storage, weak auth to the device/cloud |
| Cloud | Device-to-cloud APIs, account/tenant isolation, MQTT topic access control |
A practical methodology
- Recon the ecosystem — device, app, cloud endpoints, and the protocols between them.
- Extract firmware — from an update file, the vendor site, or directly from flash; then unpack with `binwalk` and review the filesystem.
- Analyse firmware — search for credentials, keys, and certificates; identify the OS and outdated packages.
- Test the network services — enumerate open ports, inspect protocols, attempt auth bypass and command injection on local APIs.
- Examine wireless — capture and analyse pairing; check for unencrypted or replayable traffic.
- Assess the mobile + cloud path — how the app authenticates to the device and the backend; test for IDOR and weak tenant isolation.
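As an added illustration of the firmware-analysis step (this is example code written for this page, not the original's code and not firmwalker itself), a small Python scanner that walks an unpacked root filesystem and reports the artefact types listed above; the mini filesystem it builds, and every value in it, is constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Artefact patterns a firmware review typically greps for (firmwalker-style).
PATTERNS = {
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "certificate": re.compile(r"-----BEGIN CERTIFICATE-----"),
    # user:$id$salt$hash:... lines, i.e. a real password hash rather than '*' or '!'
    "shadow-hash": re.compile(r"^[^:]+:\$[0-9a-z]+\$[^:]*:", re.M),
    "hardcoded-credential": re.compile(r"(?i)\b(?:passw(?:or)?d|secret|api[_-]?key)\s*=\s*['\"]?\S+"),
    "cloud-endpoint": re.compile(r"(?:https?|mqtts?)://[A-Za-z0-9.\-]+(?::\d+)?"),
}

def scan_fs(root):
    """Walk an unpacked rootfs; return (category, relative path) for each file that hits a pattern."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")  # binaries are read loosely, strings still match
        except OSError:
            continue
        for category, regex in PATTERNS.items():
            if regex.search(text):
                findings.append((category, path.relative_to(root).as_posix()))
    return findings

def build_sample_fs():
    """Create a constructed mini rootfs containing the kinds of artefacts the review looks for."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    files = {  # all contents are constructed sample data
        "etc/shadow": "root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:18000:0:99999:7:::\n",
        "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...(constructed)\n-----END RSA PRIVATE KEY-----\n",
        "usr/bin/cloud-agent.sh": "#!/bin/sh\nAPI_KEY='constructed-example-key'\n"
                                  "curl https://api.example-vendor.invalid/v1/telemetry\n",
        "etc/os-release": "ID=openwrt\nVERSION_ID=18.06\n",  # OS/version hint, not a finding by itself
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root

if __name__ == "__main__":
    for category, rel in scan_fs(build_sample_fs()):
        print(f"{category:22} {rel}")
```

Point `scan_fs` at the directory `binwalk -e` produced to triage a real image; each hit still needs manual review, since the patterns flag candidates, not confirmed weaknesses.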
Common findings
- Hardcoded or default credentials in firmware
- Unauthenticated UART/serial console giving a root shell
- Unsigned firmware updates (no integrity / authenticity checks)
- Plaintext device-to-cloud communication
- Companion app trusting the device or backend implicitly
Starter tooling
- Firmware: `binwalk`, `firmware-mod-kit`, `firmwalker`, Ghidra
- Hardware: logic analyzer, USB-UART adapter, Bus Pirate, flashrom
- Wireless: Ubertooth (BLE), HackRF, Wireshark
- Network: `nmap`, `mosquitto` clients (MQTT), Burp Suite
Always test only devices you own or are explicitly authorised to assess.