Application developmentIoTLinkedin postsPen testing

IoT, smart fridges and hackers

February 2017:  Audent takes leading role in IoT security testing.

The first example of a smart domestic device security breach was with an internet enabled fridge.  Hackers took advantage of a flaw in the way a smart fridge fails to validate SSL certificates, making ‘man-in-the-middle’ attacks possible.  Login details from a Gmail account were obtained.

The explosion of IoT devices in domestic, corporate and healthcare environments has huge implications on personal safety. Internet access is now enabled within our cars, fridges, vacuum cleaners, heating systems, utilities and wearable technology such as medical diagnostic tags. Risk from cyber crime is growing at an exponential rate.

Audent has responded to this demand with a team of 25 testing experts covering all aspects of IoT.  Working on devices before they are released and also building assurance standards openly shared throughout the IoT community.

The teams working for Audent are well known and respected in their space, and below are some of their achievements and project highlights:

IoT Experiences:

  • Smart Health Monitor Device: Security assessment of smart health monitoring IoT product from one of the largest international medical/home automation device manufacturer.
  • Smart Vacuum Cleaning Robot: Performed controlled attack and penetration activities to assess the overall level of security of Smart Vacuum Robot from one of the International smart home appliance manufacturer.
  • Smart Food Processor: Performed penetration testing of Smart food processor appliance from one of the largest smart food processor manufacturer.
  •  Other smart domestic heating control devices.
  •  Provide training on IoT, Web, Android and IOS exploitation.

Web, Infrastructure and Mobile Application Experiences:

  • Security assessment of MDM solution, IOS and Android app of a consulting company in Germany.
  • Web Mobile and Network security assessment of various telecom companies. Security testing of large payment gateway.
  • Green field security testing for a government agency who are actively targeted by state sponsored/APT attacks.
  • Hardware/Embedded: Found and reported various issues, such as, buffer overflow in Linksys router, malicious command injection and encryption bypass in Kankun smart plug (IoT device).
  • Fuzzing Infrastructure: We have developed a state of the art in-house infrastructure for fuzz testing of various software. We regularly report bugs we find via fuzzing to product vendors.

Background:

  • Discipline Fusion: our ultimate objective is to secure clients’ systems rather than just finding vulnerabilities and suggesting a few technical steps.  Therefore, Cyber security strategy and defence consultants (who have worked at CISO level of highly secure organisations) are engaged after the security testing is completed by the penetration testing team in order to devise pragmatic risk mitigation solutions.
  • Post-Testing Support:  full support is provided to the client even after the report is presented to help remediate any vulnerabilities that are discovered during the engagement.  we are happy to advise on remediation after testing on an unlimited basis.
  • Organisation Focused Reporting:  a technical vulnerability with “High” criticality for one organisation may be a “Low” criticality for another organisation.  Therefore, our business aware security assessment reporting specifically considers and includes business specific risks in addition to the standard assessment process.
  • Specialist Testing: The security testing of various components, such as, Web App, Infrastructure, hardware devices is conducted by specialists in that area.
  • Research Led Security: Our team members spend a big percentage of their time researching vulnerabilities, crafting exploits, and training that provides them more techniques in their arsenal which they use in real world testing rather than just using the standard pen testing toolset.

Contact us if you would like to explore how we make a difference with our unique penetration testing, especially our unlimited remediation services.  Contact us.