
IoT Penetration Testing & Device Security Assessment

We evaluate IoT devices and their supporting platforms for software-side vulnerabilities such as firmware flaws, insecure network protocols, and weak authentication.


What is IoT Penetration Testing & Device Security Assessment?

IoT penetration testing is a security assessment of connected devices and their supporting platforms, covering firmware static analysis from a supplied binary, network protocol security, authentication mechanisms, companion mobile app review, and cloud backend APIs.

Testing Checklist

Every engagement covers these critical security areas.

Firmware static analysis (from supplied binary)
Hardcoded credentials and keys
Default and weak authentication
Unencrypted communication channels
MQTT/CoAP protocol security
OTA update mechanism security
Cloud API backend vulnerabilities
Bluetooth/BLE security testing
Communication between devices
Companion mobile app review
Data storage and privacy review
Certificate and key management

Testing Methodology

A structured, repeatable process that ensures thorough coverage and actionable results.

STEP 01

Device Profiling

Identify device model, firmware version, communication protocols, and cloud backend integrations for attack surface mapping.

STEP 02

Firmware Static Analysis

Statically analyze the firmware binary supplied by the customer for hardcoded credentials, insecure configurations, vulnerable libraries, and backdoor access points.

STEP 03

Communication Testing

Intercept and analyze communications between device, cloud, and companion app for encryption and authentication weaknesses.

STEP 04

Authentication & Access Control

Test default credentials, authentication mechanisms, pairing processes, and access control enforcement on device and cloud APIs.

STEP 05

Companion App Review

Assess the companion mobile app for authentication flaws, insecure storage, hardcoded API keys, and authorization gaps.

STEP 06

Reporting & Remediation

Deliver IoT findings with firmware hardening recommendations and secure communication implementation guidance.

Want to scope your IoT pentest engagement? Both founders take the discovery call.

Framework Alignment

Our methodology is aligned with industry-recognized security frameworks for thorough coverage and compliance readiness.

OWASP IoT Top 10
PTES
ETSI EN 303 645

Compliance Coverage

ETSI EN 303 645: Consumer IoT security baseline
FDA 510(k): Medical device cybersecurity

Deliverables

What you walk away with at the end of every engagement.

01

Executive summary with IoT risk overview

02

Firmware static analysis and vulnerability report

03

Communication protocol security assessment

04

Companion mobile app security findings

05

Remediation guide for IoT developers

06

Free retest within 30 days

Frequently Asked Questions

What is IoT penetration testing?

IoT penetration testing is a security assessment of connected devices and their supporting platforms, covering firmware static analysis from a supplied binary, network protocol security, authentication mechanisms, companion mobile app review, and cloud backend APIs.

What is in scope for IoT pentest?

Cloud backend APIs, communication protocols (MQTT, CoAP, HTTPS, BLE), authentication and access control, firmware static analysis from a supplied binary, companion mobile apps, and OTA update mechanisms. Hardware extraction and JTAG, UART, or SPI testing are out of scope.

How do you do firmware static analysis in an IoT pentest?

Firmware static analysis at Cybersecify starts with a supplied binary (vendor-provided image, OTA artifact, or factory dump). We extract the filesystem with binwalk, identify the architecture and bootloader, then disassemble user-space binaries with Ghidra or IDA Free for authentication routines, command execution paths, and hardcoded secrets. We grep the filesystem for AWS, Azure, or GCP keys, hardcoded credentials, private SSL keys, debugging endpoints left enabled, telnet or SSH backdoors, and known-vulnerable library versions (BusyBox, OpenSSL, libcurl). We map signed-vs-unsigned firmware partitions and test OTA signature verification. Out of scope: physical hardware extraction (JTAG, UART, SPI flash dumping). If you can provide the firmware binary, we can analyze it.
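The "secret grep" step above is easy to underestimate: a plain `grep` for "password" misses PEM blocks in odd locations, hashed accounts in `/etc/shadow`, and services started from init scripts. The script below is an added example, not Cybersecify's tooling or any vendor's code. It assumes the firmware image has already been unpacked (for instance by binwalk) into a directory and walks that tree with a small set of patterns; the mini root filesystem it scans is constructed inline so it runs offline.

```python
"""Scan an extracted firmware root filesystem for hardcoded secrets and
risky service startup lines. Added example; the sample filesystem is
constructed in a temporary directory, so nothing real is read."""
import re
import tempfile
from pathlib import Path

# Public formats (AWS access key ids, PEM headers) plus heuristics that give
# the reviewer leads; every hit still needs manual confirmation.
PATTERNS = {
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_pem": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # account with a real password hash ($id$salt$hash) rather than * or !
    "shadow_hash": re.compile(rb"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:\n]+:", re.M),
    # telnetd launched from an init script is a classic maintenance backdoor
    "telnetd_in_init": re.compile(rb"^\s*(?:/usr/sbin/)?telnetd\b", re.M),
    "password_assignment": re.compile(rb"(?i)\b(?:passw(?:or)?d|secret)\s*=\s*['\"]?[^\s'\"\x00]{4,}"),
}
SKIP_DIRS = {"proc", "sys", "dev"}
MAX_FILE_BYTES = 8 * 1024 * 1024  # do not slurp large blobs into memory


def scan_rootfs(root):
    """Return (relative path, finding name, line number) for every hit."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root)
        if any(part in SKIP_DIRS for part in rel.parts):
            continue
        try:
            data = path.read_bytes()[:MAX_FILE_BYTES]
        except OSError:
            continue
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(data):
                line_no = data.count(b"\n", 0, match.start()) + 1
                findings.append((str(rel), name, line_no))
    return findings


def build_sample_rootfs(base):
    """Write a constructed mini root filesystem under base (sample data only)."""
    files = {
        "etc/shadow": b"root:$1$abcdefgh$somehashvalue:19000:0:99999:7:::\n"
                      b"nobody:*:19000:0:99999:7:::\n",
        "etc/init.d/rcS": b"#!/bin/sh\nmount -a\ntelnetd -l /bin/sh\n",
        "etc/cloud.conf": b"region=us-east-1\naws_key=AKIAIOSFODNN7EXAMPLE\n",
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n"
                              b"-----END RSA PRIVATE KEY-----\n",
        "usr/bin/app": b"\x7fELF...\x00password=hunter2\x00",
        "usr/share/readme.txt": b"Nothing to see here.\n",
    }
    for rel, content in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def scan_sample():
    """Build the constructed filesystem in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        return scan_rootfs(tmp)


if __name__ == "__main__":
    for rel, name, line_no in scan_sample():
        print(f"{rel}:{line_no}: {name}")
```

On a real extraction, call `scan_rootfs("/path/to/_firmware.bin.extracted/squashfs-root")` and treat each hit as a lead: the AWS key id and PEM hits are near-certain findings, the `password=` and shadow-hash hits need the surrounding code or the hash strength checked before they go in the report.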

How do you test MQTT and CoAP IoT protocols in a pentest?

MQTT pentest covers broker exposure (port 1883 unauthenticated or 8883 with weak TLS), topic ACL gaps (wildcard subscribe, cross-tenant topic read or write), Last Will and Testament abuse, retained-message disclosure, client-ID hijack, and SUBSCRIBE flood denial of service. We use Mosquitto clients, MQTT-PWN, and custom Python scripts. CoAP pentest covers DTLS handshake validation, observe-relationship abuse, block-transfer disclosure, and amplification-attack potential (CoAP runs over UDP). Both protocols are tested against the broker or gateway you supply, with documented topic and resource scope. Findings include exact reproduction commands and a remediation per protocol layer (broker config, TLS pinning, ACL templates).
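Most of the topic ACL gaps listed above (anonymous read, root wildcard grants, one user able to subscribe across every device's topics) are visible in the broker's ACL file before any traffic is sent. The linter below is an added example, not Cybersecify's tooling or a Mosquitto project utility. It parses the documented Mosquitto `acl_file` syntax (`topic`, `user` and `pattern` lines, with topic lines before the first `user` line applying to anonymous clients) and flags the patterns an ACL review looks for; the sample ACL is constructed, not taken from any deployment.

```python
"""Lint a Mosquitto-style acl_file for common topic authorization gaps.
Added example; SAMPLE_ACL is constructed."""

SAMPLE_ACL = """\
# Constructed sample acl_file, not from a real broker.
# topic lines before the first 'user' line apply to anonymous clients
topic read sensors/#

user fleet-admin
topic readwrite #

user device-1001
topic readwrite devices/device-1001/#

user dashboard
topic read devices/+/telemetry

pattern readwrite devices/%u/#
pattern read shared/config
"""


def parse_acl(text):
    """Return (principal, kind, access, topic) tuples in file order.

    principal is "<anonymous>" before the first user line, the user name
    after it, or "<pattern>" for pattern lines; kind is "topic" or "pattern".
    """
    entries = []
    principal = "<anonymous>"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            principal = parts[1]
        elif parts[0] in ("topic", "pattern") and len(parts) in (2, 3):
            access = parts[1] if len(parts) == 3 else "readwrite"  # mosquitto default
            who = "<pattern>" if parts[0] == "pattern" else principal
            entries.append((who, parts[0], access, parts[-1]))
        else:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
    return entries


def crosses_boundary(topic):
    """True when a wildcard sits anywhere except as a trailing '#' segment,
    i.e. the grant spans more than one device or tenant prefix."""
    *body, last = topic.split("/")
    return any(seg in ("+", "#") for seg in body) or last == "+"


def lint_acl(text):
    """Return (severity, principal, topic, message) findings."""
    findings = []
    for who, kind, access, topic in parse_acl(text):
        if access == "deny":
            continue
        if who == "<anonymous>":
            findings.append(("high", who, topic,
                             f"anonymous clients get {access} access; set allow_anonymous false"))
        elif topic == "#":
            findings.append(("high", who, topic,
                             f"{access} on every topic; scope the grant to a prefix"))
        elif who != "<pattern>" and crosses_boundary(topic):
            findings.append(("medium", who, topic,
                             "wildcard reaches across device/tenant prefixes; confirm it is required"))
        if kind == "pattern" and "%u" not in topic and "%c" not in topic:
            findings.append(("medium", who, topic,
                             "pattern line without %u/%c applies to every client; use a topic line under a user"))
    return findings


if __name__ == "__main__":
    for severity, who, topic, message in lint_acl(SAMPLE_ACL):
        print(f"[{severity}] {who} {topic}: {message}")
```

The per-device entry (`devices/device-1001/#`) and the `%u` pattern line pass, which is the shape the ACL template in a remediation usually recommends: each client confined to a prefix derived from its own identity. Run it against the broker's real file with `lint_acl(open("/etc/mosquitto/acl").read())`.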

What is in scope when you pentest a companion mobile app for IoT?

The companion mobile app is a first-class scope in IoT pentest because it is the bridge between the user, the device, and the cloud. Companion app scope at Cybersecify covers everything the standalone Android or iOS pentest covers (insecure data storage, hardcoded secrets, certificate pinning bypass, intent injection on Android, URL scheme hijacking on iOS, root and jailbreak detection bypass, Frida hookability) plus IoT-specific surface: device-pairing protocol (BLE provisioning, soft-AP credentials, QR-code claim tokens), local-LAN device discovery and direct control APIs, OTA trigger and rollback exposure, account-takeover paths via cloud API (one user pairing a device that another user owns), and lateral movement from app to device firmware via debug or bootloader commands. An APK or IPA file is required; source code is helpful but not required.

Do you test OTA update channel security on IoT devices?

Yes. OTA update channel security is high-severity scope on every IoT engagement because a compromised update channel turns one bug into fleet-wide compromise. We test signature verification (does the device actually verify the firmware signature, or does the bootloader accept any signed-by-anyone image), rollback protection (can an attacker downgrade firmware to a known-vulnerable version), update-server authentication (TLS pinning, certificate validation, or HTTP delivery), update integrity in transit (man-in-the-middle on the update channel using mitmproxy), update authorization (which device fingerprint authorizes the update, can it be spoofed), and version-pinning gaps (forced update vs user-deferred). The OTA channel is also the most common compliance flag from enterprise IoT buyers, particularly when selling into healthcare or industrial use cases.
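The signature-verification, rollback-protection and integrity checks above are the three questions a device-side updater has to answer, and the order it answers them in matters. The code below is an added example, not Cybersecify's or any vendor's OTA implementation. HMAC-SHA256 with a device-provisioned key stands in for the asymmetric signature (Ed25519 or ECDSA against a public key in ROM or OTP) a real bootloader would verify, so it runs with only the standard library; the manifest, image and key are constructed. What it shows is that nothing inside the manifest is trusted until its signature checks out, that the version comparison blocks downgrades, and that the image digest is compared against the signed value rather than against anything delivered alongside the image.

```python
"""Verify an OTA manifest and image before installing. Added example; the
HMAC stand-in and all inputs are constructed, not production code."""
import hashlib
import hmac
import json

# Assumption: a per-device key provisioned at manufacture. A real design uses
# an asymmetric key pair so the device holds only the public half.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


class UpdateRejected(Exception):
    """Raised for any verification failure; the updater must not proceed."""


def sign_manifest(manifest, key=SIGNING_KEY):
    """Vendor side: canonical JSON bytes plus a detached signature (hex)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(manifest_bytes, signature_hex, image, installed_version, key=SIGNING_KEY):
    """Device side: return the accepted manifest or raise UpdateRejected.

    1. Signature first: no field is parsed or trusted before this passes.
    2. Rollback protection: the signed build number must exceed the installed one.
    3. Integrity: the image digest must equal the digest inside the signed manifest.
    """
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature_hex):
        raise UpdateRejected("manifest signature invalid")
    manifest = json.loads(manifest_bytes)
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        raise UpdateRejected(f"version {version} is not newer than installed {installed_version}")
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, manifest.get("sha256", "")):
        raise UpdateRejected("image digest does not match signed manifest")
    return manifest


def run_scenarios():
    """Exercise the checks on constructed inputs; returns the outcome per case."""
    image = b"\x7fELF constructed firmware image v42"
    good = {"product": "demo-cam", "version": 42, "sha256": hashlib.sha256(image).hexdigest()}
    body, sig = sign_manifest(good)
    results = {"valid": verify_update(body, sig, image, installed_version=41)["version"]}
    attacker_body, attacker_sig = sign_manifest(good, key=b"constructed-attacker-key")
    cases = {
        # manifest edited after signing (version bumped to 43)
        "tampered_manifest": (body.replace(b'"version":42', b'"version":43'), sig, image, 41),
        # a genuinely signed but older build offered to a newer device
        "downgrade": (body, sig, image, 42),
        # signed manifest delivered with a different image
        "wrong_image": (body, sig, image + b"\x00", 41),
        # manifest signed with a key the device does not trust
        "unsigned_by_vendor": (attacker_body, attacker_sig, image, 41),
    }
    for name, (m, s, img, current) in cases.items():
        try:
            verify_update(m, s, img, current)
            results[name] = "accepted"
        except UpdateRejected as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

The downgrade case is the one most often missed in practice: the image is authentic and intact, so a verifier that only checks signature and digest installs it. Keeping the version inside the signed manifest, and comparing it against a monotonic counter the device stores, is what closes that gap.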

What does BLE pentesting cover for IoT devices?

BLE (Bluetooth Low Energy) pentest at Cybersecify covers pairing security (LE Legacy Pairing with Just Works is unauthenticated, LE Secure Connections with passkey is required for sensitive devices), GATT service and characteristic enumeration (which services accept read or write or notify, what authentication is enforced), characteristic-level authorization gaps (read or write without bonding, unauthenticated notify), pairing-key extraction during initial provisioning, replay attacks on captured BLE traffic, and proximity-based attacks (BLE jamming, advertising-packet spoofing, RSSI manipulation). Tools: Wireshark with nRF52 sniffer dongle, gatttool, btlejuice, custom HCI scripts. Hardware required: a Bluetooth-supported Linux test bench. We do not do silicon-level RF analysis.

What is the difference between IoT pentest and firmware-only review?

Firmware-only review is a static analysis of the supplied firmware binary in isolation: filesystem extraction, secret grep, library CVE scan, authentication-routine review, OTA signature verification check. It produces findings about what is in the binary but does not exercise the device in a runtime or networked context. IoT pentest is broader: firmware review is one of six layers (firmware, companion app, BLE or wireless protocols, MQTT or CoAP cloud channels, cloud backend APIs, OTA channel). Pentest exercises chained attack paths, runtime exploitability, and lateral movement between layers. Firmware-only review at INR 50,000 to 75,000 is appropriate when the binary is the only artifact available. Full IoT pentest at INR 1,79,999 (Growth plan, two scopes, typically firmware plus cloud API) is appropriate for any IoT product shipping to enterprise buyers or regulated sectors.

How long does an IoT pentest take and what does it cost?

Single-scope IoT pentest at Cybersecify takes 7 calendar days under the Startup Pentest plan at INR 74,999 and covers one layer (firmware, companion app, BLE protocol, or cloud backend API). Multi-layer IoT pentest takes 10 calendar days under the Growth Pentest plan at INR 1,79,999 and covers two layers in parallel (typically firmware plus cloud backend, or companion app plus cloud backend). For a full device-to-cloud assessment covering all six layers, scope as 3 to 4 separate engagements or a custom proposal at INR 3.5 to 5 lakh. Hardware shipment to the testing bench is buyer responsibility; we work with up to three devices per engagement. All IoT pentests include 1 free retest within 30 days of report delivery.

Is IoT pentest audit-acceptable for IEC 62443, CERT-In, and ETSI EN 303 645?

Yes for IEC 62443 and ETSI EN 303 645; partial for CERT-In. IEC 62443-4-1 and 4-2 expect supplier-side security testing across the product development lifecycle; our IoT pentest reports cover the security requirements specification (SR) and component requirements (CR) testing. ETSI EN 303 645 (the IoT consumer device standard for UK PSTI Act and EU CRA alignment) maps directly to our firmware, OTA, default-credentials, and update-mechanism testing. For CERT-In hardware incident reporting compliance, our reports document discovered vulnerabilities with reproduction steps that align with the CERT-In disclosure format; however, CERT-In does not currently empanel IoT-specific testing firms separately. If your buyer requires a CERT-In empanelled vendor for IoT, that is a separate scope. We can do the testing; the empanelment letterhead has to come from an empanelled firm.

Ready to secure your IoT?

Pentest packages from INR 74,999 (~$900 / ~€830). Includes consulting hours + 1 free retest within 30 calendar days. Both founders on every engagement: Rathnakara (OSCP) leads testing, Ashok handles delivery + compliance.