IoT Security Studies
A typical IoT Penetration Test includes the following steps:
1. Determination of IoT Service Scope
2. Information Gathering
3. Vulnerability Assessment
4. Exploitation Phase
- To ensure that the security tests are carried out as effectively as possible, your needs are discussed and information is exchanged. The scope, the type of test and the required information are determined at the first security meeting.
- At this meeting, it is also decided whether physical security tests will be needed on the IoT devices and which components will be included in the test.
In this step, attack vectors on IoT devices are first determined. The basic attack vectors on an IoT device are as follows:
- Implementation of Hardware Attacks
- Firmware Reviews (Reverse Engineering, etc.)
- Implementation of Network Attacks
- Implementation of Wireless Network Attacks
- Mobile and Web Applications Penetration Tests
- Cloud Services Penetration Tests
This process starts with vulnerability assessment and with firmware and application analysis. The following steps are used in firmware analysis:
- Binary Analysis:
  - Reverse engineering,
  - Document analysis in the system (for finding sensitive information or certificates),
  - Performing all necessary application tests according to the type of application during application analysis.
- Researching Communication Protocols:
  - Determination of communication protocols (BLE, Zigbee, LoRa, 6LoWPAN),
  - Sniffing, modifying and replaying communication protocols (relay-replay attacks),
  - Jam-based attacks,
  - Third party services (mobile application API services, etc.) that then communicate with the IoT devices specified in the information collection step.
- Physical Security Tests:
  - External USB access,
  - External ports access,
  - Location and storage environment,
  - Availability of debug console access,
  - Availability of serial console access,
  - Allowed connection methods (wireless, wired, Bluetooth, etc.),
  - Test controls.
- This phase aims to exploit the vulnerabilities collected in the information gathering and vulnerability assessment sections. In this way, the party receiving the penetration test service can see the possible damage after a real cyber attack. In addition, the risks are evaluated for the vulnerabilities found. Similar vulnerabilities may have different levels of criticality based on ease of exploitation, access to the information required to exploit them, and the like.
- In this step, cyber security experts use the necessary attack techniques to show what a malicious attacker could do, while avoiding damage to the systems as far as possible.
- All detected vulnerabilities and findings are reported. The report is written in simple language that developers can understand, follows a standard format, is supported by screenshots, and is presented to the parties.
- The report consists of sections that cover the purpose and scope of the test, the general testing methodology, the security tests performed, and finally the evaluation and summary information for administrators.
The widespread use of IoT systems causes security vulnerabilities that can have dramatic effects. Cyber Security Institute conducts security research on IoT systems, monitors current vulnerabilities and performs hardware and software penetration tests. It provides detailed technical reports and executive summaries as a result of penetration tests. It contributes to raising the awareness of institutions about security and eliminating possible security vulnerabilities.
- In the Software Planning and Pre-Development Phase:
  - Helping to design a secure architecture,
  - Recommending best practices for developers to follow,
  - Integrating continuous IoT security testing into the DevOps cycle.
- During Development:
  - Iteratively evaluating the product against its security requirements,
  - Constantly reviewing code for security,
  - Incorporating a security perspective as part of an automated process.
- Post Development:
  - Performing penetration tests for all major releases,
  - Managing the security program and interacting with external developers,
  - Patch management and recommending security updates.
SGE conducts penetration tests and security audits for both public institutions/organizations and private sector companies. Penetration tests and security audits cover all components in the IT infrastructure. After the tests are completed, detailed technical reports and executive summaries are produced. In addition to technical security tests, social engineering tests are also carried out to increase the security awareness of the employees.
New exploitation methods and tools are being researched and developed by SGE researchers to perform more efficient and high-standard testing.
One of the main goals in this area is information sharing. In addition to the security tests carried out in both the public and private sectors, studies are carried out to increase the quality of such tests across the sector. Workshops are organized to determine the scope and depth of tests and to increase the quality and objectivity of test result reports, and joint projects are carried out with regulatory agencies.
Security is not a feature that can be added to software or a system after installation. It should be considered as part of the development process. Implementing security functions in the development and deployment processes is both easier and more effective.
- Secure software development trainings,
- Software source code analysis to detect vulnerabilities as a result of mistakes made while developing software,
- Risk analysis and threat modeling to make secure software development processes more effective,
- Researching and implementing new secure software development methods,
- Conducting secure software development workshops and conferences.
SGE provides information security risk analysis services for military, public and private sector organizations. Risk analysis projects can be carried out on a software and system basis. Risk analysis services are also provided within the scope of ISO 27001 certification on a corporate basis.
In this context, the business processes of the institution are analyzed and critical business processes are determined; the assets in these business processes and the dependencies between assets are identified, and asset valuation is carried out. Afterwards, the probability and impact values for the risks that affect these assets are determined and the risk values for the asset or process are calculated. Risks are documented in detail in accordance with the content of the project. In accordance with the threats, the measures are issued according to the requirements defined in the ISO 27001 and NIST SP 800-53 standards; the maturity levels of the measures are determined together with the customer and documented in accordance with the project content. Finally, after the measures have been implemented, a risk study is carried out and the remaining risk is evaluated.