NOTE: Some of the topics in this article are probably going to be a bit contentious, but part of the hope in publishing this article is to drive some additional discussion within the offensive security community Ransomware has become one of the most prevalent threats that companies face today. It [...]
The process of penetration testing IoT (Internet of Things) devices is unique and easy to overlook. Embedded components, non-standard firmware, and unique radio communications all increase the complexity of IoT device security. Despite new security challenges, there has been an exponential rise in embedded devices. IoT devices are found in enterprise, homes, or office environments.
BC Security provides advanced IoT pentesting services to identify these risks and prevent your device from being used against you – or your customers.
Application Security consists of protecting the information that is located on the user’s device and how it interacts with other devices and applications. Our application security assessment consists of three activities: Application Decompiling, Network Traffic, and Permission Misuse.
Application Decompiling
Application decompiling is a serious attack vector when secure coding practices are not employed during application development. Typically, application decompiling is focused on Android Application Packages (APKs) due to the nature of the platform.
BC Security will evaluate the application’s security posture and search for opportunities to exploit the user application in isolation in order to circumvent security measures. Specific items that will be identified during the user application bytecode analysis will be code obfuscation, hard-coded passwords and keys, firmware repositories, and over-the-air updates.
Network Traffic Analysis
Network traffic analysis requires setting up a network tap and analyzing the encrypted and unencrypted traffic to and from the application. This analysis will help build the foundation for how the application may interact with the server Application Programming Interface (API). The most common vulnerabilities identified during this test is degraded encryption schemes which may leak Personal Identifiable Information (PII), such as credit card or personal information.
Permission Misuse
Permission misuse involves evaluating the interactions the application has with other processes. In certain instances, permissions are granted to allow data leakages or elevated permission through other applications. This can be a serious security concern due to another application being used as a pivot point into applications.
Endpoint Security refers to the evaluation of the back-end servers supporting the user application and negotiation of authentication keys. These servers could also be used to store sensitive information such as firmware updates. While there are several methods to compromise a remote server, BC Security has found that problems most often manifest in the endpoint’s Simple Object Access Protocol (SOAP) or Representational State Transfer (REST) API.
BC Security uses automated tools to identify any major misconfigurations of the Endpoint servers, then will assess the API. API attacks can be broadly broken down into the following categories defined by OWASP.
Broken Authentication
Misconfiguration of authentication to the endpoint API can manifest in a variety of ways. Including no authentication required due to developers assuming users will authenticate through the front-end application to poor implementation of JSON Web Tokens.
Broken Object Level Authorization
This type of vulnerability occurs when access to objects is not properly authorized. An example of this would be changing the parameters in a web request to be able to see a different user’s account information.
Excessive Data Exposure
This most often occurs when data provided to the user is filtered by the application instead of the endpoint API, allowing for an attacker to dump all data related to an object whether users need access to that data or not. For example, when a user sends a request for the availability of a lock instead of just returning the availability data, it returns the log of all users who have accessed that lock.
Lack of Resources & Rate Limiting
API’s often don’t enforce any restrictions on request rates or the size of requests which can result in either denial of service attacks or further enable authentication attacks like brute forcing.
Broken Function Level Authorization
Front-end enforcement of user action limitations can result in APIs that fail to restrict functionality when accessed directly. This allows an attacker to perform actions above their authorization level.
Mass Assignment
Generic assignment of object properties regardless of context can allow attackers to manipulate object properties they should not have access to. An example of this class of vulnerability would be crafting a password reset request that includes a password in the request when normally one would not be present. A mass assignment vulnerability would result in overwriting the target user’s password, granting the attacker access to the account.
Injection
If an End Point API fails to validate input, it can result in injection vulnerabilities to the underlying database (SQL, NoSQL, Command Injection, etc.)
We offer a wide range of training courses to meet your needs. Please check out our courses page to see what we have to offer or the events page for pre-scheduled events.
Absolutely! We can customize any course or develop it from the ground up to meet any of your needs. Please contact us and we can discuss a specialized curriculum for your organization.
Many of our courses can be offered online. Please contact us and we can work to meet your online training needs.
You can find our current list of upcoming courses and dates here.
Penetration testing is an effective method of demonstrating tangible risk posed by a malicious actor. These comprehensive security assessments are an opportunity for organizations to baseline their security posture and look for ways to improve their stance.
Penetration testing results in a formal detailed report that outlines vulnerabilities in a system and assesses the risk they represent. The information provided is then used to remediate vulnerabilities and improve the overall security posture of the organization, web application, or device against future attacks.
White box testing focuses on identifying a products or systems defects and bugs with nearly complete information of the product or system. This type of testing is most appropriate when testing is time constrained or the current security posture is unknown. However, white box testing allows for a more exhaustive test compared to Gray and Black box tests.
Black box testing is the simplest test approach, not requiring any prior knowledge of product by the testers. This approach focuses on the products inputs and outputs which can simplify the assessment. However, this can superficially give a false sense of security due to not exhausting all potential attack paths.
Gray box testing is when a team attempts to find vulnerabilities in a system with incomplete information about the product’s inner structure, programming, or protocols.
The Internet of Things refers to the global collective of internet-facing embedded devices. These devices contain various sensors, actuators, and electronic components that interface with web-based applications and cloud environments. They are security cameras, alarm systems, thermostats, door locks, and vehicle technologies that are embedded into everyday items. With the expansion of IoT, we’re seeing a new wave of great accessibility benefits and impending security concerns.
