Internet of Things
Our comprehensive chip-to-cloud assessments cover a broad spectrum of products, from industrial and medical to security devices and everything in between.
Hardware Testing
Hardware vulnerabilities can lead to significant loss of proprietary technology and customer information. Our team will analyze your device down to the circuit for potential issues.
Typical Findings
- Debugging interfaces are active on production devices
- Chip-to-chip encryption is improperly implemented
- Hardcoded secrets are used across devices
Firmware Analysis
Our team will conduct in-depth code analysis of your firmware to identify issues that could lead to compromise. We combine manual review with static/dynamic code analysis to produce meaningful results and identify real vulnerabilities.
Typical Findings
- Mismanaged memory leading to compromise or denial of service
- Insecurely generated cryptographic secrets
- Lack of security controls around firmware upgrades
- Insecure data storage
Transport Security
Data transport often goes untested once implemented. Understanding whether your data is encrypted properly while in transit is critical.
Typical Findings
- Certificates are not validated properly
- Cryptographic libraries are implemented incorrectly
- Insecure practices such as static initialization vectors are used
Infrastructure Review
The supporting infrastructure your product relies on is crucial. Ensuring that customer data is safe and uptime is not impacted is our priority. Our team will assess your back-end environment and ensure the proper controls are in place to protect your crown jewels.
Typical Findings
- Insufficient authorization controls allow users to access unauthorized data
- Cloud infrastructure configured insecurely
- Legacy test systems exposed to the internet
Our Process
IoT truly is an ecosystem; we get that. Creating a holistic security assessment is essential to ensure unique attack vectors are not missed. The first phase of a RedSquall IoT assessment is focused on familiarization, where your team walks us through the end-to-end architecture of your product. RedSquall leverages the ASVS framework for any applicable components and designs custom testing scenarios to fill in the gaps.
Execution
The next phase involves testing each system within the product: hardware, firmware, mobile applications, APIs, cloud infrastructure, and anything else you may have integrated. Our team will review IoT-specific attack vectors such as malicious firmware upgrades, physical device exploitation, and node impersonation, to name a few. Our team leverages SAST tooling combined with manual code analysis to identify issues and produce viable attack scenarios. RedSquall prefers to collaborate with your team in real time via shared messaging channels, notifying you of vulnerabilities as soon as they are confirmed.
Delivery
Our team will deliver a detailed report documenting all findings and recommended remediation steps. Finally, a presentation is prepared for your stakeholders, where final comments and Q&A occur. Should you choose, RedSquall will validate any fixes you have made and document their status within the delivered report.