Introduction
When doing IoT security testing of a system, a robust and foolproof assessment methodology is needed, because these systems have multiple interacting components. If the assessment does not follow a set methodology, critical points of the IoT security testing could be missed.
In this blog, we will provide you with an IoT Security Cheat Sheet that you can use while penetration testing an IoT system. We'll divide the attack surface into conceptual layers and divide the IoT Security Cheat Sheet accordingly.
1. Passive Reconnaissance (OSINT)
Test cases to look for in this section of the IoT Security Cheat Sheet are:
- Patents.
- User Knowledge.
- Manuals and Documents.
2. Hardware or Physical layer
Test cases to look for in this section of the IoT Security Cheat Sheet are:
- Boot environment.
- Debug ports.
- Peripheral interfaces.
- Locks.
- Firmware.
- Tamper protection.
3. Network layer
There are 3 phases in this section of the IoT Security Cheat Sheet:
Reconnaissance
- Host Discovery
- Operating System Identification
- Topology Mapping
- Service Version detection
Network protocols/services testing
- Network traffic analysis
- Vulnerability scanning
- Service exploitation
Wireless protocol testing
- Authentication
- Encryption
- Perception layer vulnerabilities
4. Web Application Testing
Test cases to look for in this section of the IoT Security Cheat Sheet are:
- Application Mapping
- Access controls/Authorization
- Client-side controls
- Authentication
- Session management
- Application server
- Input validation
- Logical flaws
5. Cloud Security Testing
Test cases to look for in this section of the IoT Security Cheat Sheet are:
- Web Application connectivity
- Remote support
- API requests/responses
- Hardcoded secrets
6. Mobile Application testing
Test cases to look for in this section of the IoT Security Cheat Sheet are:
- Packaging
- API requests/responses
- Application
7. Review of Host Configurations
Test cases to look for in this section of the IoT Security Cheat Sheet are:
- Patch level
- User Accounts
- Account privileges
- Password strength
- Data encryption
- Server misconfiguration
- Remote maintenance
- Filesystem Access controls