Product security testing and assessment methodologies have traditionally served consumer products and enterprise applications. These programs are usually well defined, with established architectures, target markets and product development cycles that span months or years.
Enter the Internet of Things, where there are no pre-defined form factors. An “IoT product” may be a smart fridge, a pacemaker, or a traffic light in a smart city. Makers of these classes of devices are often small- and medium-sized businesses racing against large corporates and similarly sized competitors to launch their products first. They look for standards in communication protocols, software stacks and libraries, and reuse them wherever possible. But standards are few and rarely one-size-fits-all. When it comes to securing IoT products, there are myriad challenges on both the process and the technical front.
In this presentation, we discuss the new era of IoT ecosystems (which include hardware form factors, mobile applications and cloud services all working together) and the various process as well as technical challenges involved in performing security assessments and penetration tests for these solutions. We will demonstrate examples of real vulnerabilities observed in market products (consumer and industrial IoT), and discuss how and why such vulnerabilities exist. We conclude with a presentation of next-generation product security assurance and testing methodologies that are better suited for modern computing solutions such as Cloud and IoT.