With the Internet of Things (IoT) becoming increasingly popular, organizations are realizing the need to prioritize the security of their embedded systems. While many organizations are conducting regular penetration testing for their applications and networks, they often forget to evaluate the security of their connected devices. This is where embedded pen testing comes into play.
Embedded pen testing involves analyzing connected devices, including IoT products, to identify potential vulnerabilities and weaknesses. Jean-Georges Valle, a senior vice president at Kroll, a cyber risk and financial services consultancy, has written a book called “Practical Hardware Pentesting” to guide security teams and individuals in conducting effective embedded pen tests. The book, currently in its second edition, provides practical techniques for testing embedded devices for vulnerabilities and weaknesses.
Valle emphasizes that embedded pen testing is a practical activity that involves physically interacting with the devices. Testers need to solder, open up parts, and reverse-engineer the physical devices to uncover potential security flaws. In an interview, Valle discusses the challenges in embedded systems security, the importance of embedded pen testing, and how he conducts such tests.
According to Valle, one of the biggest weaknesses in embedded systems security is the perception that these systems are fully trusted and not an attack vector. However, attackers can exploit vulnerabilities in embedded devices to gain access to an organization’s IT infrastructure. Organizations often overlook the potential vulnerabilities in their embedded devices, which leaves them susceptible to common attack vectors such as command injection or unauthorized access to sensitive information.
Valle acknowledges that there is increasing recognition from organizations regarding the need to improve security for IoT and similar devices. He attributes this recognition to the European Union (EU) cracking down on embedded systems security. The EU has introduced the Cyber Resilience Act, which establishes security baselines that connected devices must comply with in order to be sold in the European Economic Area. This regulatory pressure has forced manufacturers to rethink their products and focus on providing more secure connected devices.
When asked about the goal of embedded pen testing, Valle explains that it is similar to classic network or application pen testing. The aim is to identify and notify manufacturers about any vulnerabilities or weaknesses in their devices so that they can manage their own risks. Embedded systems, although not obviously computers, still need to be tested to help manufacturers and organizations take ownership of their risks.
Valle notes that embedded pen testing is no longer an afterthought for organizations, especially those that are mature in their security lifecycle management. With the increasing risk posed by IoT devices and impending regulations, organizations are starting to prioritize the security of their embedded devices. However, it takes time for the mindset of manufacturers to change, as historically, security was not a top priority for them.
The most challenging aspect of embedded pen testing is that every product and device is unique, according to Valle. Unlike network and application pen testing, which often involve common software and shared technology, embedded systems have varied hardware ecosystems and different IoT operating systems. Pen testers need to approach each device with curiosity and be prepared to read through a lot of documentation. They need to have a hacker spirit and not rely on checking off boxes on a list.
Valle explains that the typical approach to embedded pen testing involves opening up the device, identifying its components and functionality, and reverse-engineering the device to understand how it works. Some common attack vectors include examining debug ports, analyzing serial interfaces, and investigating the chips used in the device. Although embedded devices may have specialized components, they still function as computers with storage, memory, and communication lines.
After an embedded pen test, organizations should prioritize addressing the vulnerabilities and weaknesses that were discovered. This involves assessing the risk management strategy and remediation costs. Just like any other pen test, the focus should be on managing the identified risks effectively.
In conclusion, with the increasing adoption of IoT and connected devices, organizations need to pay more attention to the security of their embedded systems. Embedded pen testing is a crucial aspect of ensuring the security of connected devices. Jean-Georges Valle’s book, “Practical Hardware Pentesting,” provides practical guidance for conducting effective embedded pen tests. Organizations that prioritize embedded pen testing can mitigate security risks and protect their IT infrastructure from potential attacks.