Penetration Testing of Mobile IoT apps and Smart Security Cameras
The Customer is a US-based IoT provider whose market offer includes a proprietary IoT development platform and a wide range of IoT smart devices. Among their key clients are Schneider Electric, Philips, and Lenovo.
The Customer wanted to make sure that their products – 2 types of security cameras as well as iOS and Android apps enabling the remote control of IoT devices – had no security vulnerabilities. They specifically wanted to confirm that when both the apps and the cameras connect to the AWS cloud, all data traffic is routed via US servers only, thus excluding the risk of data leaking to other countries.
The Customer turned to ScienceSoft to run penetration testing using black-box and gray-box attacker models. ScienceSoft assembled a team of a project manager, 2 penetration testing engineers, and a senior security testing engineer. The team performed comprehensive penetration testing in accordance with the best practices and recommendations of the OWASP Mobile Security Testing Guide, NIST 800-86, and NIST 800-115.
While the penetration tests confirmed that the IoT apps and security cameras communicated with the AWS cloud solely via US servers, they also uncovered some minor vulnerabilities in the Customer’s software and smart devices. The threat classification that ScienceSoft’s testing engineers used in the final test protocol was based on the Common Vulnerability Scoring System (CVSS) and the OWASP Mobile Top 10.
The team completed penetration testing in just 5 working days.
ScienceSoft delivered the final report listing the minor vulnerabilities found and recommendations on how to remediate them. As the overall security level of the apps and devices was assessed as quite high, the Customer could confidently continue to provide their services.
Technologies and Tools
Wireshark, Nessus, tcpdump, Burp Suite, Nmap, Mobile Security Framework (MobSF), custom scripts (based on Python, C, and Perl) to exploit vulnerabilities.