Embedded device/IoT device testing

Protecting connected IoT devices

The Internet of Things (IoT) is growing at pace and organisations all over the world are starting to realise the benefits these embedded devices can bring to their operations, as well as their employees/customers. 

Security of such devices is vital, especially when they are processing sensitive data, where they have access to critical networks/systems within an organisation, or crucially, where a potential breach may endanger health.

What we review during embedded/IoT device testing

Embedded devices can be complicated in nature and no two devices are the same. Our testing is tailored to the device under review and our consultants will undertake whatever testing is necessary to fully assess the security of the entire IoT system. This could include:

Firmware

Encryption

Hardware

Network

The following shows the areas of a device that could also be tested as part of our assessments:

Firmware & hardware: Test/debug points, anti-tamper protections, operating system hardening, default credentials, network services, APIs & network traffic interception.

Protocol fuzzing: Device protocol APIs, industry standard protocols, proprietary protocols, network, file, advanced debugging and stack tracing.

When should you test?

We can provide security assurances at any stage during the IoT development lifecycle; however, the earlier you can engage with security testing, the more beneficial it will be. We would recommend engaging at one, or ideally both, of the following stages:

Design phase: This is the ideal place to start engaging with a security testing company such as ourselves. At this stage, we would work with your team to offer expert consultancy, ensuring your device is ‘secure by design’ and to help prevent potentially costly security mistakes from being made at the very earliest point.

Minimal Viable Product: We would recommend conducting more robust testing on the physical device prototype at this point. This will ensure that any security issues are rectified before costly manufacturing orders are placed or supply chains are established.

How is our testing delivered?

Our embedded/IoT device testing can be conducted onsite or remotely, depending on your requirements. In the case of physical testing, we would require access to a minimum of two devices and clients must accept the cost of any potentially broken devices during testing.

Our approach to embedded/IoT device testing

Every embedded/IoT device test goes through a rigorous process to ensure you get the best possible results. Below we outline the key stages we go through:

1. Scoping

We work closely with you and your team to define your exact requirements, to understand your desired goals and to gain comprehensive knowledge of the device under review.

2. Proposal & prerequisites

A bespoke proposal of work will be drawn up based on your requirements, our experience and our consultants' expertise. This proposal will outline our recommended test approach and provide details of the number of days we feel are needed to investigate the target device thoroughly.

We will work with you to ensure this proposal meets your exact requirements and, once authorised, we will outline any necessary prerequisites that are needed to ensure testing starts on time.

3. Testing

Testing will commence on the agreed date and our consultants will communicate with you throughout the test, to your set requirements.

All our testing is conducted manually, and our consultants will look to identify as many issues as possible in the time allotted, verifying whether these could be exploited.

4. Reporting

A comprehensive, quality assured report of our findings will be delivered within 5 days of the test finishing. Our reports can be tailored to your needs, providing both a technical and managerial overview of findings, as well as our detailed remediation advice.

5. Post-test support

Our job doesn’t finish on the delivery of the report. Your test consultant will be available after the test to explain any aspect of the report, as well as provide remediation support to internal teams and/or external suppliers.

6. Retest

You have the option to retest, ensuring reported vulnerabilities have been addressed.

7. Evidence of testing

Many of our clients need to supply evidence of testing for security assurance purposes. We can supply documentation which will provide these assurances to internal and/or external stakeholders.

Why choose Pentest

We act as a trusted adviser, not just a test provider. So, whether it’s your first test or you’ve conducted hundreds, our team are dedicated to making the process as seamless as possible, to pass on their wealth of expertise and to provide you with the information security support you need.

Penetration test experts since 2001

Dedicated account management

Comprehensive, quality assured reporting

Unrivalled post-test support

Optional retest of issues
