IoT and Hardware Hacking

About

If you’re developing a device which will be sold to customers or deployed into untrusted environments, it’s important to understand what sensitive data somebody could obtain with the device, whether any fraudulent actions could be carried out, or whether it could be exploited.

How we can help

Pākiki have experts who can carry out testing against IoT and hardware devices. The particular type of tests, approaches and methodologies will vary depending on the type of hardware, what the device does, and how it’s going to be deployed. However, the types of questions we’d frequently answer would be:

Note: Not all hardware testing can be carried out without using potentially destructive techniques. This can be discussed during the scoping call.

What you get

At the end of the engagement, you’ll receive a written report, detailing:

Process

All of our engagements follow a similar process:

  1. We start by scoping the engagement: understanding what you're looking for, and discussing the technologies and platforms in use and any key concerns that you may have. From this, we produce a Statement of Work detailing the effort required, cost, any prerequisites, and our approach to the engagement.
  2. Once the Statement of Work is signed, we'll work with you to schedule the work.
  3. Prior to the engagement starting, we'll be in touch to organise any prerequisites we require and where practical will test these prior to the engagement. This will ensure the engagement commences on time.
  4. The consultant will start the engagement and will provide regular updates. You will be notified of any high or critical severity issues when they are found.
  5. At the end of testing, a report will be produced and provided.
  6. A close-out meeting is held to provide any additional context around the business impact of what we identified, and to provide a chance for any further questions on how to remediate what was found.
  7. Optional retesting can be carried out to ensure that any vulnerabilities have been successfully remediated.

Get in touch

To organise a call to run through what you’re doing, and find out how we can help:

Contact Us