pentest · iot + embedded

Test the hardware, firmware, and the cloud it talks to.

IoT devices, embedded systems, thick clients. Firmware extraction and analysis, hardware interface probing (JTAG, UART, SPI), radio communication (BLE, Zigbee, sub-GHz), and the cloud backend the device authenticates to.

01. in scope

What we test.

Coverage adapts to the device. Some engagements stay software-only; others involve hardware lab work.

Firmware analysis

Extraction (binwalk, chip-off, OTA capture), filesystem inspection, hardcoded secrets, weak crypto, bootloader trust, signing verification.

Hardware interfaces

JTAG, UART, SPI, I2C debug interfaces. Bus sniffing. Glitching attacks where in scope. Secure-boot bypass evaluation.

Radio protocols

BLE security mode, Zigbee key handling, sub-GHz proprietary protocols, WiFi configuration security, Matter compliance where applicable.

Mobile companion app

Often the easier attack surface. Same coverage as our mobile pentest service, with focus on device-trust assumptions.

Cloud backend

Device-authentication flows, OTA update integrity, telemetry handling, tenant isolation. Often where a compromised device pivots into other customers.

Physical tampering

Device opening, chip identification, conformal coating, anti-tamper sensor evaluation. Documented but rarely the primary attack surface.

02. methodology

Methodology.

Multi-layer testing from chip to cloud. Hardware work happens in our lab; cloud and app work happens like a normal engagement.

  1. Device acquisition + setup. You ship us 2 to 3 sample devices, or we test on yours under coordinated access. Lab time arranged with you in advance.
  2. Firmware + hardware analysis. Two to four weeks of lab work. Extraction, reverse engineering, interface probing, radio capture.
  3. Companion app + cloud testing. Standard mobile and API testing for the supporting stack. Coordinated to find pivots between layers.
  4. Report + readout. Findings catalog with severity, photos of hardware work, fix guidance per layer. Engineer call with device-team leads.

03. deliverables

What you walk away with.

IoT pentest deliverables.

Findings report (PDF + markdown)

Per-finding: severity, layer (firmware/hardware/radio/app/cloud), exploit chain, photos, fix guidance.

Firmware analysis notes

Reverse-engineering output: filesystem dump, binary observations, secret findings, suggested hardening.

Hardware-interface report

JTAG / UART / SPI accessibility, what we found, what would have prevented access.

Retest within 30 days

Post-fix retest on a new firmware build. Devices retained for the retest window unless you ask for return.

04. when

When teams hire us for this.

Common triggers for an IoT / embedded pentest.

Pre-launch certification

Matter, FIDO, PSA Certified, or sector regulator (FDA, FCC) requires security testing before launch.

Insurance + class-action exposure

Connected medical or automotive device. The cost of a public incident is far above engagement price.

Customer audit

A large enterprise customer asks for a security report before deploying your device fleet.

Annual cadence

Connected device fleets need regular testing: firmware versions ship continuously, and each release brings new attack surface.

05. faq

Questions before the call.

Common questions for this engagement type. See main pentest FAQ for shared questions.

Do you need physical access to the device?

For most engagements, yes. Hardware interface testing (JTAG, UART) requires the device in our lab. Cloud and companion-app portions can run remotely.

How many devices should we send?

2 to 3 sample devices. One for non-destructive testing, one for destructive work (chip-off, Bus Pirate), one spare. Specific firmware version pinned.

What about radio testing?

We have lab capability for BLE, WiFi, Zigbee, and sub-GHz protocols. Proprietary radio protocols may need custom tooling — scoped on a case-by-case basis.

Test an IoT or embedded device?

IoT engagements need 4 to 6 weeks lead time for device acquisition and lab scheduling. Book the scoping call early.