End-to-End IoT Security Evaluation Methods for the Next Decade

End-to-End Ecosystem Methodology

The IoT product ecosystem consists of the following aspects:

  1. The relationship between embedded devices and related sensors, receivers, and actuators.
  2. The relationship between mobile applications and command control software.
  3. The relationship between the cloud APIs and related network services. Developers can use a cloud API for encoding, and each API has a service of the cloud provider.
  4. All related network communication protocols in use, such as the Ethernet, 802.11 wireless networking protocols, and inter-component communication protocols including Zigbee, Z-Wave, and Bluetooth.

Configuring the Security Test Environment

When testing the IoT product ecosystem, we will first configure various functions of IoT products under the common product specifications. To achieve better test effects, we need to configure two mutually independent Internet product running environments to test the danger of attacks. This is because hackers may implement cross-user or cross-system attacks on two independent environments. Besides, we can use the two independent environments to compare security configuration of products. By testing the functions of each product, we can efficiently evaluate functional security features, component features, and the communication path of every product in the product ecosystem, thus covering the entire IoT product ecosystem.

Cloud Security Test

An IoT network typically uses various network services for remote control, data collection, and product management. Generally, network services and cloud APIs are the weakest parts in the IoT product ecosystem. Developers can use cloud APIs for encoding, and each API has a service of the cloud provider. Meanwhile, cloud APIs may bring security risks to cloud applications, because threat actors can easily attack APIs putting sensitive service data at risk. This means that providers and software developers must determine the security of cloud APIs on priority.

Mobile Application or Control System Test

The IoT technology often uses various types of remote control services, such as mobile applications (Android or iOS), to remotely manage and control IoT. In this test process, we perform an in-depth test and analysis of the mobile and remote applications that are used to manage IoT products. Like the cloud test, we test all functions of and communications between mobile applications and all components in the IoT product ecosystem to verify the general security state of the product. Also, we will use OWASP Top10 for the focus test during the mobile application test.

IoT Device (Hardware) Security Test

We will also check IoT devices to evaluate security against the physical layer attacks. Checked objects also include devices with the JTAG port and serial port, power devices of various components, and data and control pins. Although devices have different components or configurations, they have some common attack vectors, for example:

  1. External USB port.
  2. Access from external channels.
  3. Location and storage media.
  4. Access availability of the debug console.
  5. Operations required to disassemble a device.
  6. Risks caused by simple physical access to devices.
  7. Risks caused by extended physical access to devices.
  8. Risks caused by connection media, such as wireless connection, wired connection, and Bluetooth.
  1. Initiate attacks through available ports.
  2. Disable equipment protection, for example, ‘boot loader’ restriction or restricted BIOS.
  3. Access and modify the device configuration.
  4. Steal users’ access credentials when users are using the cloud service.
  5. Access firmware that is only accessible by users.
  6. Monitor operations by accessing the background or run logs when the device is communicating with the cloud component.
  1. The assembly pairing process is tamper-proof.
  2. The system prohibits unauthorized access or control.
  3. It is difficult for hackers to map communication with the bottom-layer commands and control traffic.
  4. It is difficult to initiate a rebroadcast attack.


We hope that this article will provide a fresh perspective to cybersecurity practitioners for evaluating security in the world of IoT devices.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alibaba Cloud

Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com