IoT security testing for businesses
Every IoT device is a door you forgot.
We test your connected devices the way an attacker would with the board in hand: firmware, hardware interfaces, wireless protocols, companion apps and the APIs behind them.
The blind spot in the attack surface
Servers and endpoints get hardened, but the hundreds of devices chattering across the network usually get on with no one ever checking them.
Forgotten entry points
Every camera, sensor or gateway is a connected computer that no one patches or monitors. Installed once and forgotten, yet it keeps listening on the network for years.
Credentials and firmware left untouched
Default credentials, keys hardcoded into the firmware and no secure over-the-air updates. The device arrives insecure from the factory and no one ever closes that window.
The jump to what is critical
A compromised sensor is rarely the end goal. It is usually the springboard to management systems or, in industrial settings, to the OT network that runs physical processes.
What we test
A connected device is never a single thing: it is firmware, silicon, radios, an app and a cloud backend. We test each layer on its own and, above all, the seams where one layer trusts another without checking.
Firmware
Extraction over debug interfaces, a flash memory dump or an over-the-air download, then static analysis of the binaries: hardcoded credentials and cryptographic keys, embedded secrets and tokens, forgotten debug services, and a check on whether the image is signed and encrypted. This is the layer where critical findings surface fastest.
Hardware
Locating exposed debug interfaces (UART, JTAG, SWD), reaching external memory over SPI or I2C to read or rewrite the firmware, bypassing boot protections and running basic fault injection. The point is to measure what an attacker gets with the board physically in hand.
Wireless protocols
Every radio the device speaks: BLE (pairing, encryption and characteristic authorisation), Zigbee and Z-Wave in smart-building and industrial estates, LoRa for long-range telemetry, and MQTT or CoAP as the transport. We look for missing or weak encryption, reused keys, tamperable messages and node spoofing. When it hangs off a corporate network we cross-reference the WiFi security audit.
Companion app and cloud APIs
The mobile app that drives the device and the cloud APIs behind it: authentication and authorisation, direct object references that leak other users data, secrets baked into the app, and server-side controls that can be sidestepped. Often the weak link is not the gadget but its backend.
Identity, encryption and secure updates
How each unit identifies itself to the cloud, whether keys are unique per device or shared across the whole model, how data is protected in transit and at rest and, crucially, whether the OTA mechanism validates signatures: without secure updates, any flaw we find stays open forever.
Network exposure
Which ports and services the device opens on the local network, whether it answers from the internet, what it leaks when discovered and how well isolated it is from everything else. This is where it meets the infrastructure and network audit, which measures the jump from the device towards systems that matter.
Industrial IoT (IIoT/OT)
On the plant floor a connected device stops being a gadget and becomes embedded IT governing physical processes: gateways, sensors, controllers and cameras that once lived on an isolated network and now sit alongside the corporate one. That IT/OT convergence widens the attack surface exactly where a failure does not take down a service but a production line.
So work in these environments demands operational care: strict rules of engagement, a clear line between what can be tested in production and what belongs on a lab bench, and priority given to the pivot from the device towards the OT network. We match the approach to the real risk of each sector; you can see how we work in security for the industrial sector.
How we test your IoT devices
Ecosystem and surface reconnaissance
Mapping the device and everything around it: physical interfaces, wireless protocols, companion app, cloud APIs, services exposed on the network and the data flows between them all.
Firmware analysis
Extracting the firmware (via interface, memory dump or download), unpacking it and hunting for hardcoded credentials, cryptographic keys, insecure binaries and weak boot or update mechanisms.
Hardware and interface testing
Locating and exploiting exposed debug interfaces (UART, JTAG, SPI), reaching flash memory, bypassing boot protections and validating the physical isolation of the device.
Protocol and app/API testing
Analysing wireless communication (BLE, Zigbee, MQTT) and the companion app and its APIs: weak encryption, authentication, authorisation, message tampering and the absence of secure over-the-air updates.
Report and retest
Risk-prioritised findings with evidence, concrete recommendations per layer (hardware, firmware, protocol, cloud) and a follow-up retest to confirm closure.
What you get at the end
A technical and executive report with each finding, its real business impact and concrete remediation per layer, plus a retest to confirm the critical issues are closed.
- Firmware analysis: hardcoded credentials, keys and insecure binaries.
- A map of exposed hardware interfaces (UART, JTAG, SPI) and their risk.
- Assessment of protocols (BLE, Zigbee, MQTT), companion app and cloud APIs.
- Prioritised remediation plan and closure retest.
"The first finding almost always sits inside the firmware: a hardcoded password that opens every unit of the same model. Nobody had looked, because the device was only a sensor."
— Offensive Security Team, Hard2bit
When you need it
You do not have to wait for an incident. These are the moments when an IoT assessment stops being optional.
You are launching a connected product
If you build or integrate a device with connectivity, testing it before it ships spares you recalls, emergency patches and headlines. Far better that you find the hardcoded key than an outside researcher does.
You are rolling out sensors or cameras at scale
Hundreds or thousands of units of the same model multiply any flaw: a weakness in one is a weakness in all. Testing the model before the mass rollout changes the whole risk equation.
You live with legacy devices
Kit installed years ago that no one has touched since, unpatched and running firmware that is out of support. You need to know what it exposes today and how to isolate it while you plan its replacement.
You have compliance to meet
The Cyber Resilience Act and the RED directive make device security a condition for reaching the market. An assessment gives you the technical evidence to stand behind that compliance with customers and regulators.
You have just been through an incident
After a compromise where an IoT device may have been the way in or a pivot point, the assessment reconstructs what was genuinely possible and closes the vector before it happens again. It slots naturally alongside our technical pentesting and Pentesting & Red Team work.
What the report includes
The deliverable is built so the technical team knows exactly what to fix and leadership grasps the real business risk.
Ecosystem inventory
A map of every device tested, its interfaces, protocols, apps and cloud services, with the relationships and data flows between them. The full picture of the surface, not a loose list of gadgets.
Findings per device
Each finding with its severity, the layer it affects (hardware, firmware, protocol, app or cloud) and reproducible evidence: steps, captures and artefacts. No ambiguity about what it is or how it is exploited.
Firmware supply-chain risk
Third-party components and libraries inside the firmware, versions with known vulnerabilities and vendor dependencies. The risk you inherit without having written it yourself.
Remediation and retest
A remediation plan prioritised by impact and effort, with concrete recommendations per layer, and a follow-up retest that confirms in writing that the critical issues are closed.
Frequently asked questions about IoT security
Do I need to send you a physical unit of the device?
Do you test the device firmware?
Do you test wireless protocols such as BLE and Zigbee?
Do you cover industrial and OT environments?
What is the Cyber Resilience Act and how does it affect me?
How long does an IoT security assessment take?
How is testing the IoT different from auditing the WiFi it connects to?
Where does this fit within the Hard2bit portfolio?
What is hiding in your device firmware?
Request an IoT security assessment and we will tell you, with evidence, what an attacker would find with your device in hand.