IoT Device Pentest Interactive Guide
Explore the five layers of the IoT attack surface, what is tested at each, the real tools used and how it all maps to the OWASP IoT Top 10.
1. Hardware
What is tested: Physical access to the device: UART/JTAG/SWD debug interfaces, chip-off memory dumps, open test pads, serial consoles, glitch and voltage fault injection, and exposed ports on the PCB.
Common findings:
- Open UART console giving a root shell or bootloader access
- Unlocked JTAG/SWD allowing full memory read/write
- Firmware dumped from unsoldered SPI/I2C flash
- Secure boot disabled or no bootloader password
Tools:
- Bus Pirate
- JTAGulator
- Saleae Logic
- OpenOCD
- flashrom
- Chip-off / SOIC clip
OWASP IoT Top 10: I8 Lack of Physical Hardening, I3 Insecure Ecosystem Interfaces
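To turn the hardware findings above into a repeatable check, the following added example (not part of the original guide) triages a saved serial console capture and tags each hit with OWASP IoT item I8. The function name, finding labels and both sample captures are constructed for illustration, and the patterns assume a U-Boot style bootloader with a Linux userland.

```python
import re

# Constructed serial captures for illustration; not taken from a real device.
EXPOSED = """\
U-Boot 0000.00 (constructed sample)
Hit any key to stop autoboot:  3
=> printenv
Starting kernel ...
Please press Enter to activate this console.
/ # id
uid=0(root) gid=0(root)
"""
HARDENED = """\
U-Boot 0000.00 (constructed sample)
Starting kernel ...
device login: root
Password:
# id
uid=0(root) gid=0(root)
"""

# Heuristic patterns (assumptions: U-Boot style bootloader, Linux userland).
AUTOBOOT = re.compile(r"hit any key to stop autoboot", re.I)
UBOOT_PROMPT = re.compile(r"^(=>|U-Boot>)", re.I)
LOGIN = re.compile(r"\blogin:", re.I)
ROOT_SHELL = re.compile(r"uid=0\(root\)|^\S*\s?# ")

def audit_uart_capture(text):
    """Return [(finding, owasp_item, line_no)] for one serial console capture."""
    findings, seen, login_seen = [], set(), False

    def flag(name, line_no):
        if name not in seen:  # report each finding once, at its first line
            seen.add(name)
            findings.append((name, "I8", line_no))

    for n, line in enumerate(text.splitlines(), 1):
        if LOGIN.search(line):
            login_seen = True
        if AUTOBOOT.search(line):
            flag("autoboot-interruptible", n)
        if UBOOT_PROMPT.match(line):
            flag("bootloader-shell-reached", n)
        # A root prompt with no login exchange before it is an open console.
        if ROOT_SHELL.search(line) and not login_seen:
            flag("root-shell-without-login", n)
    return findings
```

A root shell that follows a login exchange is deliberately not flagged here; whether that password is weak or hardcoded is a separate check under I1.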
The IoT attack surface
A connected device is never just one target. Its attack surface spans hardware debug ports, the firmware running on it, the network and radio protocols it speaks, the mobile app that controls it and the cloud backend behind it. A serious IoT pentest works across all five layers, because a single weak link, like an open UART console, can collapse the rest.
Related reading: EMBA firmware security analysis for IoT and embedded devices.
OWASP IoT Top 10
The OWASP IoT Top 10 frames the most common, highest-impact mistakes. The recurring themes are weak, guessable or hardcoded passwords (I1), insecure network services (I2), insecure ecosystem interfaces (I3), missing secure update mechanisms (I4), insecure data transfer and storage (I7) and a lack of physical hardening (I8). The interactive guide above maps each layer back to these items so you can prioritise remediation.
OT and embedded device security
Industrial OT/SCADA and embedded systems raise the stakes: long lifecycles, unpatched firmware and physical accessibility make hardware and firmware testing essential. A scoped pentest plus secure firmware analysis tells you exactly where your devices break and how to fix it.
See also: The penetration test process: pricing and when you need one.