Looking beyond devices for complete IoT security

In the Internet of Things, attackers look for the weakest link wherever they can find it. We, as security testers, should therefore also look at the whole system. Unfortunately, assessments often stop at the device itself, excluding backend cloud services and applications. For example, ETSI EN 303 645 “Cyber Security for Consumer Internet of Things: Baseline Requirements” covers only devices; related services are explicitly out of scope.

In my doctoral research (Transparent and tool-driven security assessment for sustainable IoT cybersecurity), I found that less than 40 % of documented IoT vulnerabilities live in device software and components. In comparison, about 50 % occur in backend cloud systems. Testing only the device means leaving most of the attack surface unchecked and unintentionally guiding adversaries toward the components we’ve overlooked.

A cloud backend can be reached anywhere, whereas attacking a device requires physical proximity. In this respect, the cloud is a much easier target than the devices. Moreover, a breach in the cloud can expose data for all users or even allow an attacker to push malicious commands to an entire fleet of devices — risks far more impactful than compromising a single device in the field.

A truly comprehensive security assessment must include services and applications alongside devices. At Test of Things, we take a holistic approach — combining static and dynamic analysis, protocol and web testing, authentication flows, update mechanisms and user interfaces — to ensure every link in the chain is as resilient as the next.
