
IoT Security Assessment

Connected devices expand the attack surface of every organization that deploys them. GDF's certified analysts assess IoT devices, smart systems, and enterprise IoT deployments for vulnerabilities, firmware weaknesses, insecure communications, and exploitable flaws, producing findings that support both technical remediation and litigation or regulatory proceedings.

The IoT Security Problem

The Internet of Things encompasses an enormous range of devices: industrial sensors and actuators, IP cameras, smart building systems, medical devices, network-attached storage appliances, consumer electronics brought into workplaces, and purpose-built enterprise IoT platforms. What most of these devices share is a security development history that prioritized cost, functionality, and time-to-market over security architecture. Default credentials, unencrypted communications, absent authentication on management interfaces, and firmware that cannot be updated are standard characteristics, not exceptions.

The scale of IoT deployment in enterprise and industrial environments has made these devices a preferred initial access vector. Attackers who compromise a building automation controller, an IP camera, or an unmanaged sensor node gain a foothold on the network segment where that device resides. From there, lateral movement to more sensitive systems is often straightforward because IoT devices are rarely monitored by security tools designed for conventional IT endpoints, and the networks they occupy are often inadequately segmented from operational or corporate systems.

The IoT security problem is compounded by organizational blind spots. Enterprise asset inventories frequently do not include IoT devices, or include them without accurate firmware version, configuration, or ownership information. IT and OT security teams may both disclaim responsibility for IoT devices that span the boundary between their domains. Vendor relationships for IoT devices often include remote access arrangements that are not reviewed by security teams and are not visible in network monitoring. GDF's IoT assessments begin by addressing these gaps, establishing a complete and accurate picture of the IoT environment before any vulnerability analysis begins. For industrial IoT environments, our OT network assessment addresses IIoT risk in operational technology contexts.

Specific IoT security risks that GDF regularly identifies include:

  • Default or shared credentials on device management interfaces, including web interfaces, SSH, Telnet, and proprietary protocols
  • Unencrypted communications between IoT devices and management platforms, including cleartext transmission of credentials, sensor data, and commands
  • Outdated firmware with known vulnerabilities that the manufacturer has patched but the operator has not applied, or for which no patch exists because the device has reached end-of-support
  • Insecure update mechanisms: firmware updates delivered over unencrypted channels without signature verification, allowing an adversary with network access to substitute malicious firmware
  • Excessive network permissions: IoT devices with access to segments or services they have no legitimate need to reach, enabling lateral movement after compromise
  • Vendor remote access: always-on connections established by device vendors for maintenance purposes, using shared credentials not under the operator's control
  • Insecure cloud connectivity: IoT devices that communicate with cloud management platforms over APIs that accept unauthenticated connections, use weak authentication, or expose customer data to other tenants
  • Physical attack surfaces: devices with accessible UART, JTAG, or USB ports that allow firmware extraction, debugging access, or privilege escalation without network access

GDF's IoT Assessment Methodology

GDF's IoT security assessments are structured around the OWASP IoT Top 10 and supplemented by GDF's proprietary methodology developed through years of hands-on device assessment across industrial, medical, building systems, and enterprise IoT categories. The assessment proceeds in four phases: asset discovery and inventory, network-level assessment, device-level assessment, and cloud and backend API assessment. For firmware source code analysis, see our source code review services.

The asset discovery phase establishes a complete inventory of IoT devices present in the assessment scope. GDF uses passive network monitoring, active scanning calibrated to avoid disrupting sensitive devices, and review of network infrastructure (DHCP logs, switch MAC address tables, wireless controller inventories) to identify every connected device. For each discovered device, GDF documents its make, model, firmware version, network location, management interface, communication protocols, and organizational ownership. This inventory frequently reveals devices that the client was unaware of or had classified incorrectly.

The network-level assessment examines IoT devices as they appear on the network: open ports and services, protocol security, traffic patterns, and segmentation. GDF analysts capture and analyze traffic between IoT devices and their management platforms, peer devices, and any cloud services they communicate with. This phase identifies unencrypted communications, authentication weaknesses visible at the network level, insecure protocol usage, and unauthorized connections to external infrastructure.

The device-level assessment examines individual devices in depth, using a combination of external interface testing and, where feasible, firmware analysis. External interface testing covers the web management interface (authentication, session management, injection vulnerabilities, information disclosure), API interfaces, and any protocols exposed by the device. Firmware analysis, where the firmware can be obtained from the manufacturer, extracted from the device via software update interception, or extracted via physical interface access, examines the firmware image for hardcoded credentials, cryptographic weaknesses, insecure configuration defaults, vulnerable third-party components, and backdoor functionality. GDF uses binwalk, Ghidra, IDA Pro, and specialized IoT firmware analysis tooling for this work.

The cloud and backend API assessment examines the cloud management platform and APIs that IoT devices communicate with, testing for authentication weaknesses, authorization failures (can one tenant's credentials access another tenant's devices), insecure direct object references in device management APIs, and data exposure. This phase is particularly important for enterprise IoT deployments where the security of the vendor's cloud platform is as critical as the security of the devices themselves.

Assessment findings are documented with full technical detail: affected device or platform, vulnerability description, evidence, risk rating, and remediation guidance. For each finding, GDF identifies whether it represents a single-device risk or a systemic issue affecting the entire device class, which affects both remediation prioritization and organizational risk posture. The assessment report is written to serve both technical teams responsible for remediation and legal or executive stakeholders who need to understand IoT security risk in business terms.

IoT Forensics and Litigation Support

IoT devices are increasingly relevant as evidence sources in litigation and regulatory proceedings. Surveillance cameras, smart building systems, vehicle telematics, industrial sensors, and medical devices all generate records of physical-world events that may be material to civil or criminal matters. GDF's digital forensic capabilities extend fully to IoT devices, including forensic acquisition of device logs, configuration data, stored footage, and communication records in a manner that preserves evidentiary integrity and maintains chain of custody.

In product liability matters, IoT security assessments and forensic analysis address questions about whether a device met the security representations made by its manufacturer, whether a known vulnerability was the proximate cause of a breach or physical harm, and whether adequate security testing was conducted before the product was released. GDF's analysts have conducted forensic examinations of IoT devices in support of product liability claims, insurance coverage disputes, and regulatory enforcement proceedings involving connected medical devices, industrial IoT, and smart building systems.

In data breach litigation, IoT devices frequently serve as the initial access vector or as nodes through which an attacker traversed to reach more sensitive systems. GDF's forensic analysis reconstructs this path: identifying which device was compromised, documenting the exploit or credential used, tracing the attacker's lateral movement through the environment, and quantifying the data accessed or exfiltrated. This reconstruction supports both the factual record in litigation and the notifications required under applicable breach notification laws.

In employment and insider threat matters, IoT devices including surveillance cameras, access control systems, and workplace monitoring equipment provide corroborating evidence for or against allegations of policy violations, physical theft, workplace harassment, and unauthorized access. GDF's forensic analysts preserve and examine this evidence with the same rigor applied to conventional computer forensics, producing court-admissible documentation and expert witness testimony where needed.

GDF provides IoT security assessments and forensic services nationwide and internationally, with on-site capability for any U.S. location and remote engagement models where site access is not required. Our analysts hold CCE, EnCE, GIAC, and related certifications and maintain current expertise in IoT security through ongoing research and sector-specific practice. Call 1-800-868-8189 for a confidential consultation.

Last updated: April 14, 2026

Firmware Analysis

GDF extracts and examines IoT firmware for hardcoded credentials, backdoors, cryptographic weaknesses, and vulnerable third-party components using professional reverse engineering tools.

Cloud API Testing

IoT cloud platforms and management APIs are tested for authentication failures, tenant isolation weaknesses, and data exposure that can affect entire device fleets.

Product Liability Support

GDF provides forensic analysis and expert witness testimony in product liability matters where the security of a connected device is at issue in civil or regulatory proceedings.

Breach Reconstruction

When an IoT device is identified as an entry point or lateral movement node in a breach, GDF reconstructs the attacker's path with forensic documentation suitable for litigation and insurance claims.

Request a Consultation

All consultations are strictly confidential. We'll assess your IoT environment and recommend the right scope and approach.

IoT Penetration Testing

IoT security assessments identify vulnerabilities in device configurations, network architecture, and cloud backend design. IoT penetration testing goes a step further: GDF's analysts actively attempt to exploit identified vulnerabilities to confirm exploitability, characterize the real-world impact, and test the controls that are supposed to prevent lateral movement from compromised devices into the rest of the network. The result is a finding set based on what an adversary can actually accomplish, not just what might theoretically be possible, giving organizations and their legal counsel a technically definitive basis for risk decisions and remediation prioritization.

Firmware Extraction and Analysis

Firmware is the foundation of IoT device security. The firmware running on a device determines its exposed services, default credentials, cryptographic implementations, update mechanisms, and the third-party components it includes. GDF's firmware extraction and analysis process begins with obtaining the firmware image: through download from the manufacturer's update infrastructure, interception of an over-the-air update, or physical extraction from the device using hardware interfaces.

Physical firmware extraction uses hardware debugging interfaces present on most IoT device circuit boards: UART console access, JTAG debugging interfaces, and SPI or NAND flash chip extraction. UART interfaces frequently expose bootloader access or a Linux shell with root privileges when security hardening has not been applied. JTAG interfaces provide low-level processor debugging access that allows firmware read-out even from devices that have disabled software-accessible debug modes. Chip-off extraction physically removes flash memory from the board for direct reading, applicable when other methods are not available.

Extracted firmware is analyzed using GDF's toolset including binwalk for filesystem extraction, Ghidra and IDA Pro for binary reverse engineering, and custom scripts for automated detection of known-vulnerable components, hardcoded credential patterns, and insecure cryptographic usage. Analysis identifies the exact firmware version and component manifest, hardcoded credentials and private keys, cryptographic weaknesses in authentication and update verification implementations, and backdoor functionality including undocumented administrative interfaces. For organizations involved in product liability or supply chain litigation, firmware analysis findings provide the technical evidence needed to establish whether a security defect was present at a specific point in time.
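As an added example (written for this page, not GDF's scripts or any tool named above), a minimal scanner over a binwalk-style extracted root that applies the kinds of patterns the paragraph lists: shadow entries with a baked-in hash or no password at all, embedded PEM private keys, and key=value secrets in configuration files. The sample tree is constructed in a temporary directory and every value in it is made up; findings report a redacted detail rather than the secret itself.

```python
"""Scan an extracted firmware root for hardcoded credentials and keys (constructed example)."""
import os
import re
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (path relative to root, category, redacted detail)

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SECRET_KV_RE = re.compile(rb"(?i)\b(passw(?:or)?d|passphrase|secret|api[_-]?key)\b\s*[=:]\s*(\S+)")
MAX_FILE = 8 * 1024 * 1024  # skip large blobs (kernel images, archives) in this simple pass

def scan_shadow(data: bytes) -> List[str]:
    """Flag accounts with a fixed hash (password baked into the image) or an empty field (no password)."""
    hits = []
    for line in data.splitlines():
        parts = line.split(b":")
        if len(parts) < 2:
            continue
        user, hashed = parts[0].decode(errors="replace"), parts[1]
        if hashed == b"":
            hits.append(f"{user}: empty password field (login without password)")
        elif hashed not in (b"*", b"!", b"!!", b"x"):  # locked or disabled accounts are fine
            hits.append(f"{user}: fixed password hash {hashed[:3].decode(errors='replace')}...")
    return hits

def scan_firmware_root(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if os.path.islink(path) or not os.path.isfile(path) or os.path.getsize(path) > MAX_FILE:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if name == "shadow":
                findings += [(rel, "hardcoded-account", h) for h in scan_shadow(data)]
            if PRIVATE_KEY_RE.search(data):
                findings.append((rel, "embedded-private-key", "PEM private key block present"))
            for m in SECRET_KV_RE.finditer(data):
                key = m.group(1).decode(errors="replace")
                findings.append((rel, "hardcoded-secret", f"{key}=<redacted {len(m.group(2))} chars>"))
    return sorted(findings)

def build_sample_root() -> str:
    """Constructed squashfs-root-like tree standing in for a real extraction; all values are fake."""
    root = tempfile.mkdtemp(prefix="fw-")
    samples = {
        "etc/shadow": b"root:$1$abcdefgh$0123456789ABCDEFGHIJKL:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\nguest::0:0:99999:7:::\n",
        "etc/ssl/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructed...\n-----END RSA PRIVATE KEY-----\n",
        "etc/config/cloud.conf": b"endpoint=https://iot.example.invalid\napi_key = CONSTRUCTED_SAMPLE_KEY_0001\n",
        "bin/busybox": bytes(range(256)) * 4,  # binary noise with nothing credential-like in it
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root
```

Real analysis adds component version fingerprinting and many more patterns; the point here is that a fixed root hash or a shipped private key is a property of the image itself, which is what dates a defect to a specific firmware release.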

API Security Testing

IoT devices rely on APIs for communication with mobile applications, cloud management platforms, and peer devices. These APIs are frequently developed under significant time pressure, with security testing that does not extend beyond basic functionality verification. GDF's IoT API security testing examines these interfaces for the full range of application security vulnerabilities applicable to REST, GraphQL, MQTT, CoAP, and proprietary API protocols used in IoT ecosystems.

Authentication testing covers whether the API enforces proper credential requirements, whether default credentials used during device provisioning are required to be changed before the device becomes operational, and whether API tokens have appropriate expiration, revocation, and scope limitation. Authorization testing examines whether the API enforces that a user's credentials can only access that user's devices and data, testing for insecure direct object references and broken function-level authorization that could allow one customer to access another customer's device management interface or sensor data. GDF regularly identifies IoT APIs where the device identifier used in API calls is the only access control, allowing any authenticated user to access any device by substituting a different identifier in the request.

Data exposure testing examines what sensitive information is returned in API responses beyond what the requesting application requires, including device location data, user account information, and operational data that should not be accessible through the tested interface. Injection testing covers SQL injection, NoSQL injection, and command injection in API parameters that are processed by backend infrastructure. Rate limiting and resource exhaustion testing verifies that API endpoints apply controls to prevent abuse that could disrupt service for other users or generate significant cost.

Wireless Protocol Security Testing

IoT devices communicate over a wide range of wireless protocols, each with distinct security characteristics and vulnerability classes. GDF's wireless protocol testing covers the protocols most commonly found in enterprise and industrial IoT deployments.

Zigbee testing examines network join procedures for susceptibility to rogue coordinator attacks, tests whether the network uses link keys or only network keys (network-key-only configurations allow any joined device to decrypt all network traffic), and assesses whether the coordinator enforces device authentication before admitting nodes to the network. Zigbee relay attacks and traffic capture analysis are used to identify devices transmitting sensitive data without adequate encryption.

Bluetooth Low Energy (BLE) testing covers pairing security (verifying that Just Works pairing, which provides no authentication, is not used for security-sensitive device connections), advertisement data exposure (checking whether device advertisements include sensitive information such as serial numbers, non-rotating MAC addresses, or operational status), and GATT service authorization (testing whether characteristics that control device function enforce appropriate access controls before responding to write commands). BLE man-in-the-middle testing is conducted where the pairing mechanism is susceptible to interception.

LoRaWAN testing examines network join procedures (OTAA vs. ABP activation security), application session key handling, and whether devices implement replay protection. LoRaWAN networks using ABP (Activation By Personalization) with static session keys are particularly vulnerable to replay attacks and frame counter reset issues that can allow an adversary to inject commands or decrypt traffic.
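As an added illustration of the frame counter issue just described (example code written for this page, not GDF's tooling or any network server's implementation): the receiver-side check a network server applies to the 16-bit FCnt carried in each uplink, with the strict policy beside the reset-tolerant option some servers offer for ABP devices. MIC verification is assumed to have already happened; the 32-bit reconstruction and the MAX_FCNT_GAP value follow LoRaWAN 1.0.x, and the scenario is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_FCNT_GAP = 16384  # LoRaWAN 1.0.x: uplinks more than this far ahead of the last one are rejected

@dataclass
class DeviceSession:
    """Network-server state for one ABP device (constructed; keys and MIC handling omitted)."""
    last_fcnt_up: Optional[int] = None  # full 32-bit counter of the last accepted uplink
    allow_counter_reset: bool = False   # the "relaxed" option some servers offer for ABP devices
    rejected: int = 0

def reconstruct_fcnt32(last: int, fcnt16: int) -> int:
    """The air frame carries only the low 16 bits of FCnt; rebuild the 32-bit value."""
    candidate = (last & 0xFFFF0000) | fcnt16
    if candidate <= last:  # the low 16 bits wrapped since the last accepted frame
        candidate += 0x10000
    return candidate

def accept_uplink(sess: DeviceSession, fcnt16: int) -> bool:
    """Return True if the counter is acceptable and advance the session state (MIC assumed verified)."""
    if sess.last_fcnt_up is None:
        sess.last_fcnt_up = fcnt16
        return True
    candidate = reconstruct_fcnt32(sess.last_fcnt_up, fcnt16)
    if candidate - sess.last_fcnt_up <= MAX_FCNT_GAP:
        sess.last_fcnt_up = candidate  # strictly increasing: a repeated counter never reaches here
        return True
    if sess.allow_counter_reset and fcnt16 <= (sess.last_fcnt_up & 0xFFFF):
        # Reset-tolerant mode treats any lower counter as a device reboot and restarts from it.
        # With static ABP session keys this is what makes earlier captured frames replayable.
        sess.last_fcnt_up = fcnt16
        return True
    sess.rejected += 1
    return False

def simulate(allow_reset: bool) -> Dict[str, object]:
    """Constructed scenario: device sends FCnt 0-7, an observer records frame 5, the device
    reboots (ABP: same keys, FCnt back to 0), sends 0-2, then the recorded frame 5 is replayed."""
    sess = DeviceSession(allow_counter_reset=allow_reset)
    for f in range(8):
        accept_uplink(sess, f)
    after_reboot: List[bool] = [accept_uplink(sess, f) for f in range(3)]
    replay_accepted = accept_uplink(sess, 5)
    return {"after_reboot": after_reboot, "replay_accepted": replay_accepted, "rejected": sess.rejected}
```

The strict policy rejects the replay but also drops every frame after the reboot until the counter passes its old value, which is the availability pressure that leads operators to enable the relaxed option; OTAA, which derives fresh session keys on each join, avoids the trade-off.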

MQTT protocol testing covers broker authentication requirements (whether brokers permit anonymous connections), topic-level authorization (whether clients can subscribe to topics belonging to other users or publish to topics they should not have access to), TLS implementation quality, and retained message security. MQTT brokers misconfigured to permit unauthenticated connections or broad topic subscriptions have been a source of significant data exposure incidents in enterprise IoT deployments.

Device-Level Exploitation

Device-level exploitation testing confirms whether identified vulnerabilities can be used by an adversary to gain unauthorized access to an IoT device and, from that position, move to other systems or extract sensitive data. GDF conducts device-level exploitation in a controlled manner: either against a test device provided by the client, or against production devices during a coordinated maintenance window with explicit approval from the device owner and network operations team.

Hardware interface exploitation tests whether exposed debug ports provide privileged access without authentication. A UART shell with automatic root login, a JTAG interface with an unprotected bootloader, or an accessible SPI flash chip can give an adversary complete control of the device. GDF documents the specific hardware access required, the tools needed, and the degree of physical access an attacker would need to exploit the finding, providing the context needed for risk assessment and physical security remediation.

Memory extraction techniques including cold boot attacks, bus probing, and debug interface memory reads are used to extract credentials, encryption keys, and sensitive configuration data from device RAM and non-volatile storage. Extracted credentials and keys are documented as exploitation evidence and support follow-on testing of connected cloud services and peer devices that use the same credentials.

Cloud Backend Security Testing

The cloud platforms that manage enterprise IoT deployments are as much a part of the attack surface as the devices themselves. A cloud backend with inadequate tenant isolation, weak API authentication, or insecure direct object references can expose data from an entire device fleet to an attacker who compromises a single user account. GDF's cloud backend testing examines IoT management platforms with the same rigor applied to enterprise web application security assessments.

Tenant isolation testing verifies that one customer's data, devices, and administrative capabilities are not accessible to another customer's credentials. This testing is particularly important for multi-tenant SaaS IoT platforms, where the data of thousands of organizations may be co-located in a shared infrastructure. GDF tests tenant isolation by attempting to access devices, data, and administrative functions belonging to a test tenant using credentials provisioned for a different test tenant. Failures in tenant isolation are among the most severe findings in IoT cloud assessments because they affect every customer of the platform simultaneously.

Device management API testing covers the full set of operations available through the cloud management interface: device provisioning and de-provisioning, firmware update initiation, configuration push, command execution, and data export. For each operation, GDF tests whether authorization is enforced at the device level (not just at the account level), whether operations can be performed against devices not belonging to the authenticated user, and whether the API validates that commands sent to devices are within the intended scope of the operation. For connected IoT platforms involved in litigation or regulatory proceedings, cloud backend findings document the specific technical mechanisms by which unauthorized access to device data or control was possible.
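As an added example serving both the API authorization finding described under API Security Testing (a device identifier as the only access control) and the tenant isolation and device-level authorization tests described here: a constructed in-memory device-management API (not any vendor's platform or GDF's tooling) with the weak lookup beside a tenant-scoped one, and a check that attempts each management operation against another tenant's devices. Device IDs, tenant names and scope strings are invented.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

@dataclass
class Device:
    device_id: str
    tenant_id: str
    firmware: str

@dataclass(frozen=True)
class Session:
    tenant_id: str
    scopes: FrozenSet[str]  # token scopes, e.g. {"device:read", "device:firmware"}

class Forbidden(Exception):
    """Token lacks the scope required for the operation."""

class NotFound(Exception):
    """Device does not exist or belongs to another tenant (same answer for both)."""

class DeviceApi:
    """Constructed stand-in for a cloud device-management API; not a real platform."""
    def __init__(self, devices: List[Device]):
        self.devices: Dict[str, Device] = {d.device_id: d for d in devices}

    def _owned(self, session: Session, device_id: str) -> Device:
        # Hardened lookup: scoped by the caller's tenant; foreign and unknown IDs are indistinguishable.
        dev = self.devices.get(device_id)
        if dev is None or dev.tenant_id != session.tenant_id:
            raise NotFound(device_id)
        return dev

    def get_device(self, session: Session, device_id: str) -> Device:
        if "device:read" not in session.scopes:
            raise Forbidden("device:read")
        return self._owned(session, device_id)

    def push_firmware(self, session: Session, device_id: str, version: str) -> str:
        if "device:firmware" not in session.scopes:
            raise Forbidden("device:firmware")
        dev = self._owned(session, device_id)
        dev.firmware = version
        return dev.firmware

class IdentifierOnlyApi(DeviceApi):
    """The weak pattern: the device identifier in the request is the only access control."""
    def _owned(self, session: Session, device_id: str) -> Device:
        return self.devices[device_id]

def tenant_isolation_check(api: DeviceApi, caller: Session, foreign_ids: List[str]) -> List[str]:
    # Attempt each management operation on another tenant's devices; return the ones that succeeded.
    leaks = []
    for did in foreign_ids:
        ops = (("read", lambda: api.get_device(caller, did)),
               ("firmware", lambda: api.push_firmware(caller, did, "9.9.9-test")))
        for name, call in ops:
            try:
                call()
                leaks.append(f"{name}:{did}")
            except (NotFound, Forbidden):
                pass
    return leaks

def sample_fleet() -> List[Device]:  # constructed two-tenant fleet, one camera each
    return [Device("cam-1001", "tenant-a", "2.1.0"), Device("cam-2001", "tenant-b", "2.1.0")]
```

Scope checks alone do not close the gap: a token limited to device:read still reads every tenant's devices through the identifier-only lookup, which is why the check exercises each operation with a foreign device ID rather than only probing the token's scopes.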

IoT Penetration Testing Coverage

  • Firmware Extraction
  • UART/JTAG Access Testing
  • Chip-Off Extraction
  • Binary Reverse Engineering
  • REST/MQTT API Testing
  • API Authorization Testing
  • Zigbee Protocol Testing
  • BLE Security Testing
  • LoRaWAN Testing
  • MQTT Broker Testing
  • Device-Level Exploitation
  • Memory Extraction
  • Cloud Backend Testing
  • Tenant Isolation Testing

Connected Devices Require Connected Security Thinking

GDF's IoT security analysts assess your connected devices, firmware, and cloud backends with the depth and forensic rigor that legal and regulatory proceedings demand. Contact us for a confidential consultation.