IoT Pentest

Firmware, hardware and wireless protocols under the microscope

€175/hour · CCV certified

IoT devices introduce attack surfaces that traditional security tools miss. We analyse firmware, communication protocols (MQTT, Zigbee, BLE), hardware interfaces and cloud backends. From camera to industrial control system.

What is an IoT pentest?

An IoT pentest is a security assessment of Internet of Things devices and their ecosystem. We analyse not just the device, but the complete picture: firmware, hardware interfaces, wireless protocols, mobile apps, cloud backends and the APIs connecting everything.

Where a traditional pentest focuses on software, an IoT pentest also requires hardware knowledge. We solder onto UART and JTAG, read flash chips via SPI/I2C, reverse-engineer firmware with Ghidra and Binwalk, and fuzz wireless protocols with SDR. Our team combines software exploitation with hands-on hardware hacking.

What do we investigate?

  • Firmware - extraction, reverse engineering, hardcoded credentials, debug interfaces, command injection, outdated libraries.
  • Hardware - PCB inspection, debug ports (UART, JTAG, SWD), chip identification, flash memory readout.
  • Communication protocols - MQTT, CoAP, Zigbee, Z-Wave, BLE, LoRa: encryption, authentication, replay attacks.
  • Cloud backend - the API the device communicates with: authentication, authorisation, data handling.
  • Mobile app - the companion app for configuration and control.
  • Update mechanism - is the firmware update signed? Can an attacker inject a malicious update?

Why should you get an IoT pentest?

IoT devices are notoriously insecure:

  • Large numbers: hundreds to thousands of devices, each a potential entry point.
  • Rarely patched: IoT runs on outdated firmware for years.
  • Physical access: cameras, sensors and locks are physically accessible to an attacker.
  • Pivoting: a compromised IoT device is a stepping stone to the internal network.
  • Privacy: cameras and sensors process sensitive data - a leak has direct privacy impact.

Our approach

We follow the OWASP IoT Security Verification Standard and go further. We are researchers who love puzzles:

  • Device acquisition - we receive one or more specimens for destructive and non-destructive analysis.
  • Hardware analysis - PCB inspection, debug interfaces, flash readout for firmware extraction.
  • Firmware analysis - Binwalk, Ghidra and manual reverse engineering. Hardcoded credentials, vulnerable libraries, command injection.
  • Protocol analysis - sniffing and fuzzing with SDR, BLE sniffers and protocol-specific tooling.
  • Cloud & API - testing the backend API for authentication, authorisation and data handling.
  • Reporting - technical report with firmware analysis, hardware photos, protocol captures and concrete recommendations. Retest available on request.

If we find something critical, you hear about it the same day. We keep communication lines short.

What does an IoT pentest cost?

Our hourly rate is €175 per hour. IoT pentests are labour-intensive because of the breadth of work they cover:

  • Single device, limited scope (firmware + communication): approximately €8,000 - €15,000
  • Full ecosystem (hardware + firmware + protocol + cloud + app): approximately €15,000 - €30,000

Costs depend on device complexity and the number of protocols. You receive a fixed quote after the scoping call.

Frequently asked questions

Do you need to receive the physical device?

Yes, at least one specimen. For destructive research (desoldering, PCB modification) we recommend two. If shipping is not possible, we come to you.

Do you also test industrial IoT (IIoT)?

Yes. Industrial sensors, PLC controllers, SCADA gateways - we understand the risks and limitations of testing in operational environments. We test carefully and in consultation.

Which wireless protocols can you analyse?

WiFi, Bluetooth (Classic + BLE), Zigbee, Z-Wave, LoRa, MQTT, CoAP. For less common protocols we use SDR. If it communicates wirelessly, we can analyse it.
