IoT Security Evaluation
Evaluating security isn't just our job, it's our obsession. Tens of billions of internet-connected devices are expected by the end of the decade - enough for at least five devices per global inhabitant. The scale of devices in our future requires a proven security testing regime. Casaba’s IoT security processes combine years of experience in application, device, and hardware security testing and secure development across both consumer and enterprise products.
Automated or Manual Testing
Because security testing requires simulating repeated attacks on different facets of the IoT device's attack surface, many security specialists rely on automated tools to do the job. Some of these tools are very effective, but no single tool is a standalone solution, and we rely on them to triage and identify focal areas for testing. At Casaba, we believe in an interactive security testing approach when evaluating IoT assets.
Embedded Device
Device security starts at the hardware layer and includes the entire software stack. At the device layer, we have experience analyzing firmware, wireless stacks, and ASIC implementations.
Firmware Security Assessment
We analyze not only the firmware image itself, but also the security best practices involved in the device's handling of the image. Evaluations check for integrity-breaking conditions and advise on means of tamper-proofing device firmware.
Wireless Security Evaluation
To best evaluate wireless technologies, we build them in-house. How thorough can one be in evaluating wireless technologies without having constructed one's own cellular base station? Certain IoT assets aren't even able to communicate over IP and rely upon a protocol gateway to proxy communications.
IoT Device Interface Security
Whether the IoT infrastructure is designed to be unidirectional or bi-directional, the API on both the device and the service can present security concerns. We evaluate for proper end-to-end communications between the node and the service, and our deep understanding of application security lets us offer design guidance and implementation testing.
IoT Security for Device Lifetime
Our testing goes beyond short-term go-to-market needs by accounting for the entire lifetime of the device. Whether your IoT product is designed for years or decades, we ensure the security of the device is relevant for both the present and future. Communications from field devices can be sporadic, and we evaluate proper Time-to-Live implementation for maintaining and tracking IoT assets over the long haul.
Managing Secrets
Embedding secrets into a device is convenient. However, that convenience presents immense security risk when deployed IoT assets cannot be updated. Casaba can review and evaluate means for securely managing secrets and encrypting sensitive data in transit. Casaba’s policy experts can assist your development team in authoring best practice policies for storing/using IoT credentials, secure asset provisioning, dynamic secret generation, and API keys for encrypting passwords.
IoT Security at Scale
Device-level evaluation is only part of the story. IoT assets are backed by infrastructure that relies on cloud services, with assets that come in all shapes and sizes. Their implementations can cover a multitude of communication protocols, let alone various programming languages. Unlike some security firms, Casaba has wide experience in auditing nearly all major cloud infrastructures and development stacks used in IoT devices. Our diversity gives us the capability to quickly simulate heterogeneous IoT clusters and their interactions. We are able to identify and assess insecure behaviors that wouldn't be apparent in just one IoT node or architecture choice.