Device security poses unique challenges like limited processing power, a complex stack of technologies and attacks against physical interfaces. Our team has years of experience and has developed a holistic testing methodology, starting from accurate threat modelling.
“Our goal is to make the digital lives of millions of people more secure.”
Threat modelling
We accurately determine a device’s threat model, gaining an understanding of how it is used, what data it handles, and the realistic attack vectors.
Flexible security testing
No matter what technologies were used to build it, we can identify the issues in the security critical parts of a device by performing code reviews, reverse engineering, and debugging.
Support
We support our clients with mitigation suggestions for the issues we’ve discovered and answer any questions that may arise during implementation.
Our Approach
A device test executes in five steps
1. Information gathering
Provided firmware, documentation
OSINT
Explore the device’s physical interfaces and functionality
2. Threat modelling
Decompose device stack
Determine and rank threats based on incentive, strengthened by the damage they may cause, versus the effort to exploit them
Threat modelling is what we base our test on. We continuously adjust the threat model as we develop a better understanding of the device.
3. Artifact analysis
Firmware analysis
Scan device surface
Develop understanding of security critical functionality
Deep component exploration, reverse engineering
4. Vulnerability exploitation
Try attack ideas generated at the artifact analysis step
Develop Proof of Concept
5. Collect and report vulnerabilities
Create findings report
Specify risk and mitigation suggestion for each finding
Why it matters
Devices have become a part of our life. Whether it’s IP cameras, connected car adapters, SIM card vending machines, smart phones, or routers, security issues in them can lead to movie-like invasions of privacy, identity theft, fraud, information leaks, and more.
We perform a holistic security assessment identifying all relevant risks to our clients and to the end users, and we help mitigate them.
Our research
Some ideas generated while testing one device proved interesting for a larger group of devices. This has led to us writing state-of-the-art tooling and creating cutting-edge research.
Research done by our team, like BadUSB and our Android patch analysis tool, can be found on our blog.