Device Testing

Device security poses unique challenges like limited processing power, a complex stack of technologies and attacks against physical interfaces. Our team has years of experience and developed a holistic testing metholodolgy, starting from accurate threat modelling.

“Our goal is to make the digital lives of millions of people more secure.”

Threat modelling
We accurately determine a device’s threat model, gaining an understanding of how it is used, what data it handles, and the realistic attack vectors.
Flexible security testing
No matter what technologies were used to build it, we can identify the issues in the security critical parts of a device by performing code reviews, reverse engineering, and debugging.
Support
We support our clients with mitigation suggestions for the issues we’ve discovered and answer any questions that may arise during implementation.

Our Approach

A device test executes in five steps
1
Information gathering
  • Provided firmware, documentation
  • OSINT
  • Explore device physical interfaces; functionality
2
Threat modelling
  • Decompose device stack
  • Determine and rank threats based on incentive, strengthened by damage it may cause, versus effort to exploit

Threat modelling is what we base our test on. We continuously adjust the threat model as we develop a better understanding of the device.

3
Artifact analysis
  • Firmware analysis
  • Scan device surface
  • Develop understanding of security critical functionality
  • Deep component exploration, reverse engineering
4
Vulnerability exploitation
  • Try attack ideas generated at the artifact analysis step
  • Develop Proof of Concept
5
Collect and report vulnerabilities
  • Create findings report
  • Specify risk and mitigation suggestion for each finding

Why it matters

Devices have become a part of our life. Whether it’s IP cameras, connected car adapters, SIM card vending machines, smart phones, or routers, security issues in them can lead to movie-like invasions of privacy, identity theft, fraud, information leaks, and more.

We perform a holistic security assessment identifying all relevant risks to our clients and to the end users, and we help mitigate them.

Our research

Some ideas generated while testing one device proved interesting for a larger group of devices. This has lead to us writing state of the art tooling, and creating cutting edge research.

Research done by our team like BadUSB and our Android patch analysis tool can be found on our blog.

Explore more

aLL articles
Smarter is not always wiser: How we hacked a smart payment terminal
Smarter is not always wiser: How we hacked a smart payment terminal
blockchain
concept
hacking projects
15/8/2022
The Android ecosystem contains a hidden patch gap
The Android ecosystem contains a hidden patch gap
No items found.
2/6/2021
The Android patch ecosystem – Still fragmented, but improving
The Android patch ecosystem – Still fragmented, but improving
No items found.
2/6/2021