HDWSec

IoT, Embedded & Hardware Security

From firmware to radio waves, we attack what gets connected.

Our team combines 0-day vulnerability research, IoT pentesting and hardware hacking. Consumer routers, professional equipment, industrial controllers or proprietary embedded systems: we identify what an attacker can do with your hardware.

France Cybersecurity Label
10+ Years of experience
500+ Tests completed
100+ Satisfied clients
Expertise forged in critical environments

Notable engagements

What we have broken

A selection of findings and missions delivered by our team. Technical details are published after remediation and with the client's agreement, as part of our responsible disclosure process.

0-day research

Fritz!Box router compromise

Discovery and exploitation of a vulnerability chain enabling full takeover of the router from the local network.

Pentest engagement

Netgear router compromise

Access to a corporate private network through compromise of its Netgear edge router during an external penetration test.

Crypto research

BitLocker bypass

Development of an attack enabling decryption of an organisation's employee laptops without knowledge of the user password or recovery key.

Pentest engagement

Canon printer compromise

Exploitation of an internal-network printer granting access to the history of documents printed within the audited organisation.

Hardware hacking

Radio-operated door opening

Analysis and replay of the radio signal from a corporate access control system, enabling unauthorised opening of a secure door.

Three pillars

From upstream research to field engagements

Research

0-day vulnerability research

Discovery of unknown flaws in widely deployed equipment. Our findings feed both our client engagements and the wider community through responsible disclosure and CVE attribution.

Audit

IoT & connected device pentest

Real-world security assessment of your connected products: embedded firmware, radio communications, cloud integration and mobile ecosystem. Suitable for manufacturers and operators alike.

Hardware

Hardware hacking

Physical analysis of components: debug interfaces, memory extraction, fault injection, side-channel. Used in R&D as well as on client engagements.

Technical domains covered

From the software layer to the physical layer

Embedded software

Firmware

Extraction, static analysis and reverse engineering of the embedded binary. Hunting for credentials, cryptographic keys, hidden features and vulnerabilities exploitable remotely or through the update mechanism.

Physical access

Hardware

Identification and exploitation of debug interfaces (UART, JTAG, SWD, SPI), memory extraction, fault injection (glitching) and side-channel analysis on critical components.

Wireless

Radio & Wireless

Audit of BLE, Zigbee, LoRa, Wi-Fi and Sub-GHz protocols. Capture, replay, decryption and frame fuzzing to assess authentication, encryption and replay resistance.

OT & Industrial

Industrial protocols

Testing on Modbus, MQTT, OPC-UA, CAN and field buses. Assessment of OT equipment, PLCs and IIoT gateways while respecting production constraints.

Frequently asked questions

What you need to know before starting

How is IoT pentesting different from application pentesting?

IoT pentests cover attack surfaces that classical audits do not reach: embedded firmware, radio communications, physical debug interfaces, integration with a proprietary cloud and a mobile app. Our approach reproduces the full chain, from chip-off down to BLE frame replay, whereas an application pentest stops at the software layer.

How does hardware delivery work?

You provide one or more samples of the device, ideally in its target configuration. Our experts then perform firmware extraction, debug interface analysis and evaluation of both radio and wired communications. The hardware remains in our lab under access control for the duration of the engagement.

Can you audit industrial equipment (OT) in production?

Yes, with appropriate precautions. For live OT environments we favour a passive approach (network analysis and protocol capture) and limit intrusive tests to maintenance windows or pre-production benches. The exact scope and rules of engagement are defined during scoping together with your process teams.

What do you do with your 0-day findings?

All research findings go through a responsible disclosure process with the vendor, with CVE attribution where applicable. Technical details are only published once the vulnerability has been patched, in line with security community best practices.

Do you have an in-house hardware hacking lab?

Yes. Our lab is equipped for hardware audits: logic analysers, SDRs (HackRF, Ubertooth), glitching equipment, reprogramming stations, microscopes and chip-off tools. We also work with a network of partners for the most exotic components.

A device to analyse?

Our experts scope the engagement with you, from firmware to radio bench, and provide a tailored quote within 48 hours.