Pentest IoT
Before you ship, find out what an attacker can do with your connected device.
We test your connected device as a complete product: embedded firmware, hardware debug interfaces, radio links and the surrounding mobile and cloud ecosystem. The goal is to qualify the real security level of an existing device before deployment or release, and to hand you the exploitable flaws together with their fixes.
France Cybersecurity Label
The attack surface
A connected device exposes far more than its web interface
An IoT product accumulates surfaces that a standard application audit never touches. The firmware may hold hard-coded credentials, private keys or an unsigned update mechanism. Debug pins left active expose memory contents. Radio links sometimes carry commands with no authentication and no replay protection. The companion app, together with the associated cloud API, widens the perimeter further still. An attacker holding the device physically chains these layers together, and we reproduce that chain to measure what is genuinely reachable.
What we test
The whole product, from chip to cloud
Hardware and debug interfaces
Identification of UART, JTAG, SWD and SPI interfaces left accessible, access to the console and to memory, and flash dumping. We look for disabled protections (memory read-out, debug-port lockout) that open physical access to the system.
Embedded firmware
Firmware extraction and analysis: hunting for secrets (credentials, keys, certificates), review of the binaries and verification of the update mechanism. An unsigned or unencrypted OTA image lets an attacker push their own firmware.
Radio communications
Audit of BLE, Zigbee, LoRa and Wi-Fi links: frame interception, command replay and pairing analysis. We assess authentication, encryption and replay resistance between the device and its peers.
Mobile and cloud ecosystem
Testing of the companion app (local storage, embedded secrets, communication with the device) and the associated API or cloud backend: authentication, access control over another user's devices, and server-side command exposure.
Frequently asked questions
IoT pentesting in practice
How does this differ from your IoT Security offer?
This offer is a penetration test: we qualify the security level of an existing product before deployment or release, within a scoped perimeter and timeframe. Our IoT Security offer is offensive R&D: advanced hardware hacking, fault injection and 0-day research on components or protocols. The two are complementary; see the IoT Security page for vulnerability research.
What do you need to get started?
At minimum one or two units of the device, the companion app and, when available, the technical documentation and access to the backend staging environment. Depending on the radio links involved, we bring our own test bench. The exact scope (test families retained, level of knowledge provided) is set during the initial scoping.
How is this more than an automated scan?
A scanner cannot open a casing, attach a probe to a UART pin, extract a flash image or replay a BLE frame. IoT pentesting is a manual analysis that chains the hardware, firmware, radio and software layers to reconstruct a realistic attack scenario. The deliverable is a report with the confirmed vulnerabilities, their impact and a prioritised remediation plan.
Other domains
Explore our other penetration tests
Pentest Web
Your web apps and APIs carry business logic that an automated scanner cannot probe.
Pentest Mobile
Find the flaws in your iOS and Android app before an attacker exploits them.
Pentest Cloud
One over-permissive IAM role or an open bucket is enough to compromise your whole cloud.
Pentest LLM
Your LLM applications open an attack surface that your usual tests do not cover.
Penetration testing overview
A connected device to qualify before deployment?
We define the scope with you, from firmware to the radio test bench, and provide a tailored quote within 48h.