Security shouldn’t be sacrificed


Wherever you look, dress, eat, drive or enjoy yourself, a device looks after you, follows you, collects your experiences and knows how you are feeling. It adapts by learning about you. This is the era of IoT, where more “things” are connected to the Internet than people.

Security and safety, however, do not shine as brightly as the improvements, features and evolution of IoT smart devices. There are now many examples of how IoT can hide subtle security issues: by exploiting insulin pumps, hackers can overdose diabetic patients, and they can remotely hijack a self-driving car. Cyber security risks can be grouped into four key areas: safety, since attackers can compromise safety by breaking into a system or medical equipment; economy, since hackers can use IoT devices to create a network of infected hosts (a “botnet”) and launch attacks against big companies; privacy, since malicious users can steal pictures, live camera video, contacts, SMS messages and phone calls through backdoors; and brand reputation, since companies could lose the trust of their stakeholders.


In this context, Reply’s mission is to proactively detect and thwart cyber-attacks and incidents against customers’ IoT solutions by adopting a five-building-block approach (Concept Sketching, Security Requirements and Design, Secure Coding, Advanced Security Testing, Security Product Sustainment). Reply comes into play to address, support and satisfy all the security needs of customers, from concept sketching to production: Reply is a driver of innovation in the IoT field, where experience, communication, security and safety are the keywords for success. In this process, the main innovation put into practice by Reply is the Advanced Security Testing methodology, devised to perform tailored IoT penetration tests focusing on both hardware and software analysis and attacks.


As the number of devices grows rapidly, security risks and threats grow with it. Standard security principles and assessment methodologies do not always apply directly, because of the different requirements and constraints of the IoT world. Compared to ordinary penetration tests, IoT solutions deserve a different approach and skills ranging from hardware to software. Years of work experience and research have allowed Reply to devise and refine a methodology and framework that thoroughly embody the hacker’s perspective. In short, Reply Advanced Security Testing activities begin where ordinary penetration tests end.

Security tests begin with the retrieval of publicly available resources about the target, such as datasheets, device internals, firmware images, blogs, news, etc.

Afterwards, Reply continues with an accurate definition of the available attack surfaces, by identifying exposed I/O interfaces (USB, GSM, CAN bus, RS232, JTAG, etc.) and the possible security threats and attack scenarios. This phase is crucial for planning the subsequent analyses and attack attempts.

An IoT device, in its generic form, can be defined as a tailored combination of hardware and software, mostly custom, with the latter often not directly accessible to end users. Hardware analysis addresses these needs through reverse engineering techniques applied at the PCB level, in order to understand the inner workings of an unknown IoT device. In the hardware context, the common goal for an attacker is retrieving the firmware, whenever it is unavailable, or tampering with the normal device execution (e.g., for debugging purposes).

Reply hardware analysis approaches can be broadly classified into two different solutions: passive and active.

First, passive PCB analysis consists of observing the device without interfering with its normal operations. As an example, this solution may include the following activities (the list is not all-inclusive): identification of ICs (e.g., EEPROM, flash, CPUs, etc.); inspection of communication and debug interfaces (JTAG, UART, I2C, SPI, etc.) to uncover insecure functionality; monitoring of data buses to identify protocols and determine the data exchanged.

On the other side, active hardware analysis includes all those activities that involve some invasive action, including (but not limited to) the following: live memory dumping through in-circuit techniques; de-soldering of non-volatile storage components from the PCB to extract their content (chip-off).
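The passive bus-monitoring step described above, in practice, means turning raw logic-analyzer samples into bytes so the assessor can tell what a debug port is leaking (a boot log, a shell prompt, credentials). The following is an added example, not Reply's tooling or any code from the original page: it decodes a constructed 8N1 UART capture, estimating the bit period from the shortest pulse in the trace and reporting framing errors rather than silently emitting garbage. The sample rate, payload and the `uart_capture` helper that fabricates the trace are all assumptions made for the example.

```python
# Added example (not from the original page): decoding a passively captured
# UART line from raw logic-level samples. All inputs are constructed here.


def uart_capture(payload, spb, idle_bits=4):
    """Construct a logic-level capture (list of 0/1 samples) for an 8N1 UART
    transmission of `payload`, with `spb` samples per bit. This is a constructed
    stand-in for a real logic-analyzer export."""
    samples = [1] * (idle_bits * spb)                       # line idles high
    for byte in payload:
        # start bit, eight data bits LSB-first, stop bit
        frame = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for level in frame:
            samples.extend([level] * spb)
        samples.extend([1] * spb)                           # idle gap between characters
    samples.extend([1] * (idle_bits * spb))
    return samples


def estimate_samples_per_bit(samples):
    """The shortest run of identical samples is one bit period, provided the
    capture contains at least one single-bit pulse (true for 8N1 whenever a
    transmitted byte has its LSB set: the start bit is then a one-bit low pulse)."""
    runs, run = [], 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    return min(runs)


def baud_rate(sample_rate_hz, spb):
    """Baud rate implied by the capture's sample rate and the estimated bit period."""
    return sample_rate_hz // spb


def decode_uart(samples, spb):
    """Decode 8N1 frames by sampling at the centre of each bit period.
    Returns (decoded bytes, number of frames dropped for framing errors)."""
    out, errors = bytearray(), 0
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1:                                 # idle, or inside a stop bit
            i += 1
            continue
        centre = i + spb // 2                               # centre of the candidate start bit
        if centre >= n:
            break
        if samples[centre] != 0:                            # glitch shorter than half a bit
            i += 1
            continue
        stop_pos = centre + 9 * spb                         # centre of the stop bit
        if stop_pos >= n:
            break                                           # frame truncated by end of capture
        value = 0
        for bit in range(8):
            value |= samples[centre + (bit + 1) * spb] << bit
        if samples[stop_pos] == 1:
            out.append(value)
        else:
            errors += 1                                     # stop bit not high: framing error
        i = stop_pos + 1                                    # resynchronise on the next falling edge
    return bytes(out), errors


if __name__ == "__main__":
    trace = uart_capture(b"OK\n", spb=8)                    # constructed capture
    spb = estimate_samples_per_bit(trace)
    print("bit period: %d samples -> %d baud at 921.6 kS/s" % (spb, baud_rate(921600, spb)))
    print(decode_uart(trace, spb))                          # (b'OK\n', 0)
```

On a real capture the same code runs over the exported sample list; a non-zero error count usually means the baud estimate is wrong or the probe was attached to the wrong pin, which is worth checking before concluding that the port is unused.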


Whether the firmware is gathered through exposed device services (e.g., SSH/Telnet, CLI), downloaded from official or third-party locations, or obtained by means of hardware-based approaches (e.g., JTAG, chip-off), it needs to be unpacked and analyzed. The format of the firmware is often proprietary or encrypted, so specific analyses are necessary in order to understand its internal format and access any embedded resource (e.g., binary programs and configuration files).
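Understanding an unknown firmware's internal format usually starts with two cheap checks: scanning for the magic values of common containers and filesystems, and mapping per-block entropy to separate plaintext headers from compressed or encrypted regions. The example below is added here and is not Reply's tooling or code from the original page; it runs both checks over a constructed image (plaintext header, a gzip member, then seeded random bytes standing in for ciphertext) and carves the gzip member out. The signature table, the entropy thresholds and the sample layout are assumptions made for the example.

```python
# Added example (not from the original page): first-pass triage of an unknown
# firmware image. The image analysed here is constructed inline.
import gzip
import math
import random
import zlib
from collections import Counter

# Magic values of containers commonly found in embedded firmware images.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",
    b"\x7fELF": "ELF executable",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"UBI#": "UBI volume",
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"PK\x03\x04": "ZIP archive",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}


def find_signatures(image):
    """Return sorted (offset, name) pairs for every magic value found."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = image.find(magic)
        while start >= 0:
            hits.append((start, name))
            start = image.find(magic, start + 1)
    return sorted(hits)


def shannon_entropy(block):
    """Bits of entropy per byte: near 0 for padding/plaintext, close to 8 for random data."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def classify(entropy):
    # Heuristic thresholds for 1 KiB blocks; 1 KiB of random data scores about 7.8.
    if entropy > 7.5:
        return "likely encrypted or compressed"
    if entropy > 6.0:
        return "packed or mixed binary"
    return "plaintext or low-entropy data"


def entropy_map(image, block_size=1024):
    """List of (offset, entropy, label) per block; a jump between blocks marks a region boundary."""
    result = []
    for off in range(0, len(image), block_size):
        e = shannon_entropy(image[off:off + block_size])
        result.append((off, round(e, 2), classify(e)))
    return result


def carve_gzip(image, offset):
    """Decompress the gzip member starting at `offset` and report how many image
    bytes it spanned, so a scan can resume right after it."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)            # 16 + wbits selects gzip framing
    data = d.decompress(image[offset:])
    if not d.eof:
        raise ValueError("truncated gzip stream at offset %d" % offset)
    consumed = len(image) - offset - len(d.unused_data)
    return data, consumed


# --- constructed sample image: plaintext header | gzip'd config | opaque blob ---
HEADER_SIZE = 1024
SAMPLE_CONFIG = b"hostname=sensor-node\nlog_server=10.0.0.5\nlog_level=info\n" * 8


def build_sample_image():
    header = b"FWv1.0 constructed sample image".ljust(HEADER_SIZE, b"\x00")
    packed = gzip.compress(SAMPLE_CONFIG, mtime=0)          # deterministic gzip member
    rng = random.Random(1234)                                # seeded: stands in for ciphertext
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return header + packed + blob, len(packed)


SAMPLE_IMAGE, SAMPLE_GZIP_LEN = build_sample_image()


if __name__ == "__main__":
    for off, name in find_signatures(SAMPLE_IMAGE):
        print("0x%06x  %s" % (off, name))
    for off, e, label in entropy_map(SAMPLE_IMAGE):
        print("0x%06x  entropy=%.2f  %s" % (off, e, label))
    cfg, used = carve_gzip(SAMPLE_IMAGE, HEADER_SIZE)
    print("carved %d bytes of config from a %d-byte gzip member" % (len(cfg), used))
```

A region that scores near 8 bits per byte but has no recognisable header in front of it is the usual sign of an encrypted or vendor-packed payload, which is where the deeper format analysis the text mentions has to begin; a short magic such as `BZh` will also produce occasional false hits inside random data, so every signature hit should be confirmed by actually parsing the container at that offset.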

This phase funnels the expertise and resources gathered during the previous ones. The I/O interfaces identified as drivers for the defined threat model are deeply analyzed in terms of the binaries and resources involved, either directly or indirectly.

For each I/O interface, our security experts reverse engineer and understand the protocols and algorithms involved in the communication, to spot any weakness or vulnerability that a malicious user could leverage to craft and perform an attack.


The activity ends by collecting the results and evidence of the security assessment and providing the final report to the customer. This report includes an executive summary and a detailed description of all the security issues identified on the target, providing for each of them a “Proof-of-Concept” (PoC), i.e., a concrete demonstration of the presence of the vulnerability. Vulnerability risks are ranked according to IoT-specific metrics.