IoT Security Evaluation
Evaluating security isn't just our job, it's our obsession.
Business Insider estimates 34 billion internet-connected devices by 2020 - just enough for roughly three devices per global inhabitant. The scale of devices in our future requires a proven security testing regime.
Automated or Manual Testing
Because security testing requires simulated repeated attacks on different facets of the IoT device's surface, many security specialists rely on automated tools to do the job. Some of these tools are very effective, but no single tool is a standalone solution and we rely upon them as a means to triage and identify focal areas for testing. At Casaba, we believe in an interactive security testing approach when evaluating IoT assets.
Device security starts at the hardware layer and includes the entire software stack. At the device layer, we have experience analyzing firmware, wireless stacks, and ASIC implementations.
Firmware Security Assessment
Firmware exists at the heart of every IoT asset. We analyze not only the firmware image itself but also the security best practices involved in the device's handling of the image. Casaba evaluates for integrity-breaking conditions and advises on means for tamper-proofing device firmware.
Wireless Security Evaluation
To best evaluate wireless technologies, we build them in-house. How thorough can one be in evaluating wireless technologies if they themselves have not constructed their own cellular base station? Certain IoT assets aren't even able to communicate over IP and rely upon a protocol gateway to proxy communications.
IoT Device Interface Security
Whether the IoT infrastructure is designed to be unidirectional or bi-directional, the API on both the device and the service can present security concerns. We evaluate for proper end-to-end communications between the node and the service, and we deeply understand application security where we can offer design guidance and implementation testing.
IoT Security for Device Lifetime
We account for the lifetime of the device. Whether your IoT device is designed to live only for hours or lie beneath the soil for years, we want to ensure the security of the device is relevant for the present and the future.
Communications from field devices can be sporadic and we evaluate proper Time-to-Live implementation for maintaining and tracking IoT assets.
Embedding secrets into a device is convenient. However, such a convenience presents immense security risk when deployed IoT assets cannot be updated. Casaba can review and evaluate means for securely managing secrets and encrypting sensitive data in transit. Casaba's policy experts can assist your development team in authoring best practice policies for storing/using IoT credentials, secure asset provisioning, dynamic secret generation, and API keys for encrypting passwords.
IoT Security at Scale
Casaba Security recognizes that device-level evaluation alone is only part of the story. IoT assets are backed by infrastructure that is reliant on cloud services, with assets that come in all shapes and sizes. Their implementations can span a multitude of communication protocols, not to mention various programming languages.
Unlike some security firms, Casaba has wide experience in auditing nearly all major cloud infrastructures and development stacks used in IoT devices today. Our diversity gives us the capability to quickly simulate heterogeneous IoT clusters and their interactions. We are able to identify and assess insecure behaviors that wouldn't be apparent in just one IoT node or architecture choice.