By Tyler Bell

Following is an abbreviated version of a blog post by Tyler Bell, director of application security for the professional services team at Flexential.

Embedded systems security is nothing new. Flexential's Senior Vice President of Professional Services Trent Hein even wrote an article on securing such devices years before it was cool. However, given the rise in the use of these devices at home, in the workplace, and beyond, we established a penetration testing methodology that could be used to ensure at least some level of secure configuration and deployment of such devices. As with anything involving application security, we first referenced the Open Web Application Security Project for guidance in the world of the Internet of Things. OWASP has an awesome project for this very subject area. For the most part though, Flexential Professional Services already had established testing methodologies for the key components that comprise an IoT device: infrastructure/network testing, web application/application programming interface testing and mobile application testing.

There may be more to an IoT device than just an embedded system. Many devices now, such as the new Spider-Man toy from Sphero, include a mobile application that facilitates interaction with the toy, a cloud-based API that allows for communication with and updates of the embedded system and mobile application, and the infrastructure that hosts that API.

All of these components work together to deliver the device's functionality and create an amazing end-user experience. Each additional component also increases risk and exposes new attack vectors. These components are important to be aware of and are common in IoT devices. To summarize, they include the following:

Embedded Systems

Devices range from fairly basic internal hardware with limited functionality to hardware running complete operating systems, such as Android.

Mobile Applications

Many IoT devices support mobile applications that allow for some level of management or interaction.

IoT Device or Mobile APIs

In some cases, an embedded system may have no interaction with anything; in other cases, it may simply communicate with a mobile application over a short-range channel such as Bluetooth. In still other cases (a lot lately), we've seen the embedded system itself receiving internet access to communicate with a cloud-based API. IoT devices and their mobile applications may or may not talk to the same API; it all depends on how they were developed.

API Infrastructure

One of the OWASP Top 10 threats to application security is misconfiguration of the infrastructure on which it is hosted. This can be anything from the web server hosting the application or API, a database hosting sensitive content, or the operating system on which services run, to the network and infrastructure where everything sits.


Everyday consumers can help protect their privacy by being aware of what their IoT devices can do, and what they talk to! Ask for, or do an online search for, statements from manufacturers on their stance on consumer privacy and information security. Make sure they’ve implemented some baseline of security measures on their end to help protect you!

Tyler Bell is director of application security for the professional services team at Flexential. In this role, he leads many types of assessments, including penetration testing. Tyler has been in the information security industry for more than seven years.