Open the device.Read the chain.
Bench-level pentest on your actual device. We pull JTAG, dump firmware, sniff the radio, and chain to the cloud, every finding ships as a working exploit with the patch path and a verified re-test.
BENCH · FIRMWARE · RADIO · CLOUD
Five surfaces
Hardware bench · firmware · radio · mobile companion · cloud / MQTT, one engagement, every layer.
Bench evidence
UART shell, dumped flash, captured pairing handshake, proof-of-exploit on the actual device.
Re-test included
We verify your fixes, firmware reflash, OTA patch, radio config, at no extra cost.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure
On record
What we test —
Six surfaces. Every one read on the bench.
IoT is a stack — a board, a firmware, a radio, a mobile companion, a backend the device dials home to. Each layer is reviewed by hand against the real attack surface, in the protocols and tools your team ships in.
Hardware bench — UART · JTAG · SWD · SPI flash · I²C
Enclosure opened. Test points probed with a logic analyzer. Debug interfaces brought up under OpenOCD / J-Link. SPI flash desoldered or read in-circuit, then dumped. Boot ROM and bootloader behaviour exercised against fault-injection where in scope.
Firmware — binwalk · squashfs · u-boot · secure-boot · hardcoded creds
Image carved with binwalk, root filesystem mounted, init scripts and busybox binaries reviewed by hand. Hardcoded API tokens, TLS keys, and PEM blobs extracted. Weak secure-boot anchors and unsigned bootloader-stage upgrades reported with the patch path.
Radio — BLE · Zigbee · Z-Wave · LoRa · Sub-GHz · 802.11
Packet captures with HackRF, Ubertooth, RFCat. BLE GATT walked for unauth read / write. Pairing bypass under Just Works mishandling. Zigbee key-establishment replay. LoRa join-accept tampering. Wi-Fi WPS and EAP downgrade where the device exposes them.
Mobile companion — paired iOS / Android binary
Companion app pulled from the store, instrumented under Frida, the pairing flow and deeplink handlers walked end to end. Hardcoded device secrets, weak certificate pinning to the cloud, and OAuth-state mishandling in account-linking flows.
Cloud, MQTT & OTA channel
Broker authentication walked for client-id reuse and topic over-subscription. Topic tree walked from a low-priv account for tenant isolation gaps. OTA update channel tested for unsigned image acceptance, downgrade attacks, and roll-back to a vulnerable build.
Web / device admin UI
Local admin UI, mDNS / SSDP service, and any cloud portal tested for default credentials, CSRF on state-changing endpoints, exposed /debug or /diag routes, command injection in network-config forms, and authentication-bypass via unauth API parity.
Why a network scan misses the device
Scanners read the manifest. IoT penetration testing reads the board.
A vulnerability scanner reads what the device advertises, a MAC, a few open ports, a banner, maybe a CVE match against the firmware string. That's the manifest. None of it survives contact with the hardware bench. IoT penetration testing lifts the lid. Probe the test points, attach UART, desolder or in-circuit-read the SPI flash, and the hardcoded TLS key resolves out of the firmware image. The BLE pairing accepts Just Works on a device the datasheet calls 'secure'. The MQTT client-id is the serial number printed on the label. Scanners can't capture a Zigbee replay, can't walk a GATT service, can't downgrade an OTA channel, can't read a debug credential out of squashfs. Bench work does. Every IoT engagement we close ends the same way: a working proof-of-exploit on the device, the patch path, and a written re-test.
WHAT LANDS IN SCOPE.
Counted, not claimed.
An IoT engagement at SecureLayer7 covers the full stack of a connected device. Numbers below describe what's in scope on a typical engagement. Not market-size claims.
Hardware bench · firmware · radio · mobile companion · cloud / MQTT · device admin UI. Each reviewed by hand on the bench.
BLE · Zigbee · LoRa · 6LoWPAN · NFC · Sub-GHz. Captured with HackRF, Ubertooth, RFCat. Z-Wave and Wi-Fi added when the device exposes them.
Keys · creds · endpoints. Hardcoded TLS keys, debug credentials, OTA-update endpoints, and signing material pulled from extracted images.
Same researcher, same chain. Firmware reflash, OTA patch, or radio-config change verified and signed in writing.
FIRMWARE TO RF.
What a bench engineer finds on a device a network scanner cannot see.
- 01Firmware extraction
Dump SPI flash with a clip and a Bus Pirate, unpack the squashfs, recover hardcoded API keys and update-signing certificates.
- 02Hardware debug to root
Find UART headers under the shield can, drop to U-Boot, enable single-user mode, read /etc/shadow and the device private key.
- 03Radio capture and replay
Sniff BLE, Zigbee, or LoRa with an SDR, replay pairing or join frames, forge sensor messages the gateway treats as authentic.
- 04Companion app to backend
Reverse the Android APK for the device API, find an IDOR on the device-id route, control any unit on the fleet.
- 05OTA chain to cloud
Push a signed image with a recovered key, pivot from the device MQTT identity into the broker, read tenant topics.
IOT METHODOLOGY.
Eight phases. Bench to cloud.
Threat-modelled to your device class, board revision, radio mix, and cloud reach. Not a checklist run against every device that lands on the bench.
- 01Scope & threat-model
- 02Surface recon
- 03Hardware bench
- 04Firmware extraction
- 05Radio capture & replay
- 06Mobile companion & cloud
- 07Exploit synthesis
- 08Patch verification
Insights
IoT & device Resources.
Firmware extraction notes, radio-side findings, and hardware bring-up, published by the same operators who run device pentests.
Meet our engagement lead
One lead across firmware, cloud, and radio.
John Dill
vCISO at SecureLayer7
Bench-led
IoT engagement model
HW · FW · Radio
In scope by default
98%
Engagement-lead close rate
John scopes IoT pentest engagements against your device class, board revision, radio mix, and cloud reach. He runs kick-off, status reviews, and sign-off so the bench pod stays heads-down on the device.
- Scopes engagements across consumer, industrial (IEC 62443), automotive, and medical IoT against your real risk model.
- Owns kick-off, mid-engagement walkthroughs, and live review of every bench, firmware, and radio finding.
- Drives remediation review and re-test until every chain is closed and the patch is verified on the device.
Ready to scope an IoT pentest? Book 30 minutes with John to walk through your device class, board revision, radio mix, and timeline.
Book a 30-min callTested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
HealthTech
Medical devices, infusion pumps, monitor networks, MQTT/HL7 IoT gateways.
Built for India engagements
What changes when we deliver here.
Compliance scoping
Hardware teardown and firmware diff in scope
Regulatory framework
TRAI M2M and NCIIPC CII controls cited per device
Local engagements
Indian OEM smart-metering and EV-charger engagements
Local pricing
INR per-device-class pricing with GST
Compliance scoping
DPDP Section 8 device-data review with cloud sync trace
IoT security questions Indian OEMs ask.
Do you cover TRAI M2M and connectivity rules?
Yes. SIM profile, eUICC, MNO interface and OTA channels are reviewed. Findings cite the TRAI M2M guideline section and date.
Hardware teardown and firmware extraction in scope?
Yes. UART, JTAG, SPI and eMMC paths attempted. Firmware diffed across versions. Each finding shows the bytes and the chip.
How is NCIIPC CII alignment handled?
Devices in CII deployments map to NCIIPC controls. Each finding tags the NCIIPC clause and the impact on the protected system.
DPDP Section 8 for device-collected data?
PII at rest, BLE pairing keys and cloud sync paths reviewed. Findings cite the Reasonable Security Safeguard violated.
Delivery in India
TRAI M2M aligned. NCIIPC and DPDP ready.
Hardware, firmware, radio and cloud reviewed. TRAI M2M guidelines, NCIIPC CII controls and DPDP Section 8 device-data clauses cited per finding.
- Direct line
- +91-20-71600505
- Office
- Pune, Maharashtra, India
Frameworks scoped: CERT-In · DPDP Act · RBI CSF · SEBI CSCRF · ISO/IEC 27001 · PCI DSS.
Sample IoT engagement report
See what arrives in your inbox.
A pre-vetted sample report: full IoT pentest narrative, working proof-of-exploit on the device (hardware, firmware, radio, cloud), the patch path, and the re-test confirmation. Sent on request after a 5-minute scoping call.