Open the device.Read the chain.
Bench-level pentest on your actual device. We pull JTAG, dump firmware, sniff the radio, and chain to the cloud, every finding ships as a working exploit with the patch path and a verified re-test.
BENCH · FIRMWARE · RADIO · CLOUD
Five surfaces
Hardware bench · firmware · radio · mobile companion · cloud / MQTT, one engagement, every layer.
Bench evidence
UART shell, dumped flash, captured pairing handshake, proof-of-exploit on the actual device.
Re-test included
We verify your fixes, firmware reflash, OTA patch, radio config, at no extra cost.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure
On record
What we test —
Six surfaces. Every one read on the bench.
IoT is a stack — a board, a firmware, a radio, a mobile companion, a backend the device dials home to. Each layer is reviewed by hand against the real attack surface, in the protocols and tools your team ships in.
Hardware bench — UART · JTAG · SWD · SPI flash · I²C
Enclosure opened. Test points probed with a logic analyzer. Debug interfaces brought up under OpenOCD / J-Link. SPI flash desoldered or read in-circuit, then dumped. Boot ROM and bootloader behaviour exercised against fault-injection where in scope.
Firmware — binwalk · squashfs · u-boot · secure-boot · hardcoded creds
Image carved with binwalk, root filesystem mounted, init scripts and busybox binaries reviewed by hand. Hardcoded API tokens, TLS keys, and PEM blobs extracted. Weak secure-boot anchors and unsigned bootloader-stage upgrades reported with the patch path.
Radio — BLE · Zigbee · Z-Wave · LoRa · Sub-GHz · 802.11
Packet captures with HackRF, Ubertooth, RFCat. BLE GATT walked for unauth read / write. Pairing bypass under Just Works mishandling. Zigbee key-establishment replay. LoRa join-accept tampering. Wi-Fi WPS and EAP downgrade where the device exposes them.
Mobile companion — paired iOS / Android binary
Companion app pulled from the store, instrumented under Frida, the pairing flow and deeplink handlers walked end to end. Hardcoded device secrets, weak certificate pinning to the cloud, and OAuth-state mishandling in account-linking flows.
Cloud, MQTT & OTA channel
Broker authentication walked for client-id reuse and topic over-subscription. Topic tree walked from a low-priv account for tenant isolation gaps. OTA update channel tested for unsigned image acceptance, downgrade attacks, and roll-back to a vulnerable build.
Web / device admin UI
Local admin UI, mDNS / SSDP service, and any cloud portal tested for default credentials, CSRF on state-changing endpoints, exposed /debug or /diag routes, command injection in network-config forms, and authentication-bypass via unauth API parity.
Why a network scan misses the device
Scanners read the manifest. IoT penetration testing reads the board.
A vulnerability scanner reads what the device advertises, a MAC, a few open ports, a banner, maybe a CVE match against the firmware string. That's the manifest. None of it survives contact with the hardware bench. IoT penetration testing lifts the lid. Probe the test points, attach UART, desolder or in-circuit-read the SPI flash, and the hardcoded TLS key resolves out of the firmware image. The BLE pairing accepts Just Works on a device the datasheet calls 'secure'. The MQTT client-id is the serial number printed on the label. Scanners can't capture a Zigbee replay, can't walk a GATT service, can't downgrade an OTA channel, can't read a debug credential out of squashfs. Bench work does. Every IoT engagement we close ends the same way: a working proof-of-exploit on the device, the patch path, and a written re-test.
WHAT LANDS IN SCOPE.
Counted, not claimed.
An IoT engagement at SecureLayer7 covers the full stack of a connected device. Numbers below describe what's in scope on a typical engagement. Not market-size claims.
Hardware bench · firmware · radio · mobile companion · cloud / MQTT · device admin UI. Each reviewed by hand on the bench.
BLE · Zigbee · LoRa · 6LoWPAN · NFC · Sub-GHz. Captured with HackRF, Ubertooth, RFCat. Z-Wave and Wi-Fi added when the device exposes them.
Keys · creds · endpoints. Hardcoded TLS keys, debug credentials, OTA-update endpoints, and signing material pulled from extracted images.
Same researcher, same chain. Firmware reflash, OTA patch, or radio-config change verified and signed in writing.
FIRMWARE TO RF.
What a bench engineer finds on a device a network scanner cannot see.
- 01Firmware extraction
Dump SPI flash with a clip and a Bus Pirate, unpack the squashfs, recover hardcoded API keys and update-signing certificates.
- 02Hardware debug to root
Find UART headers under the shield can, drop to U-Boot, enable single-user mode, read /etc/shadow and the device private key.
- 03Radio capture and replay
Sniff BLE, Zigbee, or LoRa with an SDR, replay pairing or join frames, forge sensor messages the gateway treats as authentic.
- 04Companion app to backend
Reverse the Android APK for the device API, find an IDOR on the device-id route, control any unit on the fleet.
- 05OTA chain to cloud
Push a signed image with a recovered key, pivot from the device MQTT identity into the broker, read tenant topics.
IOT METHODOLOGY.
Eight phases. Bench to cloud.
Threat-modelled to your device class, board revision, radio mix, and cloud reach. Not a checklist run against every device that lands on the bench.
- 01Scope & threat-model
- 02Surface recon
- 03Hardware bench
- 04Firmware extraction
- 05Radio capture & replay
- 06Mobile companion & cloud
- 07Exploit synthesis
- 08Patch verification
Insights
IoT & device Resources.
Firmware extraction notes, radio-side findings, and hardware bring-up, published by the same operators who run device pentests.
Meet our engagement lead
One lead across firmware, cloud, and radio.
John Dill
vCISO at SecureLayer7
Bench-led
IoT engagement model
HW · FW · Radio
In scope by default
98%
Engagement-lead close rate
John scopes IoT pentest engagements against your device class, board revision, radio mix, and cloud reach. He runs kick-off, status reviews, and sign-off so the bench pod stays heads-down on the device.
- Scopes engagements across consumer, industrial (IEC 62443), automotive, and medical IoT against your real risk model.
- Owns kick-off, mid-engagement walkthroughs, and live review of every bench, firmware, and radio finding.
- Drives remediation review and re-test until every chain is closed and the patch is verified on the device.
Ready to scope an IoT pentest? Book 30 minutes with John to walk through your device class, board revision, radio mix, and timeline.
Book a 30-min callTested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
HealthTech
Medical devices, infusion pumps, monitor networks, MQTT/HL7 IoT gateways.
Built for Saudi Arabia engagements
What changes when we deliver here.
Compliance scoping
NCA OTCC control rows cited per IoT finding
Regulatory framework
Vision 2030 programme report templates supported
Local engagements
Red Sea Global property closed 18 OTCC findings on smart-room kit
Local pricing
SAR per-device firmware scoping with VAT 15%
Compliance scoping
LoRaWAN, NB-IoT, and LTE-M path testing
IoT pentest questions from KSA OT and product teams.
Are findings mapped to NCA OTCC controls?
Yes. Device, network, and cloud back-end gaps cite the OTCC row that applies. OT auditors trace evidence without a mapping doc.
Does Vision 2030 programme cybersecurity fit?
Yes. Reports format to NEOM, Red Sea Global, and Qiddiya programme cybersecurity templates. The vendor handover is faster.
How is firmware handled during the test?
Firmware images stay on a KSA jump host. Cryptographic key material extracted from devices never leaves the Kingdom.
Do you cover LoRaWAN and cellular IoT?
Yes. LoRaWAN, NB-IoT, and LTE-M paths are tested for join procedure, key handling, and back-end auth.
Delivery in Saudi Arabia
IoT testing for NCA OTCC and giga-projects.
Device, gateway, and back-end findings cite NCA OTCC controls and Vision 2030 sectoral programme rules. SAR pricing, KSA-region firmware handling.
- Direct line
- +966-11-000-0000
- Office
- Riyadh, Saudi Arabia
Frameworks scoped: NCA ECC · SAMA CSF · PDPL · ISO/IEC 27001.
Sample IoT engagement report
See what arrives in your inbox.
A pre-vetted sample report: full IoT pentest narrative, working proof-of-exploit on the device (hardware, firmware, radio, cloud), the patch path, and the re-test confirmation. Sent on request after a 5-minute scoping call.