Application Security Flaws in the Internet of Things

Ken Munro

Pen Test Partners

While we have researched and documented many examples of hardware security issues with IoT devices, the most common source of IoT security flaws lies within the apps that are used to manage them.

In this session we’ll explore and examine the reasons for that, be it commercial pressure, code re-use, or even simple ignorance of the importance and brand benefits of securely coded apps. We’ll also explain and offer advice that applies equally to IoT device manufacturers, app developers and anyone else in the IoT supply chain.

Mobile app
By far the most common source of compromise in our experience is the mobile app that your customer uses to interact with your IoT device. Decompiling the app is usually trivially easy and allows the hacker to understand exactly how your device interacts with the mobile app and then interacts with your online services.

The most common flaws we find are:
• Failing to implement SSL or implementing it badly. This can allow the attacker to intercept your customer’s data.
• Using static credentials in the mobile app. Putting a password to your API or any other resource in the mobile app is asking for trouble
• Insecure storage of data in the mobile app. It is perfectly possible to store data safely on a mobile device, it’s just that many mobile app developers don’t.

API / web services
Most mobile apps interact with a web service to send data to servers. Developers and manufacturers often seem to forget that they are publishing their APIs to the public internet. even though you only intended it to interface with your mobile app. This means that anyone who can reverse engineer a mobile app can work out how to interact with those web service.

Critical issues with web services include:
• Failing to enforce strong session management. One user can see another users data
• Not implementing encryption properly. Sounds familiar, doesn’t it!
• Injection attacks. Anyone can extract all the customer data that the web service has access to, or worse

Key Takeaways

  • Discover why application security flaws in IoT devices exist
  • Learn about the failures and successes in this space
  • Understand the security techniques that IoT devices, and the public, deserve

About Me!

Ken is a regular speaker at the ISSA Dragon’s Den, (ISC)2 Chapter events and CREST events, where he sits on the board. He’s also an Executive Member of the Internet of Things Security Forum and spoke out on IoT security design flaws at the forum’s inaugural event. He’s also not averse to getting deeply techie either, regularly participating in hacking challenges and demos at Black Hat, 44CON, DEF CON and Bsides amongst others.

Ken and his team at Pen Test Partners have hacked everything from keyless cars and a range of IoT devices, from wearable tech to children’s toys and smart home control systems. This has gained him notoriety among the national press, leading to regular appearances on BBC TV and BBC News online as well as the broadsheet press. He’s also a regular contributor to industry magazines, penning articles for the legal, security, insurance, oil and gas, and manufacturing press.


See more



Similar Categories