IoT Penetration Test (VAPT)


Our IoT penetration test uncovers security issues in device protocols, firmware and APIs so that the device can be hardened before it is deployed.

IoT VAPT for real-world device compromise

Testing IoT the way attackers actually attack it

An Internet of Things (IoT) Vulnerability Assessment and Penetration Test (VAPT) identifies and actively exploits vulnerabilities across IoT device firmware, hardware interfaces, and communication protocols — going beyond passive scanning to demonstrate real-world exploitability. Unlike a network penetration test, which assesses infrastructure, it targets device-specific attack surfaces: firmware extraction, hardware debug ports, and IoT-specific protocol weaknesses that infrastructure tools cannot reach. Swarmnetics conducts IoT VAPT through Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) certified consultants.

When connected devices become attack infrastructure

End-to-end IoT security validation—from hardware to cloud

In June 2025, the FBI warned that more than 10 million consumer IoT devices — including smart-TV streaming boxes, digital projectors, and aftermarket vehicle infotainment systems — had been compromised by firmware backdoors as part of the BADBOX 2.0 botnet, with malware pre-installed before delivery in many cases. Criminals enrolled the devices into residential proxy services used for distributed denial-of-service attacks, account takeover attacks, and malware distribution. Firmware extraction and update-mechanism review, both standard parts of an IoT VAPT, are the controls that can surface a pre-installed backdoor and an unsigned update channel on procured devices before they are connected to a production network.

Organisations often need to validate the effectiveness of IoT security controls through regular testing. Scanning alone does not satisfy that obligation. An IoT VAPT provides documented evidence of exploitable weaknesses across firmware, hardware interfaces, and communication protocols that scanners cannot reach. That matters because a compromised device can become a pivot point into gateways, management networks, cloud services, or other operational assets downstream.


Testing IoT devices the way attackers do

Proven IoT security you can show, not just claim

Guided by the OWASP IoT Top 10 – 2018, the assessment examines the device and supporting ecosystem through techniques including firmware extraction and analysis, hardware interface testing, update mechanism review, and communication protocol inspection. In a black-box method, Swarmnetics evaluates the IoT ecosystem without prior knowledge or credentials, simulating an external attacker attempting to compromise connected devices remotely and testing how unauthorised access could be achieved through insecure network services, default configurations, and weak authentication. For a grey-box configuration, consultants work with background knowledge and user-level access, enabling assessment from both external and internal perspectives. This is recommended when your IoT ecosystem includes gateways, management interfaces, backend APIs, or other authenticated components where trust relationships can expose higher-risk attack paths.

Our consultants use firmware analysis tools including Binwalk and Firmware Mod Kit to extract and analyse firmware images, protocol analysers including Wireshark and Scapy to capture and dissect network traffic, and hardware debugging tools including JTAGulator and Bus Pirate to interface with physical debug ports. These techniques help identify issues such as exposed secrets, insecure update flows, hidden services, weak trust boundaries, and opportunities for privilege escalation through physical or logical access. Ethical hackers on our team deploy nmap for port and service enumeration, Burp Suite Professional to evaluate web interfaces, and wireless assessment tools including Aircrack-ng for Wi-Fi and Bluetooth LE sniffers for BLE traffic, with Zigbee capture where that protocol is in scope.

Yes, we are CREST accredited

Our core team is based in Singapore and consists of CREST certified penetration testers who are also Offensive Security Certified Professional (OSCP) certified. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium business, and across various industries.


Inside the firmware and protocol attack surface

Because a compromised device can become a pivot point

The following scope items, vulnerability types, and attack vectors form the baseline for an IoT VAPT engagement; our consultants select and weight them according to your specific devices and ecosystem:

  • Firmware extraction and static analysis — binaries examined for hardcoded credentials, insecure functions, and embedded sensitive data
  • Hardware debug interfaces — UART, JTAG, USB ports assessed for exposed access enabling firmware extraction or privilege escalation
  • Insecure update mechanisms — firmware update processes tested to verify authenticity validation, integrity checks, and secure delivery channels
  • Weak authentication and default credentials — brute-force testing, default password enumeration, and credential storage evaluation across device interfaces
  • Insecure network services — open port enumeration, service configuration review, and exploit testing against identified services
  • Ecosystem interface vulnerabilities — web interfaces, backend APIs, mobile applications, and cloud interfaces tested for injection, authorisation, and data exposure flaws
  • Unencrypted communication protocols — Wi-Fi, Bluetooth, Zigbee, NFC, and MQTT traffic captured and analysed for data transmitted in cleartext
  • Physical tamper resistance and secure boot — enclosures and boards assessed for tamper evidence, exposed test points, and side-channel exposure; the boot chain reviewed for signature verification of each stage
  • Outdated and vulnerable components — software inventory mapped against CVE databases for known vulnerabilities in firmware dependencies
  • Insecure default settings — factory configurations reviewed and tested for settings that expose devices to unauthorised access
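The first item above, static analysis of extracted firmware for hardcoded credentials and embedded sensitive data, comes down to pulling printable strings out of a binary and triaging them. As an added example (not Swarmnetics tooling, and not code from this page), the Python below does that over a constructed stand-in for an extracted root filesystem; the categories, patterns and sample contents are assumptions for illustration, and real input would be the output of Binwalk extraction or a raw flash dump taken over a debug port.

```python
import re

# Constructed stand-in for extracted firmware: an ELF header, a shadow entry,
# a config line with a password, a PEM private key, and two endpoint URLs.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"root:$1$abc$rAndOmHaShHeRe123456789:19000:0:99999:7:::\n"
    + b"\x00\x00" + b"admin_password=Sup3rS3cret!\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow\n-----END RSA PRIVATE KEY-----\n"
    + b"\x00" + b"http://updates.example.invalid/fw/latest.bin\n"
    + b"\x00" + b"https://api.example.invalid/v1/telemetry\n"
    + b"\x00\xff\xfe"
)

# (category, pattern) pairs applied to each extracted string. Kept deliberately
# simple; a real engagement adds patterns for the vendor's own config formats.
PATTERNS = [
    ("private-key", re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("shadow-hash", re.compile(rb"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:\s]+:")),
    ("hardcoded-credential",
     re.compile(rb"(?i)(pass(word|wd)?|secret|token)\s*[=:]\s*\S+")),
    ("cleartext-url", re.compile(rb"http://[^\s\x00]+")),  # update/telemetry over plain HTTP
]


def extract_strings(blob: bytes, min_len: int = 6) -> list[bytes]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility.
    Newlines are not printable, so each text line becomes its own string."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def find_secrets(blob: bytes) -> list[tuple[str, str]]:
    """Return (category, string) findings for every string matching a pattern."""
    findings = []
    for s in extract_strings(blob):
        for category, pattern in PATTERNS:
            if pattern.search(s):
                findings.append((category, s.decode("ascii")))
    return findings


def summarise(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per category, the figures that go in the report table."""
    counts: dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, text in find_secrets(SAMPLE_FIRMWARE):
        print(f"{category:22} {text}")
    print(summarise(find_secrets(SAMPLE_FIRMWARE)))
```

A hit in `shadow-hash` or `hardcoded-credential` is a finding in its own right when the same image ships on every unit, since the credential is then shared across the fleet; a `cleartext-url` hit is the starting point for the update-mechanism review in the third item above.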

FAQ

An IoT penetration test actively exploits vulnerabilities in IoT device firmware, hardware interfaces, and communication protocols. These are attack surfaces a network penetration test does not reach. A network penetration test focuses on infrastructure — servers, routers, and network segments — and does not address firmware extraction, hardware debug port analysis, or protocol-level testing unique to connected devices.

An IoT VAPT covers the full device and ecosystem stack. Firmware is examined for hardcoded credentials and insecure functions. Hardware debug interfaces including UART and JTAG are tested for physical exploitation paths. The assessment also covers update mechanisms for firmware integrity validation failures, network services for weak authentication, ecosystem interfaces including web UIs and backend APIs, wireless protocols including Bluetooth and Zigbee for unencrypted transmissions, and physical tamper resistance. Scope is determined by the device types and IoT ecosystem components in your environment.

Black-box testing simulates an external attacker with no prior knowledge and suits deployments where exposure to opportunistic compromise — via default credentials, insecure services, and unencrypted protocols — is the primary concern. Grey-box testing provides Swarmnetics with device documentation and user-level access, enabling assessment of authenticated interfaces such as device management portals, backend APIs, and mobile applications where authorised-user attack paths carry higher risk. Most production IoT environments benefit from grey-box testing.

A compromised IoT device gives attackers a persistent foothold for lateral movement into the corporate network – bypassing perimeter controls entirely. From there, they can exfiltrate sensitive data over unencrypted protocols, enrol devices into botnets, or silently maintain access through firmware-level backdoors that survive factory resets. In smart building and industrial deployments, a single compromised device can extend from data theft to disruption of physical systems. Manipulating physical processes in operational technology environments is a documented consequence of IoT compromise.

An IoT penetration test from Swarmnetics produces a draft report for your review, followed by a final report upon acceptance. The report includes an executive summary, a detailed technical section with every finding listed by CVSS severity, proof-of-concept evidence demonstrating exploitability, and specific remediation guidance. After you have addressed the findings, we conduct a follow-up retest to confirm adequate remediation.

Any organisation that operates IoT devices connected to corporate networks should consider an IoT penetration test. It is particularly relevant for organisations subject to regulatory, contractual, or industry security requirements that call for regular penetration testing of IoT systems. An IoT penetration test is also recommended before launching new IoT systems, after significant changes, and as part of an ongoing security assurance programme. Swarmnetics has conducted IoT penetration tests across all sectors since 2015.

The duration of an IoT penetration test depends on the scope — the number of devices and ecosystem components, their complexity, and whether a black-box or grey-box approach is used. A typical IoT security assessment takes five to ten business days for the assessment phase, followed by an initial report within five business days for your review.

An IoT penetration test is often required for compliance with applicable regulatory, contractual, or industry security obligations where organisations must demonstrate that IoT security controls are effective through regular testing, not just scanning. Swarmnetics recommends conducting an IoT penetration test at least annually, after significant changes, and before launching new IoT systems into production.

Every IoT penetration test follows a three-phase process. In the planning phase, Swarmnetics agrees the scope, testing approach, and schedule with your team. In the assessment phase, our OSCP and CREST-certified consultants conduct manual IoT security testing based on the OWASP IoT Top 10 methodology to identify and actively exploit vulnerabilities, determining their real-world impact. In the reporting phase, we deliver a draft report for review and a final report with detailed remediation guidance for every finding.

All Swarmnetics penetration tests are conducted by our Singapore-based team of security consultants holding the Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentials. Swarmnetics has been delivering technical security assessments to organisations across Singapore since 2015 and acts as a trusted VAPT delivery partner to service and solution providers, supporting their customers across multiple sectors.

The security assessment report includes specific, actionable remediation guidance for every finding – not generic advice. For each vulnerability, we describe the fix, its priority based on CVSS severity, and any dependencies between remediation steps. Once your team has addressed the findings, Swarmnetics conducts a follow-up retest to verify that each vulnerability has been adequately remediated. The final report confirms closure and provides documented evidence of remediation.