
Digital safety starts here for both commercial and personal

Explore our comprehensive Cyber Security Services, featuring Red Team Assessment, Penetration Testing, Digital Forensics, Web Application Testing, and Network Security Audit. Our expert solutions ensure robust protection for your digital assets and infrastructure.

IoT Security Audit · Hardware · Firmware · Radio · Cloud · Mobile

Every device is a door.
We test all of them.

End-to-end security audit of your IoT product — hardware interfaces, firmware binaries, radio protocols, cloud backend, and companion mobile app. Aligned with OWASP IoT Top 10, NIST 8259 / SP 800-213, and ETSI EN 303 645. Certification-ready reports for regulators, retailers, and enterprise buyers.

  • 5-Layer: Full-Stack Audit
  • ETSI · NIST · OWASP: Standards Mapped
  • CRA · CE · UL: Cert Preparation
insec@lab ~ iot-audit --device=smart-lock-v2
$ insec-iot --stack full --std owasp-iot10
// Hardware recon…
UART @ 115200 · JTAG pins identified
SPI flash (W25Q128) dumped · 16 MB
// Firmware analysis…
Debug shell over UART: root, no pw
Hardcoded creds: MQTT + API
Unsigned OTA: update hijack
// Radio capture (BLE)…
! Just Works pairing: no MITM protection
! Replay-able command: /unlock
// Cloud + mobile…
API IDOR: cross-tenant device control
TLS 1.3 enforced: backend
CVSS + CVD-ready report
  • 98% of IoT device traffic is unencrypted (Palo Alto)
  • 57% of IoT devices vulnerable to medium/high attacks
  • 1.5B IoT attacks blocked in H1 · growing YoY
  • 2027: EU Cyber Resilience Act mandatory for IoT
// The 5-Layer Attack Surface

A device isn't secure until every layer is.

Attackers don't stop at the chip. Neither do we. We audit the full ecosystem — where most audits only cover one or two layers.

Hardware

PCB analysis, JTAG/SWD, UART, SPI/I²C, chip extraction, fault injection.

Firmware

Binary extraction, reverse engineering, secrets hunt, OTA integrity, secure boot.

Radio

Wi-Fi, BLE, Zigbee, LoRaWAN, Z-Wave, Matter, Thread — sniff, replay, inject.

Cloud / API

MQTT, HTTPS, backend auth, IDOR, multi-tenant isolation, telemetry abuse.

Mobile App

Android/iOS companion — crypto, pairing, cert pinning, local storage, deep links.

// The 9-Step Framework

Hands-on lab. Standards-aligned reporting.

Physical device access in our secure lab, paired with OWASP ISVS/IoT-TG testing discipline, ETSI EN 303 645 baseline verification, and MITRE ATT&CK for ICS/IoT TTP mapping.

01 · SCOPE

Planning & ROE

Devices, layers in scope, destructive-testing allowance, CVD policy, legal sign-off.

02 · RECON

Device Reconnaissance

Product teardown, PCB photography, chipset ID, FCC-ID recon, public-CVE triage.

03 · HARDWARE

Hardware Attack

UART/JTAG access, SPI flash dump, glitching, tamper-response validation.

04 · FIRMWARE

Firmware Analysis

Binwalk/Ghidra reverse, hardcoded secret hunt, weak crypto, debug iface, secure boot.

05 · RADIO

Radio & Protocol

SDR capture, BLE/Zigbee/LoRa analysis, pairing attacks, replay, jam, relay.

06 · CLOUD

Cloud & API Pentest

MQTT broker abuse, backend auth, IDOR, multi-tenant leak, OTA server integrity.

07 · MOBILE

Companion App

OWASP MASVS review, cert pinning, local storage, deep-link abuse, pairing flow.

08 · E2E

End-to-End Abuse

Chain findings across layers. Simulate real attacker flows: app → cloud → device → adjacent.

09 · REPORT

Report & CVD

Exec + technical report, CVSS, ATT&CK, standards mapping. CVD coordination if applicable.

// Standards We Align To

Regulator-grade references. Not vendor marketing.

OWASP

IoT Top 10 & ISVS

Consumer-IoT vulnerability categories plus IoT Security Verification Standard for structured verification.

  • OWASP IoT Top 10 (2018/latest)
  • IoT Security Verification Standard (ISVS)
  • OWASP Firmware Security Testing Methodology
  • OWASP IoT Attack Surface Areas Project
  • OWASP MASVS / MASTG for companion apps
  • OWASP API Security Top 10 (backend)
NIST

SP 800-213 & NISTIR 8259

Federal-grade baseline for IoT device cybersecurity capabilities and lifecycle management.

  • NISTIR 8259A · Device Cybersecurity Core Baseline
  • NISTIR 8259B · Non-Technical Capabilities
  • NIST SP 800-213 · Federal IoT Guidance
  • NIST SP 800-53 control mappings
  • NIST SP 800-115 test methodology
  • NIST CSF 2.0 function alignment
ETSI + MITRE

EN 303 645 & ATT&CK

The consumer-IoT baseline accepted across EU / UK / India, plus attacker-TTP mapping for SOC teams.

  • ETSI EN 303 645 · Consumer IoT Baseline
  • ETSI TS 103 701 · Conformance Assessment
  • MITRE ATT&CK for ICS
  • MITRE EMB3D · Embedded Threat Model
  • IoXT Alliance Pledge alignment
  • IoT Security Foundation · Compliance Framework
// Radio & Protocol Coverage

Your stack is our shelf.

SDR + purpose-built dongles + protocol analyzers in our lab. If it's on the device, we can capture, fuzz, and replay it.

Wi-Fi
2.4 / 5 / 6 GHz

WPA2/3, PMF, evil-twin, KRACK, WPS.

BLE
2.4 GHz · BT 4-5.4

Pairing, GATT, sniff, MITM, replay.

Zigbee
2.4 GHz · 802.15.4

Trust center, key transport, touchlink.

Z-Wave
868 / 908 MHz

S0/S2, include-node attack, key scheme.

LoRaWAN
Sub-GHz

Join procedure, replay, ABP/OTAA keys.

Matter / Thread
802.15.4 + IP

Commissioning, DAC, operational cert.

MQTT / CoAP
TCP / UDP

Broker abuse, TLS, ACL, topic squat.

NFC / RFID
13.56 MHz / 125 kHz

Mifare, relay, emulation, clone.

// OWASP IoT Top 10

Every category. Hardware through cloud.

Each finding maps to the specific IoT Top 10 item plus the relevant ETSI 303 645 provision — so certification mapping is one-click.

I01

Weak · Guessable · Hardcoded Passwords

Default admin creds, universal keys, factory pins, hardcoded MQTT/API tokens.

I02

Insecure Network Services

Exposed telnet/SSH/UPnP/debug ports, unauthenticated services on LAN/WAN.

I03

Insecure Ecosystem Interfaces

Weak cloud, mobile, API auth. IDOR in fleet management. Cross-tenant leakage.

I04

Lack of Secure Update Mechanism

Unsigned OTA, rollback attacks, no anti-rollback, unencrypted update channel.

I05

Insecure / Outdated Components

Known-vuln SDKs, EOL OSes, unpatched bootloaders, unsafe third-party libs.

I06

Insufficient Privacy Protection

PII leakage in telemetry, unconsented data sharing, lack of local-only mode.

I07

Insecure Data Transfer & Storage

Cleartext on radio, unencrypted flash, weak crypto, missing mutual-TLS.

I08

Lack of Device Management

No fleet visibility, no revocation, no provisioning lifecycle, orphaned devices.

I09

Insecure Default Settings

Services on by default, debug enabled, open pairing windows, weak out-of-box posture.

I10

Lack of Physical Hardening

Exposed debug headers, unpotted chips, trivial enclosure, no tamper detection.

// Regulatory & Certification Support

Get audit-ready for the market you sell into.

Evidence and report formats that satisfy labels, regulators, and enterprise buyer security reviews.

OWASP IoT Top 10 · ETSI EN 303 645 · ETSI TS 103 701 · NIST IR 8259A/B · NIST SP 800-213 · EU CRA · UK PSTI · US Cyber Trust Mark · UL 2900 · IEC 62443 · FDA Pre-market (Medical) · ISO/IEC 27001 · ISO/SAE 21434 (Auto) · TEC India
// Industry Verticals

Domain-aware auditors. Not generalists.

// CONSUMER

Smart Home & Wearables

Locks, cameras, thermostats, fitness bands. ETSI 303 645 & Cyber Trust Mark readiness.

// INDUSTRIAL

OT / ICS / IIoT

PLCs, gateways, sensors. IEC 62443 alignment, ICS-safe testing, air-gap considerations.

// MEDICAL

Medical Devices

Infusion pumps, patient monitors, imaging. FDA pre-market & post-market cybersecurity.

// AUTOMOTIVE

Connected Vehicles

Telematics, IVI, BLE keys. ISO/SAE 21434 & UN R155 alignment, V2X considerations.

// BUILDING

Smart Buildings

Access control, HVAC, lighting, elevators. BACnet/Modbus/KNX safety in scope.

// RETAIL

Retail & Payments

POS, PIN pads, kiosks, ESL. PCI-PTS alignment, tamper-evidence validation.

// Why INSEC

A lab full of tools. A team full of breakers.

Dedicated Hardware Lab

JTAGulators, logic analyzers, SDRs (HackRF/Ubertooth), bus pirates, chip-off rig — physical access is table-stakes for us.

Multi-Layer Chained Findings

We don't stop at a bad cloud API. We chain it with radio and firmware to prove real-world impact.

Certification-Ready Reports

Evidence mapped to ETSI 303 645 provisions, NIST 8259A capabilities, and OWASP categories simultaneously.

Shift-Left Friendly

We audit prototypes too. Catching issues at EVT/DVT is 10× cheaper than post-launch recalls.

Responsible Disclosure

We manage CVD when findings affect third-party components — protecting your brand and the broader ecosystem.

Device-Safe NDA

Samples returned or securely destroyed. Firmware images, schematics, and evidence stored encrypted under your control.

// Engagement Timeline

Kickoff to final report in 4-6 weeks.

WEEK 0

Scoping & Device Intake

Free 30-min scoping call. NDA & ROE signed. Devices shipped. Firmware / app builds provided.

WEEK 1

Recon & Hardware

Teardown, PCB mapping, debug-iface identification, flash extraction, boot chain analysis.

WEEK 2

Firmware & Radio

Reverse engineering, secret hunt, SDR capture, protocol fuzzing, pairing attacks.

WEEK 3

Cloud, API & Mobile

Backend pentest, MQTT analysis, MASVS review of companion app, end-to-end chaining.

WEEK 4

Reporting & Debrief

Exec + technical report, CVSS/ATT&CK/ETSI mapping. Live walkthrough with your teams.

WEEK 5+

Remediation & Retest

Fix-support office hours. Free retest of critical/high findings within 45 days. CVD assistance.

// FAQ

What product teams ask us first.

How many physical devices do you need?
Minimum 3 per model — one for non-destructive testing, one for invasive hardware analysis (potential chip-off), and one kept pristine for reference / regression. More is better for parallelism.
Do you need source code or schematics?
Not strictly required — we can reverse the firmware and reverse-engineer the PCB. But providing them halves the timeline and deepens coverage. Delivered under NDA; purged on request.
Will your testing destroy our devices?
Non-destructive by default. Destructive tests (chip-off, decapsulation, fault injection) are opt-in and performed only on designated sacrificial units after written authorization.
Can you help us get ETSI EN 303 645 / Cyber Trust Mark / CRA ready?
Yes. We pre-map findings to each specific provision and deliver an evidence pack the labeling/certification body accepts. We've supported clients through multiple cert submissions.
What about handling third-party component vulnerabilities?
When findings affect upstream vendors (SoC, SDK, library), we handle Coordinated Vulnerability Disclosure (CVD) with the vendor on your behalf, protecting your launch timeline and brand.
Do you test pre-production / prototype devices?
Strongly recommended. Pre-launch audits on EVT/DVT prototypes are where security issues are cheapest to fix. We scale scope to prototype maturity.
How much does it cost?
Single-device consumer product audits typically start at ₹3L. Complex multi-layer audits (e.g. medical, auto, industrial) with full firmware + radio + cloud + app coverage scale to ₹8-20L. Fixed quote after scoping call.
// Get Started

Ship a device attackers can't own.

Book a free 30-minute scoping call. Tell us about your product, your market, and your timeline — we'll send a fixed quote within 48 hours.