
Making IoT Devices More Secure with Scenario-Based Penetration Tests

12 April, 2021

The term “Internet of Things (IoT)” has become an integral part of our professional and private lives in recent years. “Things” are network-connected products (“smart devices”) that are used more and more frequently in business, industrial and private environments. Examples include smart home components, IP surveillance cameras and network-attached drilling tools with automatic wear compensation. This necessarily means: IoT devices cannot function without a network connection.

However, this connection inevitably raises the question: Is the whole construct behind it also secure, for example against cyber attacks? One thing is certain: during development, not only the functions but also the IT security must be verified through testing. Comprehensive IoT penetration tests can become a cost driver, especially for SMEs. The scenario-based approach to efficient security testing of IoT devices outlined here defines a focused test scope in five steps. Manufacturers can thus use a prioritisation matrix to conduct IoT penetration tests in a way that is both budget- and security-conscious.

The essentials in 30 seconds

  • IoT devices are increasingly spreading in business and consumer environments.
  • The topic of IT security is gaining great importance for “smart devices” with a network connection.
  • Comprehensive IoT penetration testing contributes to an adequate level of security but can also be a cost driver.
  • A scenario-based approach to IoT penetration testing enables you to achieve a prioritisation in five steps that combines budget with security awareness.

Your expert for questions

Dr. Oliver Hanka
Director, PwC Germany
Tel: +49 160 510-5836

IoT Penetration Test: Define Scope in a Targeted Manner

Penetration tests are often performed comprehensively to find as many potential vulnerabilities as possible. In contrast to this “broad” method, the concept presented here takes a more “focused” approach. Inspired by the IT baseline protection methodology (IT-Grundschutz-Methodik) of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), the scenario-based IoT penetration test is intended to provide a “core safeguard”. The following applies to all sub-steps: it is recommended to follow the suggested sequence, but it is possible to jump forward or backward between analysis steps.

Test Planning Step 1 to 3: From the Worst-Case Scenario to the Most Probable Attack Paths

Step 1: What can happen in the worst case (“worst case scenario”)?

The first step deals with the question of what can happen in the worst case: the IoT device has a vulnerability in its primary functions, and this vulnerability is exploited.
An example: a hacker manages to compromise an IP surveillance camera and thereby intrudes on the privacy of an apartment or, in a business environment, deliberately switches the camera off.

Step 2: Which attack paths lead to the worst case?

Step two focuses on the attacker's approach. This also brings the subcomponents and interfaces of the IoT product into focus. If we stay with the “surveillance camera is manipulated remotely” scenario, the worst case could occur in the following ways:

  • A hacker accesses the user interface via the Internet and the password protection is insufficient.
  • A cloud service runs on outdated software. A hacker gains access to customers’ cameras via this vulnerability.
  • A hacker uses specialised hardware to analyse a camera he has bought himself to find vulnerabilities, and then uses this knowledge to attack the cameras of other users.

This would already identify central points of the focused test list:

  • Is the user interface protected against unauthorized access?
  • Are the cloud services that are operating the camera secured?
  • Are there any weaknesses in the firmware?

Step 3: Which attack paths are most likely to occur?

The third step sheds light on which attack paths have a high probability of being targeted by a hacker and should therefore be prioritised for IoT penetration testing. Guiding questions can be:

  • How accessible are communication channels for third parties?
  • Have similar cases occurred in the past?

Based on these questions, you can determine, for example, that in the case of the surveillance camera, an attack via the Internet on the web interface is very likely.

Test Planning Step 4 and 5: Affected Components and Test Scope

Step 4: Which components are affected?

Step four shifts focus towards the subcomponents and interfaces that enable various functions of the IoT device. Examples of a “typical” set-up for IoT devices are:

  • Hardware: processors, sensors/actuators
  • Software: firmware, web application
  • Interfaces: Wi-Fi, sensors
  • Services involved: server, cloud back end

Step 5: Which test scope is useful?

In step five, a focused plan for the penetration test of the IoT device emerges. A matrix (see figure) serves as orientation for this; for the surveillance camera it shows, among other things, the following:

  • A web application accessible via the Internet is used to control the camera.
  • A cloud-based application exists but is not necessary for the camera's core functions.
  • Physical access to read out the firmware is possible.

In the context of an IoT penetration test for the IP surveillance camera, for example, the focus would therefore be on access to the web application via the Internet. In conclusion, regardless of whether a device is fully tested for security or “only” in a focused and scenario-based manner, IoT penetration tests should become a natural and integral part of every development process in the near future.
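As an added illustration (not part of the original article or of PwC's methodology), the following Python sketch models steps 2 to 5 for the camera scenario: each attack path carries constructed accessibility and precedent scores, and the matrix places the components it crosses into a focus, secondary or deferred test scope. The scoring scale, the threshold and the component names are assumptions.

```python
from dataclasses import dataclass

# Added example, not the article's own method: all scores are constructed assumptions.

@dataclass(frozen=True)
class AttackPath:
    """One way the worst case can occur (step 2), with the inputs steps 3 and 4 need."""
    name: str
    components: tuple        # subcomponents / interfaces the path crosses (step 4)
    accessibility: int       # step 3: 1 = physical access needed ... 3 = reachable from the Internet
    precedent: int           # step 3: 1 = no known similar cases ... 3 = regularly seen in similar products
    core_function: bool      # does the path reach a primary function of the device (step 1)?

def likelihood(path: AttackPath) -> int:
    """Step 3: the more accessible the channel and the more precedent, the likelier the path."""
    return path.accessibility * path.precedent

def tier(path: AttackPath, threshold: int = 4) -> str:
    """Step 5: place a path in the prioritisation matrix (threshold is an assumption)."""
    likely = likelihood(path) >= threshold
    if likely and path.core_function:
        return "focus"        # part of the focused penetration test
    if likely or path.core_function:
        return "secondary"    # test if budget allows
    return "defer"

def focused_scope(paths, threshold: int = 4) -> dict:
    """Map each tier to the de-duplicated components to test, most likely paths first."""
    scope = {"focus": [], "secondary": [], "defer": []}
    for path in sorted(paths, key=likelihood, reverse=True):
        bucket = scope[tier(path, threshold)]
        for component in path.components:
            if component not in bucket:
                bucket.append(component)
    return scope

# Constructed scores for the article's IP surveillance camera scenario
CAMERA_PATHS = (
    AttackPath("Web interface over the Internet, weak password protection",
               ("web application", "authentication"), accessibility=3, precedent=3, core_function=True),
    AttackPath("Cloud service running outdated software",
               ("cloud back end",), accessibility=3, precedent=2, core_function=False),
    AttackPath("Firmware read out from a purchased unit",
               ("firmware", "debug interfaces"), accessibility=1, precedent=2, core_function=True),
)

if __name__ == "__main__":
    for level, components in focused_scope(CAMERA_PATHS).items():
        print(f"{level:>9}: {', '.join(components) or '-'}")
```

With these inputs the web application lands in the focus tier, matching the article's conclusion, while the cloud back end and the firmware are tested only as budget allows.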

Further information on the topic can be found here: Erlijn van Genuchten and Oliver Grasmück, “IoT-Geräte gezielt absichern”, in: A. Sowa (ed.), IT-Prüfung, Datenschutzaudit und Kennzahlen für die Sicherheit, Springer Vieweg, 2020.

IT Security & Data Protection News

This article is part of the quarterly newsletter IT Security & Data Protection. The Newsletter IT Security & Data Protection News provides you with regular updates on the latest changes and developments in IT security and data protection.

“Regardless if a device is fully tested for security or 'only' in a focused and scenario-based manner, IoT penetration tests should become a natural and integral part of every development process in the near future.”

Dr. Oliver Grasmück, Senior Associate at PwC Germany
Contact us

Dr. Oliver Hanka
Director Cyber Security & Privacy, PwC Germany
Tel: +49 160 510-5836

Dr. Oliver Grasmück
Manager, PwC Germany
Tel: +49 711 250 341-302