Home
/Checklists
/IoT Security Testing Checklist

IoT26 items

IoT Security Testing Checklist

A security testing checklist for Internet of Things devices and ecosystems. Covers firmware security, communication protocols, hardware interfaces, cloud backend integration, and device lifecycle management aligned with the OWASP IoT Top 10.

OWASP IoT Top 10NIST IR 8259ETSI EN 303 645IEC 62443

Progress: 0 of 26 items

Obtain device hardware samples and firmware imagesinfo

Request physical devices, firmware binaries, mobile companion apps, and cloud API documentation.

Identify all communication interfaces (Wi-Fi, BLE, Zigbee, LoRa, cellular)

Document all wireless and wired protocols used by the device for communication.

Set up IoT testing lab with protocol analyzers and debug tools

Prepare SDR equipment, logic analyzers, JTAG/SWD debuggers, and network capture tools.

Map the complete IoT ecosystem (device, gateway, cloud, mobile app)

Document data flows between all components to identify the full attack surface.

Review regulatory compliance requirements for the device category

Understand applicable regulations such as medical device, automotive, or industrial control standards.

Extract and analyze firmware for hardcoded credentials and keyscritical

Use binwalk, firmware-mod-kit, or FACT to extract filesystem and search for secrets.

Commands

binwalk -e firmware.bin

grep -aRiE "(password|api[_-]?key|secret|token)" _firmware.bin.extracted/

trufflehog filesystem _firmware.bin.extracted/

Evidence to capture

extracted firmware path containing the secret, the offending file/line, and proof the credential authenticates to a live device or service.

References

OWASP IoT Top 10 - I1 Weak, Guessable, or Hardcoded Passwords
binwalk documentation

Identify outdated and vulnerable software components in firmwarehigh

Check versions of embedded Linux, BusyBox, OpenSSL, and other common IoT components.

Commands

cve-bin-tool firmware.bin

Verify firmware update mechanism integrity and authenticationcritical

Test whether firmware updates are cryptographically signed and validated before installation.

References

NIST SP 800-193 - Platform Firmware Resiliency Guidelines

Check for debug interfaces and development artifacts left in production firmwarehigh

Search for enabled SSH, Telnet, debug consoles, and test scripts in the firmware.

Commands

strings firmware.bin | grep -iE "(telnet|debug|/bin/sh|dropbear)"

Analyze bootloader security and secure boot implementationhigh

Check if secure boot is enforced and whether the bootloader can be interrupted or modified.

Test for command injection in firmware web interface and CLIcritical

Inject OS commands into management interface inputs that may be passed to system calls.

References

PortSwigger - OS command injection

Cheat sheet · /cheat-sheets/command-injection

Capture and analyze wireless communications for encryptionhigh

Use SDR or protocol-specific tools to sniff BLE, Zigbee, or Wi-Fi traffic for cleartext data.

Commands

tshark -i wlan0mon -w capture.pcap

Test MQTT, CoAP, or custom protocols for authentication weaknesseshigh

Check for anonymous access, weak credentials, and missing TLS on IoT messaging protocols.

Commands

mosquitto_sub -h <broker> -t "#" -v

nmap -p 1883,8883 --script mqtt-subscribe <target>

Attempt to replay captured commands to the devicehigh

Record and replay device commands to test for replay attack protections.

Test BLE pairing security and GATT service accessmedium

Enumerate BLE services and characteristics, test for unauthenticated read/write access.

Commands

bluetoothctl scan on

gatttool -b AA:BB:CC:DD:EE:FF -I

Assess device-to-cloud API communication securityhigh

Intercept cloud API calls for authentication tokens, certificate validation, and data encryption.

Identify and access UART, JTAG, and SWD debug portshigh

Physically inspect the PCB for debug headers and test pads to gain console access.

Commands

jtagulator

screen /dev/ttyUSB0 115200

Evidence to capture

photograph of the PCB with the identified debug interface marked, plus a screen capture of the resulting root or bootloader console session.

Dump flash memory contents for offline analysishigh

Read SPI/NAND flash chips using hardware programmers to extract firmware and stored data.

Commands

flashrom -p ch341a_spi -r flash_dump.bin

Test for physical tamper detection and response mechanismsmedium

Check whether the device detects and responds to case opening or component removal.

Assess the factory reset process for data remnantsmedium

Perform factory reset and check if credentials, keys, and user data are fully erased.

Test for side-channel attacks on cryptographic operationsmedium

Monitor power consumption or electromagnetic emissions during cryptographic operations.

Map findings to OWASP IoT Top 10 and applicable regulatory standards

Reference OWASP IoT categories and compliance framework requirements for each finding.

Provide firmware and hardware-specific remediation guidance

Include recommendations for secure boot, encrypted storage, and protocol-level fixes.

Document attack paths across the IoT ecosystem

Illustrate how device compromise could lead to cloud, network, or user data compromise.

Include physical testing photographs and hardware diagrams

Provide annotated PCB photos showing debug interfaces and points of physical access.

Recommend lifecycle security improvements

Address secure provisioning, OTA update security, and end-of-life device decommissioning.

Related Vulnerabilities

Security Misconfiguration

medium

Cryptographic Failures

high

Injection

critical

Identification and Authentication Failures

high

Industries Using This Checklist

Manufacturing & OT

Healthcare

Report Vulnerabilities Faster with Vulnsy

Stop rewriting the same findings. Use Vulnsy's reusable templates, collaborative workflows, and professional report generation to deliver pentest reports 10x faster.

Start Free Trial

Modern penetration testing reporting platform. Built by pentesters, for pentesters.

Platform

Features
Pricing
FAQ

Resources

Vulnerability Knowledge Base
Pentest Checklists
Cybersecurity Glossary
Industries
Blog
Free Tools

Company

About
Contact
luke@vulnsy.com

IoT Security Testing Checklist

Pre-Engagement

Firmware Analysis

Communication Protocol Testing

Hardware & Physical Testing

Reporting

Related Vulnerabilities

Industries Using This Checklist

Report Vulnerabilities Faster with Vulnsy