Loading...
Loading...
Full device-to-cloud kill chain assessment for Malaysian manufacturers, smart building operators, and industrial OT environments. We test hardware interfaces, firmware binaries, BLE/Zigbee/LoRaWAN radio protocols, and cloud APIs — not just the network perimeter.
A conventional web or network pentest operates on documented, standardised platforms — HTTP, TCP/IP, Active Directory. IoT devices introduce layers that most security firms are not equipped to test: embedded firmware compiled for ARM or MIPS processors, proprietary radio protocols operating at 2.4 GHz or sub-GHz frequencies, and debug interfaces physically exposed on the PCB that bypass software authentication entirely.
Malaysian manufacturers shipping connected products to the EU or UK face regulatory pressure under the EU Cyber Resilience Act and the UK PSTI Act. Building owners operating smart HVAC, access control, and energy management systems face a different risk: a single compromised gateway device can bridge from an isolated OT network into corporate IT infrastructure, enabling lateral movement that no network firewall anticipated.
nCrypt's IoT penetration testing methodology follows a four-layer model — hardware, firmware, radio, and cloud — ensuring every component of the device-to-cloud kill chain is evaluated, not just the parts visible from the network perimeter.
Each layer of the device-to-cloud architecture is tested independently and as part of the full attack chain. A finding at one layer — a hardcoded credential in firmware, for example — is traced through to its impact at the cloud layer.
Physical access to the device is the attacker's first opportunity. We examine exposed debug ports — JTAG, UART, SPI, I2C — for unlocked access that bypasses authentication entirely. We probe test pads, identify chip markings, and attempt to dump memory directly from flash chips using clip-on readers when firmware extraction through software channels is blocked. Secure boot chain verification confirms whether a device will refuse tampered firmware or silently execute it.
Firmware is the operating system of an IoT device — and most of it has never been audited. We extract firmware via software update mechanisms, debug ports, or direct chip reads, then unpack and analyse it statically. Binwalk unpacking reveals hidden filesystem structures, hardcoded credentials, private keys, and certificate chains baked into the image. We identify the OS, kernel version, and all third-party libraries to flag known CVEs. Dynamic analysis under QEMU emulation confirms exploitability where full hardware isn't required.
IoT devices communicate using a range of wireless protocols — each with distinct attack surfaces. BLE devices are probed for unauthenticated GATT service enumeration and characteristic write access. Zigbee networks are tested for unencrypted traffic, network key extraction, and device spoofing. LoRaWAN deployments used in smart metering and industrial sensors are reviewed for DevEUI/AppKey exposure, replay attacks, and gateway authentication. Wi-Fi-connected devices are additionally subject to WPA2/WPA3 and captive portal testing from the wireless assessment playbook.
Almost every IoT device talks to a cloud backend — and the cloud is where attacker impact scales. We test the companion mobile application and its API endpoints using OWASP-aligned methodology: authentication bypass, broken object-level authorisation (BOLA), insecure direct object references that expose other users' device data, and weak or missing API rate limiting that enables device enumeration. Cloud infrastructure hosting the device management platform is reviewed for publicly exposed management interfaces, overly permissive IAM policies, and misconfigured storage that may expose telemetry data at scale.
The right delivery model depends on whether you are validating a product before shipment or testing devices already deployed in your environment.
You ship us one or more physical devices. We conduct all hardware, firmware, and radio testing in our facilities and test cloud/API endpoints remotely. Ideal for product manufacturers validating a device before launch or at a pre-shipment milestone.
Best suited for:
Our consultants attend your facility to test devices in their deployed environment: factory floor, server room, retail fit-out, or building management system. On-site testing captures network-layer attack paths that only exist when the device is connected to your production infrastructure.
Best suited for:
Every nCrypt IoT assessment produces a structured written report covering all four layers. Findings are mapped to the OWASP IoT Top 10 and, where relevant, ETSI EN 303 645 provisions for manufacturers requiring regulatory evidence.
Common questions about IoT penetration testing for Malaysian manufacturers and building operators.
We test a wide range of connected devices: industrial controllers and PLCs used on factory floors, building management system (BMS) gateways and smart HVAC controllers, medical devices (subject to additional scoping for patient-safety constraints), retail POS terminals with embedded OS, asset-tracking tags and smart meter gateways, and consumer-grade devices such as IP cameras and smart locks. If your device runs embedded firmware and communicates over any wireless or wired protocol, we can scope a test against it.
Hardware and firmware layers require a physical device. Chip-level flash extraction, JTAG probing, and radio testing cannot be done remotely. Cloud backend and API testing can be conducted remotely once we have test credentials and API documentation. For most engagements we combine lab-based hardware/firmware testing with remote API testing. Where devices are embedded in immovable infrastructure (building BMS, factory equipment), we attend on-site with specialist hardware.
Standard web and network pentests operate on well-documented, standardised platforms (HTTP, TCP/IP, Active Directory). IoT testing requires specialist hardware tools — logic analysers, JTAG adapters, SDR radios, and clip-on flash readers — and the ability to analyse compiled firmware binaries, often for custom or modified RTOS environments. The attack chain also spans more layers: from physical hardware through embedded software, proprietary radio protocols, and up to cloud APIs. This breadth requires a different toolset and skill set from a web or network-only practitioner.
Yes — this is increasingly a commercial requirement. The EU Cyber Resilience Act (CRA) and UK PSTI Act both impose security requirements on connected products. The EU CRA applies to products sold in the EU market from 2027; it requires vulnerability handling processes and security-by-default design. ETSI EN 303 645 is the baseline security standard referenced by both regimes. nCrypt's IoT assessment maps findings to ETSI EN 303 645 provisions, providing evidence useful for manufacturers preparing compliance documentation for EU/UK market access.
It can, if not scoped carefully — which is why we agree a testing plan before any activity begins. For production devices, we use test units isolated from the live network wherever possible. Radio testing (BLE, Zigbee, LoRaWAN) is conducted within agreed frequency ranges and power limits. Any fuzzing or exploit attempts that could crash a device are conducted on test units, not production hardware. All testing proceeds under a signed scope document with an agreed abort procedure. We have not caused production outages on any engagement to date.
The OWASP IoT Top 10 is a reference list of the most significant security risks affecting IoT products, covering areas including weak/guessable/hardcoded credentials, insecure network services, lack of a secure update mechanism, use of insecure or outdated components, and insufficient physical security. nCrypt's IoT assessment methodology covers all ten OWASP IoT Top 10 categories and maps each finding to the relevant category in the deliverable report. We also map to ETSI EN 303 645 provisions where relevant for compliance evidence.
Share your scope. We'll respond within 24 hours.
Share your scope. We'll respond within 24 hours.
From device firmware to cloud API, nCrypt's IoT penetration testing maps the full attack chain so you can remediate what matters most.
Complementary services Malaysian buyers commonly pair with iot security testing.
Purdue-model OT/ICS architecture review and IEC 62443-aligned hardening.
Learn moreWi-Fi, rogue AP and wireless segmentation security testing.
Learn moreInternal and external network pentests with lateral-movement simulation.
Learn more