Blackbox-type examination via network and various connectivities is initiated to see if security problems are found in an embedded appliance under construction/development.

Examples of security issues

• Intended halting of services by malicious third-party individuals
• Invalid acquisition and falsification of information in appliances (ID information, authentication information, etc.)
• Network hacking via embedded devices (configuration, information exposure, etc.)

Objectives of this testing

• Identifies security issues inherent to devices available on the market
  For devices in production, modification is applied to cover grave issues
  When an incident occurs, prompt action can be taken with issues in mind
• Identifies security issues inherent to devices in development
  Issues can be discovered and fixed prior to the product's release
  With security screening, products can be released with added values

The following items will be tested manually by our well-experienced engineer.

• DoS resistance test
• Authentication bypass test
• Individual protocol test
• Default setting vulnerability test
• Information exposure / information leakage test

DoS resistance test

Denial-of-service risk is examined against malicious packets, information overflow, and other means sent to an embedded device via protocol level and TCP/IP level.

Authentication bypass test

This is to examine if password and other authentication can be bypassed then logged in to embedded devices, by means of brute force attack, forged HTTP communication, and invalid privilege upgrading.

Individual protocol test

This is to discover security risks hidden in all services using embedded devices. All protocols are examined to see whether they match the standard of confidentiality, integrity, and availability. If an HTTP server is being used for administrative use, cross site scripting, directory listing, invalid JavaScript execution, and other possibilities will be tested. In case FTP is used, anonymous FTP access, FTP bounce attack, rewritable directory check, and others will be tested.

Default setting vulnerability test

Checking the initial password, access control listings, and other default settings of an embedded appliance enables us to grasp hidden vulnerabilities, so that security measures can be implemented before users embed such devices.

Information exposure / information leakage test

Some information may be exposed, and therefore be advantageous to attackers and intruders. Leakage of file name(s) and paths via error message, exposure of guessable information via cookie, data leakage via SNMP, and other possibilities will be examined.

• Loaning of devices and manuals under screening
• Communication channel between the client's developer(s) under screening
  Notification of mobile phone number(s) so that technical questions and answers can be exchanged