Device security presents unique challenges like limited processing power, complex technology stacks, and attacks against physical interfaces. Our team has years of experience and has developed a holistic testing methodology informed by accurate threat modeling.
A practical flow that starts with threat modeling and ends with verified fixes.
Decompose the device stack, enumerate attack surfaces, and frame attacker incentives. We build a live surface map to focus effort where impact is highest.
Firmware extraction, static/dynamic triage, protocol/file-format targets, and emulation prep. We light up code paths and capture traces.
Turn ideas into proof. We craft PoCs for update chain, radios, local services, and privilege boundaries to demonstrate real-world impact.
Concise reporting with actionable fixes. We keep it operational and device-focused, ready for engineering sprints.
We re-run relevant PoCs/harnesses to confirm mitigations and close the loop, so the same class of bug does not return.
Every engagement begins with an architectural deconstruction. We map the device's ecosystem, starting at the physical and wireless edges to identify every potential entry point. From there, we trace the internal data flows and trust boundaries between critical components like the OS, secure elements, and application logic.
This foundational model, illustrated here with an Android PoS terminal, is the output of the first stage of our testing process. It serves as a strategic map, allowing us to focus our analysis and exploitation efforts on the most critical and likely points of failure to find impactful vulnerabilities faster.
[Figure: threat model of an Android PoS terminal. Labels: Android OS; Root / Privilege Escalation; Secure Element / TEE; Key Extraction]
From consumer IoT to mobility and industrial — if it ships firmware and talks to the world, we can test it.
Smart locks, cameras, hubs, speakers — proximity + onboarding are critical.
WAN/LAN boundaries, updaters, and service exposure decide safety at home & edge.
Update chain, key material, local services and app/device trust.
BLE, OTA safety, and sensor trust with tight power constraints.
Update chain, sensors/actuators, and device↔cloud policy under safety constraints.
Safety interlocks, identity, OTA and secrets under regulated environments.
Pick the access level that fits your stage. We can also mix modes per surface when that’s the fastest path to impact.
Realism over context. We handle the device like an unknown adversary would.
Pragmatic access. Limited artifacts accelerate depth while preserving attacker perspective.
Depth with access. Internals (firmware/docs/debug) enable the most thorough coverage.
Some ideas generated while testing one device prove interesting when applied to a larger group of devices. Our ability to apply technical findings at scale has led us to write state-of-the-art tooling and produce cutting-edge research, such as BadUSB and our Android patch analysis tool.
For a granular look at our methodology, explore the interactive atlas below. Filter by device type to see which attack surfaces we prioritize for different products.
Compromise here survives reboots and scales fleet-wide. We verify trust from immutable boot ROM through loader and kernel, then stress the update mechanism that changes the device in the field.
Factory conveniences often ship to production. If debug survives, attackers get privileged shells and flash access.
Secrets in the wrong place leak control: API keys, tokens, device identities. We validate how keys are created, stored, rotated, and consumed.
Short-range interfaces are often treated as “safe enough.” We test pairing, onboarding, and replay to prevent drive-by abuse.
Hidden endpoints and weak authorization turn convenience into compromise. We treat the device like a local attacker would.
If the device trusts spoofed inputs, attackers steer actuators. We validate bounds, plausibility checks, and fail-safe behavior.
The cloud side decides who controls devices. We test registration, identity strength, and cross-channel trust with the companion app.
Security Research Labs is a member of the Allurity family.