866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

Don't Start Your Hardware Penetration Test Before Reading This Blog Feature
Austin Bentley

By: Austin Bentley

Print/Save as PDF

Don't Start Your Hardware Penetration Test Before Reading This

Penetration Testing

Published: Mar 26, 2025

Your IoT devices sit on your client’s networks. They may even sit there for years without the ability to obtain software updates. Your clients may even expose these devices directly to the Internet with no network firewall in place. All the same, your clients still expect these devices to always be available and secure. Before deploying these devices, your team should consider a IoT/hardware penetration test. However, before you begin this process, let’s discuss the uniqueness of this style of engagement, followed by traps to look out for when selecting a provider. 

Unique Challenges of Hardware Testing

It's important to understand that hardware testing is a specialized niche within the broad penetration testing field and your typical penetration tester likely won’t have much experience testing hardware. Oftentimes, their employment history may not have required any hardware knowledge because these tests are required by only a minority of organizations.

Hardware testing also requires knowledge from other domains – notably electronics engineering. And lastly, a variety of expensive tools ranging from oscilloscopes to even x-rays may be required. When you combine all of these factors, it’s no secret why hardware testers are of short supply in the industry.

Furthermore, here is a deeper look at the specialized knowledge and tools which are required for almost all hardware assessments: 

Domain Requirement Reason

General Electronics Safety & PPE 

Electronics have a notable shock risk. Individuals with little electrical experience should not interact with the internals of devices which operate at dangerous voltage and current levels – this is especially true for AC circuitry. 

Logic Analyzer and Oscilloscope Operations 

Used to identify various circuits, signals and protocols within a device. The information gathered may then be used in further attack scenarios ranging from interface interaction to glitching scenarios. 

Data Bus Identification and Interaction/Decoding 

Onboard communication protocols such as SPI, I2C, or debug protocols serve as rich attack surfaces. Accessing these protocols may be simple or difficult, depending on physical size limitations, fusing, locking or other security lockdown practices. 

Direct Reading and/or Reprogramming of ICs 

Storage ICs have a large variety of possible configurations. As such, reading and understanding the datasheet, as well as proper PCB analysis, is required in order to read or program these circuits. 

Proper PCB Disassembly and Reassembly 

When a fully constructed non-development PCB is being analyzed, it may not be possible to interact with ICs on an individual basis, as other in-circuit components will often cause interference, ringing (oscillations) or low impedance. As such, these ICs may need to be desoldered to access or modify the data within. 

Fault Injection Attacks 

Various hardware and firmware security protections can be bypassed via fault injection attacks, such as power, clock or even temperature glitching. 

Radio Networking Protocols 

A large variety of networking protocols exists for hardware/IoT devices. Examples include LTE, 5G, Zigbee, LoRaWAN or BTLE. Each of these protocols has their own unique attack surface and associated research in the public domain. 

Firmware Analysis and Reverse Engineering 

Once access to firmware has been obtained, reverse engineering will help identify issues ranging from backdoor credentials to management interface vulnerabilities.

Device Compromise Assessment 

Once all vulnerabilities have been analyzed, each vulnerability will be sized up according to the device’s threat profile and your true business risk.

Questions to Ask Your Hardware Penetration Test Provider

With the stage set for the nuances of hardware assessments, let’s dive into the questions you should ask your provider in order to ensure an effective hardware pen test experience: 

What physical tools will your team use?

Your basic multimeter and serial USB adapter isn’t going to cut it. At a minimum, we’d expect an oscilloscope, logic analyzer, various USB adapters for debug interface access, and de/re-soldering tools. Excellent providers will have additional tools, including fault injection equipment, SDR transceivers, and a high-quality illuminated microscope. 

How many physical devices will your team need?

In a black-box scenario, it’s possible that a thorough test is not being performed if only a single device is being provided. We recommend that you ship a minimum of two of each in-scope devices to your provider. The reason for this is that there’s a possibility that the tester may need to disassemble a PCB, which is likely to result in the device no longer functioning. 

Will testing destroy a device?

While the provider shouldn’t outright seek to destroy a device for zero purpose, it is possible that a device could be rendered inoperable as a result of testing. Problems can include accidental component damage, software failures that render devices inoperable, and unsuccessful attempts at soldering or desoldering components. 

Can your team test radio protocols?

Ideally, the team will have the hardware necessary to test radio protocols. While there are specialized tools depending on the exact protocol being used, at a minimum, the provider should have a Software Defined Radio (SDR) transceiver, which serves as an incredibly flexible RF tool. This tool allows the team to quickly adapt to RF-enabled products by implementing the components that would otherwise limit a radio to a single application (via fixed mixers, exciters, modulators) in software rather than traditional hardware. The result is a powerful, yet general use RF tool. 

While having an SDR is a large component of the radio test, it’s not everything. Next, the team should explain that they will research the associated protocol for accompanying vulnerabilities; each radio protocol has their own unique quirks and research, which is largely outside the scope of this article. 

Will your team need a firmware dump?

The answer to this question depends on your goals of the assessment. You should consider if you are wanting to test how easy it is for an attacker to retrieve device firmware given device lockdown practices. If so, we would not recommend providing the firmware. However, if you are wanting more focus on the actual firmware itself to identify vulnerabilities within network services, software or configurations, we’d recommend providing the firmware. 

Will reverse engineering be performed?

A major component of every hardware assessment is the actual reverse engineering process of device firmware. This will help identify misconfigurations and vulnerabilities within the actual device image and application code that make up the device. The majority of vulnerabilities discovered in networked hardware devices arise from reverse engineering and are typically associated with interfaces virtually exposed to attackers. 

Will management interfaces be tested?

These interfaces usually include legacy telnet, SNMPv1/2, and web interfaces to name a few. And, unfortunately, these will likely serve as the largest attack surface into your device from the virtual realm. Therefore, if a client were to have a device exposed on a network, these open interfaces serve as the largest risk. As such, manual testing of these interfaces should be conducted with the assistance of the reverse engineering component of the assessment. 

Taking the Next Steps in Your Hardware Pen Test Journey

Hardware testing represents a critical yet complex aspect of penetration testing that requires specialized knowledge, tools, and expertise. As organizations continue to deploy IoT and embedded devices in various environments, the importance of thorough hardware security testing cannot be overstated.

When engaging with a penetration testing provider for a hardware assessment, it's crucial to ask the right questions and understand their capabilities, tools, and methodologies to make sure they align with your goals. If you’ve decided you're ready to start talks with providers, Schellman is here to answer all of your hardware hacking methodology questions. Please consider filling out our Penetration Testing Scoping Questionnaire and we'll be in contact soon.

In the meantime, discover additional helpful tips and insights for securing an effective pen test in more of our pen testing articles

About Austin Bentley

Austin Bentley is a Manager at Schellman, headquartered in Kansas City, Missouri. With a robust background in penetration testing, Austin has developed a distinctive procedural methodology that sets his assessments apart. His expertise spans various forms of penetration testing, ensuring comprehensive security evaluations. Before stepping into his managerial role, Austin honed his skills in Application Security at a major financial institution, where he was instrumental in safeguarding critical systems.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.