Laptop and Mobile Device Security Reviews
A security review of a company laptop or mobile device requires a tester to assess the security of the device hardware, operating system, applications and locally stored data for potential vulnerabilities. The ultimate goal is to see if sensitive data can be accessed locally or externally - typically from the perspective that the device is lost or has been stolen.
Why do you need a laptop/mobile device security review?
Mobile devices, are being increasingly adopted by large organisations and SMEs for their portability, functionality, and improving support for existing internet technologies. If such devices are lost or stolen, it is critical that the interception of such a device cannot pose a risk of data leakage or unauthorised access to corporate network resources.
How can we help you?
Company laptops and smart phones can have the same privileged access to business data resources as a desktop connected to the internal corporate network. Internal security policies often cannot map fully onto mobile devices and therefore such devices can be exposed to risk. Business laptops and mobile devices typically have trust relationships with the corporate network. As part of our testing methodology, we attempt to subvert or elevate any available privileges to gain access to data and services - reporting any entry points or opportunities for further attacks.
ProCheckUp currently offers the following services in this area:
- - Android Device Security Review
- - iPhone Security Review
- - iPad Security Review
- - Laptop Security Review (Stolen Laptop Case Study)
As part of the security review, our testers provide comprehensive testing of the laptop or mobile device hardware, operating system, applications, and locally stored data for security issues related (but not limited) to the following:
- - Cached or unlocked credentials
- - Weak password policies
- - Sensitive data disclosure
- - Encryption vulnerabilities
- - Information leakage
- - Missing security patches
- - Local Security Policy Circumvention
Working with a personal account manager and dedicated member of the technical team, we will support and guide your company from initial enquiry stage through to fixing vulnerabilities. You can read more about our processes here.
Please contact us for more information on how ProCheckUp Device Testing/IOT testing Services can help you.
ProCheckUp can help you secure your IoT devices with our IoT testing and certification solutions.
We have a state of the art IoT laboratory which enables us to address the increasing risks posed by technology developments in the area of connected devices.We also offer assurance for IoT functionality.
ProCheckUp uses the following IoT testing methodology:
Mapping the attack surface
This step helps the architecture of the solution to be understood, and helps establish the various tests that would be run on the product, sorted by priority.
The architecture can broadly be divided into three categories:
1) Embedded device
These devices include hubs, smart lightbulbs, motion sensors, smart switches and additional connected devices.
2) Firmware, software and applications
After hardware testing the next component to be tested is software.
This includes firmware running on the device, mobile applications which are used to manage the device and the cloud components connected to the device.
3) Radio communications
Radio communications provide a way for some devices to communicate with each other. Some of the radio communications used are Cellular , Wi-Fi, Bluetooth low energy, Zigbee, Z-Wave and more
Embedded device – hardware analysis
This stage allows us to understand the devices hardware from a security perspective by using both internal and external analysis. This consists of two stages: -
Cellular , Wi-Fi, Bluetooth low energy, Zigbee, Z-Wave and more
Internal interfaces, USB, Serial, JTAG SPI
Embedded device – Gaining shell access
At this stage we would attempt to gain shell access to the device, using the following techniques:-
Protocol implementation weakness.
HackRF, KillerBee, Ubertooth
PoisonTap, BashBunny and Facedancer21
Identifying the connections, identifying the baud rate, interacting with the device to gain a shell
Identifying the connections, reading writing to the EEPROM
Identifying the connections, reading writing to the EEPROM. Reading memory contents. Analysing binaries.
Embedded device – Firmware Analysis
From a security perspective, firmware is the most critical component of an embedded device. Firmware resides on the non-volatile section of the device, allowing and enabling the device to perform different tasks required for the functioning of the device.
Obtaining the firmware
Downloading from the Internet
Extracting from the device
Sniffing during an update
Automated method - binwalk
Looking for hardcoded secrets
credentials, backdoor, sensitive URLS, access tokens, local pathnames
Embedded device – Backdooring the firmware
Backdooring the firmware is one of the main security issues which IoT devices face
Perform integrity checks and signature validation.
Firmware, software and applications - Auditing the file system and programs in use
At this stage, the operating system is audited to ensure that industry hardening best practices are followed.
Key management audit
Data store audit
Firmware release diffing
Firmware, software and applications - Analysing binaries
Disassembly and emulation of firmware binaries, running the binaries so we can analyse/exploit them.
Firmware, software and applications - Exploiting binaries
Looking for security vulnerabilities within the binaries/setting breakpoints, and creating exploits.
Cloud and supporting network audit
User Interface audit - Web/iOS/Android/API/thick client
Mobile application tests – see section on mobile application testing
Download our sample IOT report.
Please contact us for more information on how ProCheckUp IOT Testing Services can help you.