Hello. I am new to Bugcrowd and bug bounty hunting, and I’ve recently delved into the world of IoT pentesting. While I’m not new to web application testing, I decided to pursue a different route and learn more about IoT security. I find it extremely fascinating, and I’m excited to start finding bugs in IoT devices.
I’m aware that there are far fewer programs pertaining to IoT devices, which is part of the reason why I decided to get started in that area. I’ve also noticed that there are far fewer resources available, and more so, I’ve found that it’s not extremely common to see IoT vulnerabilities disclosed publicly. While I’m aware of the resources on this forum and I’ve read at least parts of the IoT Hacker’s Handbook, I learn best by example, and as a newcomer to the IoT world I’m curious as to what classes of IoT vulnerability are the most common. My question boils down to this: What are the most common types of IoT vulnerability reports that get accepted? Should I familiarize myself with ARM binary exploitation? Is a private SSL certificate for use with the web application found on the firmware a valid vulnerability? Or is it mainly only common to find bugs in mobile app to device communication? Just to clarify: I’m not asking for help finding resources on how to learn about IoT pentesting. I am capable of doing research. I’m simply asking what are some of the most common things that people prioritize when looking for IoT bugs. Speaking candidly with someone who is experienced in finding valid IoT bugs would be extremely helpful to me as a beginner.
This is a great question! Thanks so much for dropping by
This is what I got from one of my teammates who works on our IoT programs:
From what I see, it is Remote Code Execution, Authentication Bypass, buffer overflow, and the normal vulnerabilities in the web interface such as XSS, CSRF, SSRF, etc.
What are the most common types of IoT vulnerability reports that get accepted?
In my experience, the ones Sam mentioned. RCE (either through command injection or memory corruption bugs) and Auth bypasses are particularly prevalent, and what I look for first.
Should I familiarize myself with ARM binary exploitation?
Yes - ARM is really common in IoT targets.
Is a private SSL certificate for use with the web application found on the firmware a valid vulnerability?
I assume you mean the web interface on the device.
If you can retrieve the private key corresponding to the certificate (without admin access to the interface), I’d say it is a valid vulnerability. Caveat: many devices ship with preconfigured self-signed certificates which are not very useful, but will later generate new ones or let the user import a real certificate. Context is important here.
Or is it mainly only common to find bugs in mobile app to device communication?
This is also a fairly common attack vector; look for the usual bugs due to lack of input validation. Again, RCE through command injection is fairly common here.
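A defender-side check for the private-key point in the reply above, added here as an example and not code from the thread or from any project it names: it walks an extracted firmware filesystem, reports every PEM private key it finds, and notes whether the key is encrypted, so a report (or a pre-release audit) can say exactly which file carried the key. The sample tree, file paths and key bodies are constructed placeholders, not real key material.

```python
import os
import re
import tempfile

# One PEM private-key block (RSA/EC/DSA/PKCS#8, plain or encrypted); END label must match BEGIN.
PEM_KEY_RE = re.compile(
    r"-----BEGIN (?P<label>(?:ENCRYPTED |RSA |EC |DSA )?PRIVATE KEY)-----"
    r"(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

def classify_key(label, body):
    """Return (kind, encrypted) for one matched PEM block."""
    encrypted = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
    kind = {"RSA PRIVATE KEY": "rsa", "EC PRIVATE KEY": "ec",
            "DSA PRIVATE KEY": "dsa"}.get(label, "pkcs8")
    return kind, encrypted

def find_private_keys(root):
    """Walk an extracted firmware tree and list every PEM private key found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")  # PEM is ASCII; binaries still scan
            except OSError:
                continue
            for m in PEM_KEY_RE.finditer(text):
                kind, enc = classify_key(m.group("label"), m.group("body"))
                findings.append({"path": os.path.relpath(path, root),
                                 "kind": kind, "encrypted": enc})
    return sorted(findings, key=lambda f: f["path"])

# Constructed stand-in for an extracted firmware filesystem (placeholder bodies, not real keys).
SAMPLE_FILES = {
    "etc/lighttpd/server.pem": ("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
                                "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"),
    "etc/ssl/backup.key": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                           "DEK-Info: AES-128-CBC,0000\n\nabcd\n-----END RSA PRIVATE KEY-----\n"),
    "usr/share/www/index.html": "<html>ok</html>\n",
}

def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="fw_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for finding in find_private_keys(build_sample_tree()):
        print(finding)
```

An unencrypted key sitting next to the web server's certificate is the case the reply calls a valid finding; an encrypted one still deserves a look at where the passphrase lives.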
Thanks for the replies! It always helps to hear about personal experiences. I’ve also found a cool resource for some great examples of IoT bugs here: https://www.exploitee.rs/, in case anyone else is searching for the same things I am.