A Brief History of ONEKEY: Securing the Internet of Things Since 2015

Since its initial development in 2015, the firmware analysis platform ONEKEY (formerly known as IoT Inspector) has analyzed tens of thousands of firmware images for vulnerabilities and compliance violations. Not only have we been able to identify countless misconfigurations and security issues; we have also detected many previously unknown security vulnerabilities for the first time.

Increasing Connectivity = Growing Security Risks  


It is
conducted by Nokia, IoT devices already accounted for one-third of all devices affected by security vulnerabilities in 2020. By comparison, the figure was only 16 percent in 2019.

But the Internet of Things goes well beyond smart homes and personal gadgets such as hobby drones and fitness trackers. In over

Automated Analysis Tools for Efficient Security Checks 


These numbers are startling, though unsurprising, as the vast majority of IoT devices operate under questionable security standards: 57% of them are “
to medium- or high-severity attacks, making IoT the low-hanging fruit for attackers."

SEC Consult recognized the rapidly growing problem of insecure IoT devices early on and set the success story of IoT Inspector in motion as early as 2015. With the increasing demand for product testing of IoT and embedded devices (particularly due to stricter regulatory requirements), the security consultants saw the need for an automated solution to support the relevant security checks. This laid the foundation for IoT Inspector.

House of Keys and the Tale of Black Widow 


The first large-scale research project took place the same year. Security researcher
. 580 security keys were reused and found in a large number of devices - making their encryption obsolete and exposing numerous devices to an increased security risk.

The brand "IoT Inspector" was first used in 2016, when a
was uncovered in several devices from the American conference room equipment manufacturer AMX - whose products were used at the time notably in the White House. The devices had secret credentials (code name: black widow) that allowed the manufacturer (and possibly others) to easily gain access to the devices and spy on its customers. This backdoor was discovered during a manual analysis and subsequently added to IoT Inspector's database. It is also worth mentioning that the manufacturer assured that it had gotten rid of the backdoor during a security update. However, a new analysis by IoT Inspector showed the backdoor was not removed, only renamed...

In the same year, we achieved another brilliant success: Many companies use cameras to monitor their premises and protect themselves from intruders. Paradoxically, sometimes the cameras themselves are not sufficiently secured against external attacks. For example, a

A vulnerability of even greater magnitude was discovered in 2018 in the course of research around the automated detection of management protocols and supported cloud backends in IoT firmware at the Chinese OEM manufacturer Xiongmai. Its white-label components are used in products around the globe. Accordingly, over 9 million cameras were equipped with a remote monitoring feature enabled by default ("XMEye P2P cloud"), which was affected by critical security vulnerabilities. Of course, since then, vulnerable connections to the XMEye P2P cloud can be detected automatically by IoT Inspector, in addition to dozens of other management protocols. 

An Overview of IoT Inspector in Action 


To go into all the findings in detail would be beyond the scope here, but we can say this much: The research team of SEC Consult is always very ambitious in its fight for more cybersecurity.

To continuously develop IoT Inspector's analysis capabilities, we work with established security experts, including Red Alert Labs, QGroup, TÜV Rheinland, TÜV Hessen and VDE-Cert. Our analysis platform supports the security research of our research partners, and insights from their manual security analyses in turn migrate into the vulnerability modules of IoT Inspector. If you are also interested in a research partnership, we look forward to hearing from you.  

#makeIoTsecure - IoT Security for Your Company  


Our mission is to make the Internet of Things secure. That's why we developed IoT Inspector - the leading European solution for automated firmware security analysis and compliance checks. To make our technology accessible to the widest possible audience, in June 2020 we completely separated from
by Atos).

Since then, IoT Inspector has been an independent company based in Bad Homburg, Germany. In September 2020, we received a

ONEKEY - How it Works












Whether you manufacture IoT products yourself, distribute them (e.g. as a telecommunications service provider), perform security audits for your customers, certify devices, or use them in your company: we can help. Don't ignore the security risk of your IoT devices and

About Onekey

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
