TutorialsIoT device scanning

Tutorial: IoT device security testing

Test the security of a camera, drone, robot vacuum, or router by analyzing its firmware — the safe, repeatable way to assess an IoT device without touching the live hardware or putting it on the network.

Scenario

  • Device. A Wi-Fi security camera (the same flow applies to a drone, robot vacuum, or router).
  • Artifact. The camera’s firmware image, obtained from the vendor’s update site or an OTA capture, hosted at a URL you control.
  • Goal. Find default credentials, embedded keys, backdoor services, and vulnerable components before an attacker does.

Get the firmware

SourceHow
Vendor update/support siteDownload the latest firmware .bin/.zip
OTA captureIntercept the device’s update request (it fetches the image over the network)
Flash dumpRead the SPI flash with a programmer (CH341A) and flashrom

Inputs you need

ItemWhere it goes
Firmware URLArtifact URL field
SHA-256 of the fileSHA-256 field
Vendor / model / device class (optional)labelling fields
shasum -a 256 camera-fw.bin

Steps

1. Register the target

app.pencheff.comRegister targetOT / IoT & Hardware SecurityIoT Device:

  • NameAcme Cam 2 — fw 1.4
  • Artifact URLhttps://updates.acme.com/cam2/fw-1.4.bin
  • SHA-256 — the digest above

2. Run the scan

Commission scan. Pencheff verifies the image, maps its components (binwalk), and analyzes the extracted strings.

3. Read the findings

The highest-value IoT findings:

  • Default credentials (admin:admin, root:root) — the exact weakness the Mirai botnet weaponized to build a camera/router botnet.
  • Embedded private keys — shared across every device of that model.
  • Telnet / debug services — remote-access backdoors.
  • Cleartext update endpoints — let an attacker MITM a firmware update.
  • Outdated components — BusyBox/Dropbear/OpenSSL versions with CVEs.
⚠️

No live probing. Pencheff analyzes the firmware image only — it never connects to the device or your network. That makes it safe to run and means it works even for a device you can’t reach from the cloud.

Deliverable

An IoT device risk register exportable to DOCX/JSON/CSV.

Next