Secure Every Endpoint
From consumer electronics to industrial controllers. We dissect hardware, firmware, and radio protocols to expose vulnerabilities before they ship.
Securing Every Vertical
IoT risks vary by industry. Our testing methodologies are tailored to the specific protocols, threat models, and regulatory requirements of your sector.
Automotive Security
Securing ECU communication, OTA updates, and infotainment systems against remote exploitation.
Medical Devices (IoMT)
Protecting patient safety and data privacy in connected pacemakers, insulin pumps, and hospital networks.
Consumer Electronics
Ensuring privacy and preventing botnet recruitment for smart home devices, cameras, and wearables.
Industrial IIoT
Bridging the gap between IT and OT to prevent production downtime and physical damage.
Comprehensive Device Intelligence

Firmware Binary Analysis
Deep dive into bootloaders and filesystems to uncover hardcoded credentials and logic flaws.
Hardware Interface Testing
Physical attacks via JTAG, UART, and SPI to extract secrets and bypass secure boot.
Wireless Protocol Fuzzing
Stress testing BLE, Zigbee, and LoRaWAN implementations for crash-inducing vulnerabilities.
Compliance Mapping
Detailed mapping to ETSI EN 303 645, NIST IR 8259, and ISO/SAE 21434 standards.
Field Reports
Real-world examples of how we've secured connected devices against determined attackers.
Connected Medical Device (IoMT)
The Challenge
A medical device manufacturer needed FDA 510(k) cybersecurity clearance for a new connected infusion pump.
The Vulnerability
We identified a vulnerability in the BLE pairing process that allowed an attacker to inject lethal dosage commands without authentication.
The Fix
The manufacturer patched the firmware before submission, preventing a potential recall and ensuring patient safety.
Smart Home Hub Ecosystem
The Challenge
A smart home vendor wanted to ensure their new hub couldn't be used as a pivot point into user networks.
The Vulnerability
We extracted the firmware via JTAG and found a hardcoded root password. This allowed us to install a persistent backdoor and sniff network traffic.
The Fix
The vendor implemented secure boot and unique per-device passwords, significantly hardening the device against physical attacks.
Industrial Sensor Gateway (IIoT)
The Challenge
A factory automation company needed to verify the security of their MQTT implementation for a new sensor gateway.
The Vulnerability
We discovered that the MQTT broker accepted wildcard subscriptions ('#') from unauthenticated clients, leaking sensitive production data.
The Fix
The company implemented TLS mutual authentication (mTLS) and strict ACLs, securing the critical telemetry data.
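How a strict subscribe ACL closes the wildcard leak described in this field report, as an added example (not code from the engagement or the vendor): a subscription is granted only when the requested filter is fully covered by a grant tied to the client's mTLS certificate identity. The client names, topic layout and the `ACL` table are assumptions made for illustration.

```python
# Added example: deny-by-default SUBSCRIBE authorization for an MQTT broker.
# Identities, grants and topic names below are constructed for illustration.

def topic_matches(flt, topic):
    """MQTT matching: '+' is one level, '#' (always last) is the whole remainder."""
    f, t = flt.split("/"), topic.split("/")
    if t[0].startswith("$") and f[0] in ("+", "#"):
        return False  # leading wildcards never match '$'-prefixed topics
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def filter_covered(sub, allowed):
    """True only if every topic matched by `sub` is also matched by `allowed`."""
    s, a = sub.split("/"), allowed.split("/")
    if s[0].startswith("$") and a[0] in ("+", "#"):
        return False
    for i, level in enumerate(a):
        if level == "#":
            return True           # the grant covers this whole subtree
        if i >= len(s) or s[i] == "#":
            return False          # the request is broader than the grant
        if level not in ("+", s[i]):
            return False          # literal mismatch, or '+' requested where a literal is granted
    return len(s) == len(a)

# Grants keyed by the certificate common name presented during the mTLS handshake.
ACL = {
    "gateway-01": ["factory/line1/+/temperature"],
    "historian": ["factory/#"],
}

def authorize_subscribe(cert_cn, sub, acl=ACL):
    """cert_cn is None when the client presented no valid certificate."""
    if cert_cn is None:
        return False
    return any(filter_covered(sub, grant) for grant in acl.get(cert_cn, []))

if __name__ == "__main__":
    for who, flt in [(None, "#"), ("gateway-01", "#"), ("gateway-01", "factory/line1/s7/temperature")]:
        print(who, flt, "ALLOW" if authorize_subscribe(who, flt) else "DENY")
```

Checking coverage of the filter itself, rather than matching individual topics at publish time, is what rejects `#` and `factory/+/s7/temperature` up front for a client that was only granted one production line.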
Secure Your Connected Future
From consumer gadgets to critical industrial sensors, we find the flaws before the bad guys do.

Where Devices Break
IoT security is multidimensional. We attack the device, the data it transmits, and the cloud it talks to.
Hardware Interfaces
Exploiting exposed UART, JTAG, and SWD ports to dump firmware or gain root shells.
An attacker connects to exposed UART pads on the PCB, interrupts the boot process, and modifies kernel arguments to boot into a root shell.
Physically disable debug ports in production, use epoxy potting, and implement secure boot.
Firmware Analysis
Reverse engineering binaries to find hardcoded credentials, encryption keys, and logic flaws.
Extracting the filesystem from a flash dump reveals a hardcoded 'admin:admin' account and a private SSH key used across all devices.
Encrypt firmware at rest, sign updates cryptographically, and use unique per-device credentials.
Radio Protocols
Intercepting and jamming BLE, Zigbee, LoRaWAN, and proprietary RF communications.
Capturing a BLE pairing handshake and cracking the weak PIN offline to spoof a legitimate user and unlock a smart lock.
Implement robust encryption (AES-128/256), use rolling codes to prevent replay attacks, and enforce strong pairing methods.
Cloud APIs
Testing the backend infrastructure that controls devices for IDOR, injection, and auth bypass.
Manipulating the device ID in an API request allows an attacker to view the video feed of a stranger's security camera.
Enforce strict authorization checks (IDOR prevention), validate all inputs, and implement rate limiting.
Many IoT vulnerabilities originate in the cloud API layer. Ensure your backend infrastructure is as secure as your hardware.
Review Cloud Security Services
Deconstructing The Code
We extract and analyze firmware to identify hardcoded credentials, insecure encryption keys, and logic flaws that automated scanners miss. Our process involves unpacking filesystems, decompiling binaries, and analyzing bootloaders.
Hardcoded Secrets
Finding AWS keys, API tokens, and admin passwords embedded in the binary.
Insecure Bootloaders
Bypassing secure boot to load malicious firmware or gain persistence.
Logic Flaws
Identifying buffer overflows and command injection vulnerabilities in custom services.
Tools of the Trade
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             TRX firmware header, little endian, image size: 3788800 bytes, CRC32: 0x45C2C67A
28            0x1C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 5498880 bytes
2112          0x840           Squashfs filesystem, little endian, version 4.0, compression:xz, size: 9823122 bytes, 1284 inodes, blocksize: 131072 bytes
> Extracting filesystem... OK
> Searching for private keys... FOUND (id_rsa)
> Analyzing /etc/shadow... FOUND (root hash)
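The same checks can run as a release gate on your own build output. The following is an added example, not RadiumFox tooling: it walks an unpacked root filesystem and reports private keys, AWS access key IDs and usable password hashes in `etc/shadow`. The sample tree, file names and values are constructed, and the 1 MiB read limit is an assumption.

```python
# Added example: pre-release audit of an unpacked firmware root filesystem.
import os, re, tempfile

PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
AWS_KEY_ID = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")

def scan_rootfs(root):
    """Return sorted (relative_path, finding) pairs for secrets baked into the image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                      # never follow links out of the image
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)       # assumed limit: text secrets sit early in a file
            if PEM_KEY.search(data):
                findings.append((rel, "private key"))
            if AWS_KEY_ID.search(data):
                findings.append((rel, "AWS access key id"))
            if rel == "etc/shadow":
                for line in data.decode("utf-8", "replace").splitlines():
                    fields = line.split(":")
                    # '*' or '!' marks a locked account; anything else is a usable hash
                    if len(fields) > 1 and fields[1][:1] not in ("", "*", "!"):
                        findings.append((rel, "password hash for '%s'" % fields[0]))
    return sorted(findings)

def build_sample_rootfs(root):
    """Constructed sample tree standing in for an extracted Squashfs image."""
    samples = {
        "etc/shadow": "root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
                      "daemon:*:19000:0:99999:7:::\n",
        "root/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n",
        "etc/cloud.conf": "access_key=AKIAIOSFODNN7EXAMPLE\n",
        "etc/hostname": "gateway\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

def audit_sample():
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        return scan_rootfs(root)

if __name__ == "__main__":
    for rel, finding in audit_sample():
        print("%s: %s" % (rel, finding))
```

A non-empty result should fail the build: every unit flashed from that image would ship the same key or password.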
Protocol Fuzzing
We don't just listen; we speak. Our custom fuzzers inject malformed packets into BLE, Zigbee, and proprietary RF streams to crash stacks and bypass authentication.
Bluetooth Low Energy (BLE)
We fuzz GATT services and characteristics to find buffer overflows in the stack or logic flaws in the pairing process.
Zigbee / Z-Wave
Injecting malformed frames into the mesh network to cause denial of service or replay captured commands to control devices.
MQTT / CoAP
Testing the messaging layer for topic wildcard injection, payload manipulation, and authentication bypasses.
Proprietary RF
Reverse engineering Sub-GHz protocols (433/915 MHz) to decode signals and create custom transmitters.
Fuzzing Methodology
We employ both generation-based fuzzing (creating packets from scratch based on the spec) and mutation-based fuzzing (flipping bits in captured valid packets) to maximize code coverage of the target's network stack.
Security is Cheaper than a Recall
In IoT, you can't just "patch it later" if the device is bricked or physically inaccessible. A security flaw discovered after shipping can destroy product margins and brand equity.
The RadiumFox Advantage
Pre-Market Validation
Identify critical flaws before mass production, avoiding costly hardware revisions.
Reduced Liability
Demonstrate due diligence with comprehensive third-party testing reports.
Faster Time-to-Market
Integrate security early to prevent last-minute blockers that delay launch.
Full Lifecycle Protection
Security isn't a feature you add at the end. We integrate with your engineering team from prototype to production.
Design Review
Threat modeling and architecture review before a single line of code is written.
Secure Coding
Static analysis (SAST) and firmware hardening during the development phase.
Pre-Ship Testing
Physical penetration testing and FCC compliance checks before mass production.
Post-Market
Vulnerability disclosure programs (VDP) and OTA update security verification.
Global Compliance Ready
Navigating the fragmented landscape of IoT regulations can be daunting. Our assessments are mapped to the specific standards that matter to your market.
ETSI EN 303 645
The global standard for consumer IoT security, covering default passwords, vulnerability disclosure, and secure updates.
NIST IR 8259
Foundational cybersecurity activities for IoT device manufacturers, required for US federal procurement.
ISO/SAE 21434
Automotive cybersecurity engineering standard, essential for connected vehicles and ECUs.
FDA Premarket
Cybersecurity guidance for medical devices (IoMT), ensuring patient safety and data privacy.
Why RadiumFox?
We don't just run automated scans. We desolder chips, dump flash memory, and reverse engineer proprietary protocols in our state-of-the-art hardware lab.
Hardware Lab
Equipped with logic analyzers, oscilloscopes, and BGA rework stations to attack the physical layer.
Custom Tooling
We build custom fuzzer harnesses and breakout boards for proprietary interfaces that standard tools can't touch.
Zero-Day Research
Our team regularly publishes CVEs and presents at conferences like DEF CON and Black Hat.
IoT Security FAQ
Answers to your questions about hardware hacking, firmware analysis, and compliance.
Join Us. Cut Costs.
Focus on What Matters.
Unlock high-impact penetration testing that drives real security gains. Led by experts, tailored for results, and designed to stay budget-friendly.
Submit Info
Share your environment, scope, or compliance needs via our quick form.
Senior Review
A lead RadiumFox engineer reviews and tailors your assessment—no junior handoffs.
Optional Scoping Call
We'll clarify priorities and technical details if needed.
Clear Quote
Expect a fixed-cost proposal—no hidden fees or fluff.
Fast Kickoff
Once approved, most projects launch within 5–7 business days with full support.