When I was preparing my talk for TROOPERS I noticed that there aren't a lot of ressources on penetration testing for IoT devices that's why I wrote this short todo list in the speaker’s lounge. Use it as a checklist. ;-)

1. Check what services are running on the device, nmap it! Enumerate the attack surface!
   • Is a ssh/telnet server running? Get a list of common user names & passwords, bruteforce it!
   • Does it use Bluetooth? Intercept the traffic!
2. How's the session management working? Is basic access authentication used? Are you able to bypass it?
3. Does the device use weak default credentials? Does it use rate limiting?
4. What web server is used? GoAhead?
5. Check for common web vulnerabilities (e.g. command injections, local/remote file inclusions, XSS, CSRF, path traversal).
   • Testing for Command Injection
6. Is there an auto-update feature? If so, play man-in-the-middle!
   • Prepare an unsigned malicious firmware and try to update it.
7. Look at the firmware, binwalk it!
   • binwalk - Quick Start Guide
   • Look for juicy files e.g. private keys, cleartext passwords, password hashes etc.
   • Basic access authentication? Search for .htpasswd files. Backdoor accounts are more common than you might think!