LNE
Cart
0 item
Search
Information request
Obtain a quote
  • Partager sur Twitter
  • Partager sur LinkedIn
Back
  1. Home
  2. Testing
  3. Cybersecurity: audits and intrusion tests on embedded products

Cybersecurity: audits and intrusion tests on embedded products

To ensure the security and robustness of your embedded products, LNE, an independent organisation and experienced testing laboratory in the industrial sector, evaluates their compliance, qualifies their overall performance, and assists you in securing both hardware and software components.

Why carry out tests of cybersecurity of on-board products?

The rise of remote-controlled equipment and the proliferation of IoT (Internet of Things) devices increase cybersecurity risks, affecting domestic appliances, medical devices, and industrial products alike.

Technological innovations compel manufacturers to integrate radio communication modules into all their products, making embedded systems increasingly vulnerable to remote attacks, often without proper control over these vulnerabilities.

Pictogramme-cadenas

To counter cyber threats and secure your product’s design effectively, it is essential to identify potential security flaws early in development through a documentation audit and penetration testing. These processes allow for the identification and remediation of security vulnerabilities, as well as the evaluation of necessary improvements at the application and structural levels (algorithms, software, connectors, electronic components, etc.). The ultimate goal is to ensure the product’s resilience and security robustness.

What is an penetration test on an embedded product?

A penetration test is a security assessment where an evaluator simulates a real attack on the product, using the same tools and techniques employed by hackers. This process goes beyond merely identifying known vulnerabilities; it also uncovers previously unidentified security weaknesses in applications, systems, products, or networks.

Penetration testing is also known as pentesting, security auditing, ethical hacking, or cybersecurity testing.

Penetration tests on embedded products focus on specific technologies, such as IoT smart devices, medical devices, industrial controllers, electronic equipment, autonomous vehicles, etc. These tests cover both the product itself (hardware and software) and its application environment.

illustration-pentests-areas-EN

They enable:

  • Assessment of the effectiveness of security mechanisms and their management against threats such as:
    • Breach of sensitive information confidentiality
    • Violation of stored or transmitted data integrity and information theft
    • Logical attacks (viruses, trojans, etc.) through the installation of malicious programs affecting compromised systems
    • Exploitation of weak protections to infiltrate other machines within the IT system
  • Identification of embedded system security challenges against both physical and software attacks
  • Evaluation of corrective actions (e.g., strengthening user access, restricting updates, encryption, compromise alerts, etc.)
  • Definition and identification of the appropriate security level for certification
  • A comprehensive security approach, from the electronic board to the overall system

Why perform penetration tests?

Systems are vulnerable to hardware and software attacks, and intrusion tests call into question applications executed as well as the data manipulated by the embedded systems. Thanks to these tests, it then becomes possible to measure the security levels of systems, both on an application and structural level.

The intrusion tests are the main techniques used for identify and correct the flaws of Cybersecurity which are often unknown and complex. The main objective is to ensure the strength and robustness of the integrated components to any type of intrusion to avoid any compromise of the product.

 The pentests make it possible to achieve the following objectives :

  • Evaluate the effectiveness of protection systems and their administration against threats such as :
    • Reach to the confidentiality of sensitive information,
    • Reach the integrity of the data stored or exchanged, theft of information,
    • Logical attacks ( Viruses, Trojan horses, etc.) via the installation of programs to act on compromised systems, exploiting the lack of protection in order to bounce back on other machines in the Information System.
  • Identify the security issues of embedded systems with regard to physical and software attacks.
  • Evaluate the corrective actions to be taken (strengthening access to users, restricting update, encryption, compromise alert, etc.).
  • Define and identify the appropriate level of security for certification.
  • Have a global approach to security of the electronic card up to the system as a whole.

How to identify security vulnerabilities in my product?

Our penetration testers and cybersecurity experts adopt a structured approach to identify, characterise, and assess cybersecurity vulnerabilities.

The first step involves analysing possible entry points on the product and developing threat scenarios. The second step entails testing the product’s robustness by executing tests based on these scenarios.

The initial level of analysis can be conducted through a security verification audit of systems and/or applications, simulating attacks, performing code analysis, or auditing equipment configurations. This process involves risk assessment through a structured methodology that includes risk source mapping, attack pathways and severity estimation, operational modalities, and risk mitigation strategies. The analysis helps model attack scenarios for identified threats.

The product can be examined, audited, and tested with or without prior knowledge of its design and electronic architecture (black box, grey-box, or white-box testing).

The duration and complexity of the study are proportional to the amount of shared information and the product’s usage environment.

To demonstrate risks, this audit can be supplemented by more or less in-depth penetration tests as required:

  • Communication analysis between modules
  • Hardware security analysis
  • Software security analysis

#At the end of the tests, the client receives a report detailing the identified vulnerabilities along with corrective recommendations.

 

Schematic-presentation-of-the-methodology
Schematic representation of the intrusion test methodology

What regulations apply to my product?

To address security requirements and support your product’s compliance, LNE’s services align with various applicable regulations specific to your industry.

Our cybersecurity experts integrate the most common vulnerabilities listed in the OWASP standard to identify security flaws specific to each smart device.

Depending on your product’s application domain, we ensure compliance with relevant regulations, including

  • All industries: European regulations such as the AI Act and the Cyber Resilience Act (CRA)
  • Pictogramme-antenne

    Radio equipment: RED Directive 2014/53/EU and standard EN 18031. LNE is a notified cybersecurity body assessing compliance with essential RED Directive requirements (issuance of EU Type Examination Certificates)

  • Pictogramme-coeur

    Medical devices: MDR (Medical Device Regulation) or FDA (Food and Drug Administration), considering standards such as EN 14971, IEC/EN 62304, EN 13485, EN 62366, IEC 60601 series, UL2900, etc.

  • Pictogramme-robot

    Industrial equipment (including medical): IEC 62443 series standards with CB Scheme CYBR certification for companies seeking international market entry

  • Pictogramme-telephone
    Pictogramme-ordinateur

     IoT and consumer goods: ETSI EN 303 645 standard with CB Scheme CYBR certification if require

 

Our teams continuously monitor cybersecurity regulation developments to provide full support based on your industry’s needs.

Do you have a project or a question ?

Would you like some support ?

Tell us about your needs

Complementary Services

Product cybersecurity certification

#Did you know? The international CB Scheme CYBR certification grants access to over 50 markets through a single test campaign.

 

Thanks to its partnership with LEXFO, LNE provides CB Scheme CYBR certification, based on cybersecurity standards such as IEC 62443 and ETSI 303 645, covering IoT, domestic equipment, medical devices, industrial controllers, and electronic equipment:

  • IEC 62443-3-3: Security requirements for systems and security levels
  • IEC 62443-4-1: Risk management and security policy requirements
  • IEC 62443-4-2: Technical security measures for systems
  • ETSI EN 303 645: Cybersecurity for consumer IoT devices

Evaluations can cover hardware security (e.g., electronic components), software security, and communication between modules (connectors, communication modules, etc.).

>> Discover the CB Scheme

 

Radio frequency testing under the RED Directive

In addition to cybersecurity analysis, ensure the reliability and compliance of your chipsets, antennas, and radio communication modules by conducting radio frequency testing under Directive RED 2014/53/EU or through an LNE technical assessment.

Tests apply to all radio equipment operating within 0–3,000 GHz, including radars, motion detectors, and broadcast receivers, featuring WiFi, Bluetooth, GSM, LTE, NB-IoT, NFC, RFID technologies, etc.

As a RED Directive notified body, LNE issues EU Type Examination Certificates attesting to your product’s radio and cyber compliance.

Environmental testing

The demonstration of the conformity of your products may require going through different types of tests: electrical safety, electromagnetic ccompatibility  , mechanical constraints ( vibration, shock, endurance, etc.), climatic constraints (accelerated aging, water, salt spray, etc.)

With a comprehensive range of environmental tests, LNE can characterise your products in their operating environment. By defining an appropriate qualification plan, we can assess performance and recommend corrective measures if necessary.

Thanks to a unique multi-disciplinary approach, these tests can be supplemented by the following methods : acoustic measurements, of optical characterizations, of reaction tests to fire and/or chemical analyses

AI System Evaluations

When your product or processes incorporate an AI algorithm, our AI evaluation experts possess specialised skills in data qualification (images, audio, video) to assess its reliability and robustness.

>> Find out more about our range of services for evaluating artificial intelligence systems

Why choose LNE

  • An independent, trusted third party
  • Unique skills in a single testing laboratory
  • Experts with in-depth knowledge of regulations and standards.

See also...

ISO 27001 certification: Information security management system
Data theft, intrusions, industrial spying, pirating, leaks, phishing, malware, etc. Many threats are capable of compromising the security of your information. Without introducing appropriate protection measures, like an Information Security ...
Read more
International certification of electrical and electronic equipment (CB Scheme or OC System)
CB Scheme certification, or the OC system (in French), is an international system of mutual acceptance among IECEE member countries for test reports and certificates concerning the safety of electrical and electronic components, equipment, and ...
Read more
Certification of processes for AI
In response to the growing number of artificial intelligence solutions, LNE has created a certification that provides users with objective criteria for making their selection, and enables developers to demonstrate that they have mastered all the ...
Read more
Logo de la Répblique française Logo du LNE
SUBSIDIARIES
SPECIALIZED WEBSITES
JOIN US
SOCIAL MEDIA