SITUATION
A market-leading Chinese-based technology company sought a third-party vendor to evaluate the U.S. Government’s concerns regarding its manufactured technology. FTI Cybersecurity was engaged to provide an assessment of two devices, identifying potential vulnerabilities and determining best practices to deter or prevent exploitation of vulnerabilities.
OUR ROLE
FTI Cybersecurity conducted an application source code review, hardware cybersecurity review, penetration testing, and vulnerability assessment of the client’s two devices, which were purchased independently through an authorized distributor.
- We conducted a source code review to achieve a clear understanding of communication protocols and destinations.
- We conducted four testing configurations for the hardware using all available functions for the device. We collected data for up to a week at a time for each device in addition to the setup, boot, and shutdown periods of the devices. We also performed a review of all schematics, documentation, conventions, communications protocols, integrated circuits, and input/output connectors.
- We conducted penetration testing and vulnerability assessments focused on the web application component and network communications of the devices and mobile application.
OUR IMPACT
We provided the client with a thorough cybersecurity technology assessment report, documenting all findings, configuration errors, and improvement recommendations as a result of our source code review, hardware review, penetration testing, and vulnerability assessment. We helped the client’s developers identify two separate errors in geographical configuration files that caused unintended operational communications to servers based in China rather than the appropriate servers located in the United States.
In addition to our technology assessment report, we provided the client with a document that provides a review of the various user configurations and the associated protections, cybersecurity best practices, and end-user defenses for each device.
The reports were used to inform the client’s response to the U.S. Government.