Akto for IoT / OT

What middleBrick covers

  • Black-box scanning with no agents or code access.
  • Detection of authentication bypass and JWT misconfigurations.
  • BOLA and BFLA checks for privilege escalation paths.
  • Input validation focusing on CORS and dangerous methods.
  • LLM security probes across multiple scan tiers.
  • OpenAPI 3.0 and Swagger 2.0 parsing with $ref resolution.

API Security Posture for IoT and OT Ecosystems

IoT and OT environments expose management, telemetry, and control APIs that were not designed for public exposure. These surfaces often lack authentication, use weak identifiers, and return detailed error messages that reveal device models and firmware versions. The scanner evaluates these APIs using black-box techniques, focusing on HTTP and HTTPS interactions without requiring code access or agents.

Coverage of Standards and Frameworks

Findings map to OWASP API Top 10 (2023), align with security controls described in SOC 2 Type II, and validate controls from PCI-DSS 4.0. For other frameworks, the tool helps you prepare for audit evidence related to access control, encryption, and input validation. It surfaces findings relevant to protocols common in constrained IoT environments, such as CoAP over HTTP gateways, device provisioning APIs, and legacy management interfaces.

Authentication and Authorization Testing

Authentication checks probe for JWT misconfigurations, missing or weak tokens, and inconsistent validation across endpoints. Authorization checks look for BOLA and BFLA patterns by probing sequential identifiers and privilege paths. The scanner supports authenticated scans with Bearer tokens, API keys, Basic auth, and cookies, gated by domain verification to ensure credentials are only tested against environments you own.

  • Bearer token validation and scope inspection.
  • JWT alg=none and key confusion testing.
  • Role and permission field enumeration.
  • Header allowlist limiting forwarded credentials.
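The server-side validation that these authentication checks are looking for, as an added example rather than middleBrick or Akto code: a standard-library HS256 verifier that fixes the algorithm on the server side (so a token whose header says alg=none or names a different algorithm is rejected before any signature work), compares signatures in constant time, and requires an exp claim. The secret, the claims and the token fixtures in run_checks() are constructed for the demo.

```python
"""JWT verification hardened against alg=none acceptance and key confusion.
Added example (not middleBrick/Akto code); stdlib only, HS256, constructed key."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"   # constructed placeholder, not a real key
SERVER_ALG = "HS256"                  # configured on the server, never read from the token


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way the server does: fixed HS256 header, HMAC-SHA256 signature."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the payload of a valid token; raise ValueError for anything else."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError as exc:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    # alg=none / key-confusion defence: the algorithm is a server decision, so a
    # header naming anything else ('none', 'RS256', ...) is rejected before any
    # cryptographic work, even if its signature would otherwise "verify".
    if header.get("alg") != SERVER_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        raise ValueError("signature mismatch")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("missing or expired exp")
    return payload


def run_checks(key: bytes = SECRET, now: float = 1_700_000_000) -> dict:
    """Exercise verify() against the cases a scanner probes; each value is True
    when the verifier behaved as it should (accepted the good token, rejected the rest)."""
    claims = {"sub": "device-12345", "role": "viewer", "exp": 2_000_000_000}
    good = sign_hs256(claims, key)
    h, p, s = good.split(".")
    tampered = h + "." + _segment({**claims, "role": "admin"}) + "." + s   # body changed, old sig
    alg_none = _segment({"alg": "none", "typ": "JWT"}) + "." + p + "."       # unsigned
    wrong_alg = _segment({"alg": "RS256", "typ": "JWT"}) + "." + p + "." + s  # alg header swapped
    expired = sign_hs256({**claims, "exp": now - 1}, key)

    def rejected(tok: str) -> bool:
        try:
            verify(tok, key, now)
            return False
        except ValueError:
            return True

    return {
        "valid_accepted": verify(good, key, now)["sub"] == "device-12345",
        "tampered_rejected": rejected(tampered),
        "alg_none_rejected": rejected(alg_none),
        "wrong_alg_rejected": rejected(wrong_alg),
        "expired_rejected": rejected(expired),
        "garbage_rejected": rejected("not.a.jwt") and rejected(""),
    }


if __name__ == "__main__":
    for case, ok in run_checks().items():
        print(f"{case:20s} {'ok' if ok else 'FAIL'}")
```

The point of pinning SERVER_ALG is that the header is attacker-controlled input; a verifier that dispatches on it is exactly what the alg=none and key-confusion probes detect. A real deployment would also check iss and aud and load the key from a secret store.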

IoT-Specific Risks and Data Exposure

IoT APIs frequently expose sensitive device data, firmware metadata, and operational telemetry. The scanner detects PII patterns such as email addresses and context-aware SSNs, alongside API key formats used in device management platforms (AWS, Stripe, GitHub, Slack). It also identifies dangerous HTTP methods, CORS wildcard configurations without credentials, and error or stack-trace leakage that can aid reconnaissance in constrained networks. The request below is the kind of authenticated device lookup these checks exercise:

GET /api/v1/devices/12345 HTTP/1.1
Host: manage.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
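To make the passive response checks above concrete, here is an added example (not middleBrick or Akto code) that inspects HTTP responses for the conditions this section names: a wildcard CORS origin with and without credentials, dangerous methods advertised in Allow headers, a version-bearing Server header, a stack trace in the body, and email addresses. The two sample responses, the DANGEROUS_METHODS set and the regular expressions are constructed assumptions of the example.

```python
"""Passive response analysis for CORS, dangerous methods, version and PII leakage.
Added example (not middleBrick/Akto code); sample responses are constructed."""
import re
from typing import Dict, List, Tuple

DANGEROUS_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}   # assumed set for this demo
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)"          # Python
    r"|^\s+at [\w.$<>]+\(.*?:\d+\)"                 # Java / .NET style frames
    r"|^\s+File \".*?\", line \d+",                 # Python frames
    re.MULTILINE,
)
VERSION_RE = re.compile(r"\d+\.\d+")

# Constructed responses: one leaky 500 from a device-management API, one clean 200.
LEAKY = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: DeviceMgmt/2.3.1\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Allow: GET, POST, PUT, DELETE, TRACE\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Traceback (most recent call last):\n"
    '  File "/srv/app/devices.py", line 88, in lookup\n'
    "KeyError: 'owner'\n"
    "contact: ops-team@example.com\n"
)
CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: gateway\r\n"
    "Access-Control-Allow-Origin: https://console.example.com\r\n"
    "Vary: Origin\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"id": 12345, "status": "online"}\n'
)


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into status code, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def analyse(raw: str) -> List[Tuple[str, str]]:
    """Return (severity, description) findings for one response."""
    status, h, body = parse_response(raw)
    findings: List[Tuple[str, str]] = []

    # CORS: '*' plus credentials is the serious case; '*' alone is reported at low severity
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and acac:
        findings.append(("high", "CORS wildcard origin combined with credentials"))
    elif acao == "*":
        findings.append(("low", "CORS wildcard origin (no credentials)"))

    # Dangerous methods advertised in Allow or preflight headers
    methods = set()
    for name in ("allow", "access-control-allow-methods"):
        methods |= {m.strip().upper() for m in h.get(name, "").split(",") if m.strip()}
    risky = sorted(methods & DANGEROUS_METHODS)
    if risky:
        findings.append(("medium", f"dangerous methods advertised: {', '.join(risky)}"))

    # Version strings in identifying headers (device model / firmware disclosure)
    for name in ("server", "x-powered-by"):
        if name in h and VERSION_RE.search(h[name]):
            findings.append(("low", f"version disclosure in {name}: {h[name]}"))

    # Stack traces and PII in the body
    if STACK_TRACE_RE.search(body):
        findings.append(("medium", f"stack trace in {status} response body"))
    emails = sorted(set(EMAIL_RE.findall(body)))
    if emails:
        findings.append(("medium", f"PII (email) in response body: {len(emails)} address(es)"))
    return findings


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, analyse(raw))
```

Everything here is derived from a response the API already sent, which is what makes these checks non-intrusive; the same parser can be fed captured responses from a proxy log rather than the constructed strings.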

Limitations and Complementary Testing

The scanner does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. It does not detect business logic vulnerabilities that demand domain understanding, nor does it perform blind SSRF or replace a human pentester for high-stakes audits. Use it as an early indicator of misconfigurations and a source of remediation guidance, not as a comprehensive security certification.

Frequently Asked Questions

Can the scanner test APIs behind device gateways that require mutual TLS?
The scanner does not support client certificate authentication. It focuses on bearer tokens, API keys, Basic auth, and cookies delivered over HTTPS.
Does the scanner validate compliance with HIPAA or GDPR?
It aligns with security controls described in SOC 2 Type II and helps you prepare for audit evidence relevant to data exposure and encryption checks. It does not certify compliance with HIPAA, GDPR, or other regulations.
How are IoT device identifiers handled during scans?
Sequential ID enumeration and adjacent-ID probing are tested using generic numeric patterns. No device-specific data is stored beyond scan results you provide.
Can the scanner integrate into CI/CD for IoT backend pipelines?
Yes, via the CLI and GitHub Action. The action fails the build when the score drops below your configured threshold, enabling automated gatekeeping for API changes.