
Digital Product Assurance - DPA

Digital Product Assurance (DPA) goes far beyond compliance and claims-based testing by subjecting digital products to aggressive, real-world attacks.

Identify and understand security flaws in your digital product before somebody else does.

We have the skills and equipment to deconstruct most types of hardware and software, combined with a deep knowledge of security testing that allows us to identify flaws and weaknesses in products. Our DPA assessments range from brief, focused tests through to comprehensive security assessments of products during design, pre-production and post-production. If you depend on products that your organisation is developing, purchasing or already has in service, consider subjecting them to DPA testing to understand your exposure and, more importantly, how to reduce it and avoid reputational and financial damage.

In general DPA assessments will be conducted against either hardware, software or, in many cases, hybrid solutions consisting of both hardware and software components.

Hardware Products

We will generally assess hardware from a number of perspectives, in many cases starting by simulating an attacker with physical access to the product. Initially the focus of testing will be concerned with access to management ports, debugging headers and other externally presented interfaces. This is followed by analysis of internal elements such as the printed circuit boards including analysis of storage devices and ICs, extraction of program code and analysis of inter-IC buses such as I2C and SPI.

Radio interfaces, where relevant, may be both passively and actively tested and evaluated for security using proprietary DA testing tools coupled with advanced SDR (Software Defined Radio) units. We are able to intercept and inject into most radio links, and where this is not possible due to complex, proprietary modulation techniques or very high symbol rates, we can generally assess the link at the PCB/IC layer by tapping and injecting into processor or inter-IC buses directly.

In some cases the testing is focused on far more specific scenarios such as ensuring that a hardware product can only run an authorised OS/programs, or that the radio link between device A and device B is protected from eavesdropping.

Software Products

Our software product assurance services closely follow our standard penetration testing methodologies, with the major difference being that the software product will generally be deployed directly onto our virtualised infrastructure, which enables us to aggressively and thoroughly test the product without any risk of disruption. We can work closely with suppliers of software products to ensure that any installation onto our test-bed systems accurately reflects the intended deployment model. Testing software in this way generally permits far more comprehensive assessments than can be undertaken in customer production or pre-production environments.

Features and Benefits

Expertise - Digital Assurance possess the skills, expertise and advanced hardware hacking equipment to completely deconstruct electronic and radio systems and expose vulnerabilities before the attackers, hackers and crackers do.

Tailored - Each DPA assessment is tailored to the product, the technology and the expected deployment environment. Typical assessments will take a few days; however, this is dependent on the complexity of the product and the nature and extent of the risks the product may present.

Adaptability - DPA can be applied to almost any type of hardware or software product. Furthermore, products can be assessed as stand-alone components or once integrated into a wider system. Some examples of products assessed include:

  • Access control systems and components
  • IP cameras and CCTV systems
  • Mobile phones and cordless phones
  • Set-top digital TV units and smart TVs
  • Games consoles
  • Intruder and fire alarm systems
  • SaaS offerings
  • Radio communications systems (voice & data)
  • Cashless vending systems
  • MFD printers
  • ANPR and traffic management equipment
  • Process control field equipment (buildings automation and SCADA equipment)

Relevance - We work with your organisation to understand the business impact of product compromise and which security aspects are the most critical. For example, a radio modem deployed with a track-side railway signalling unit presents significant risk if integrity or availability is compromised, whereas with a cordless phone, confidentiality and integrity are likely to be the key aspects to consider.

Independence - We have no partnerships or allegiances with any manufacturers or suppliers and will assess products in a completely impartial and independent manner. We can work with OEMs and manufacturers in undertaking assessments or can work without their assistance using advanced reverse engineering techniques.

Ease - We can conduct assessments either off-site at our facilities, with suppliers/manufacturers or on-site at your organisation depending on your requirements. Simply ensure we have access to one or more samples of the product and leave the complicated part to us.

Comprehensive risks - You receive a detailed set of findings describing the nature of identified weaknesses and vulnerabilities, alongside recommendations for mitigating the risks through product enhancements, the utilisation of particular configurations or external controls such as secure containment, depending on the environment.