circle-check
MFC releases update of Didge android app. Get your update on
Google Playarrow-up-right
search
Book a meetingGo to websiteLogin to Didge

Internal Pentest

hashtag
Penetration Testing Report – MultiTech Conduit AP Gateway (MTCAP)

Device Tested: MultiTech Conduit AP LoRaWAN Gateway – SIM-Enabled Model (MTCDT Series)

Test Date: 22/10/2024

Tested By: MFC Safe

hashtag
Executive Summary

This report summarizes the results of penetration testing performed on the MultiTech MTCAP gateway. The evaluation focused on physical security, network access control, firmware protection, authentication, and LoRaWAN data handling. The device was found to exhibit a strong security posture with minor medium-risk concerns around physical port access and password policy enforcement.

Test Category
Result Summary
Risk Level

Physical Port Access

USB/serial interfaces exposed

Low

Firmware Protection

Verified firmware signing/encryption

Low

Web Interface Security

Login required, CSRF patches applied

Low

Network Exposure

Port filtering and firewall effective

Low

Authentication & Access

Credentials enforced, weak policy

Low

OTA Updates

Encrypted OTA supported

Low

LoRaWAN Packet Handling

AES-128 encryption, packet integrity OK

Low

CVE Assessment

No exploitable known CVEs found

Low

hashtag
Test Details & Findings

hashtag
1. Physical Port Security

  • Finding: Serial and USB debug ports exposed.

  • Impact: Allows local tampering or data interception.

  • Recommendation: Restricted physical access, Disable or seal ports in production.

  • Risk: Low

hashtag
2. Firmware Security

  • Finding: Firmware requires signature validation to install.

  • Result: No bypass vulnerabilities discovered.

  • Risk: Low

hashtag
3. Web Admin Panel

  • Finding: Login page protected with HTTPS; CSRF mitigated.

  • Result: Login brute-force protection limited.

  • Recommendation: Enforce stronger password policies.

  • Risk: Low–Medium

hashtag
4. Network Exposure & Firewall

  • Finding: Default services limited to SSH and HTTPS.

  • Result: Open port scan revealed no exposed insecure services.

  • Risk: Low

hashtag
5. Authentication and Credential Storage

  • Finding: Restricted physical access, password hashing in place, but minimum complexity requirements not enforced by default.

  • Risk: Low

hashtag
6. OTA Update Mechanism

  • Finding: OTA updates over HTTPS with signature validation.

  • Risk: Low

hashtag
7. LoRaWAN Data Handling

  • Finding: End-to-end AES-128 encryption supported and validated.

  • Risk: Low

hashtag
8. Vulnerability Assessment

  • Finding: Checked against recent CVEs; no known issues affecting this model.

  • Risk: Low

hashtag
Recommendations

  • Harden physical device access in deployment locations.

  • Enforce password rotation and complexity standards.

  • Update firmware regularly in line with MultiTech advisories.

hashtag
Conclusion

The MultiTech Conduit AP Gateway demonstrates solid performance in all assessed security domains. The primary concerns are physical and password-related, which are manageable with appropriate deployment controls. This device is fit for use in regulated and secure environments.

This document is prepared for internal security review and/or client assurance reporting.

PreviousCertificationsNextDragino Sensors

Last updated

Was this helpful?