The Internet of Things (IoT) is a network of objects (electronic or not) that are not traditional computers, but are connected to the wider Internet using embedded electronic components. IoT devices can be everything from networked home automation systems to ICSs that have external connectivity to the wider world, and many more "things" in between.
IoT devices are notorious for their poor security, and several major exploits have been seen in the wild. For example, the Mirai bot malware spread to thousands of IoT devices like IP cameras and baby monitors that still had their default credentials set. These infected devices formed a large botnet that triggered several high-profile DoS attacks, including taking down name servers operated by Dyn, a DNS provider for Amazon, Twitter, GitHub, and many more domains.
While a botnet might be beyond your pen test scope and abilities, there are many vulnerabilities in IoT products that you can leverage in exploitation. Many of these involve taking control of the device by inputting default credentials. In many cases, the manufacturer has hard-coded these credentials and made them very difficult or impossible to remove. You should research the default credentials for each IoT product you target during the pen test.
Some example vulnerabilities that don't involve default credentials include:
- Buffer overflow against Snapdragon Automobile and IoT devices (CVE-2017-14910).
- SQL injection against Faleemi FSC-880 wireless IP cameras (CVE-2017-14743).
- SYN flood against iSmartAlarm home security devices, enabling DoS (CVE-2017-7730).
- Privilege escalation against Summer Baby Zoom Wifi Monitor & Internet Viewing System (CVE-2015-2889).