
Every penetration testing engagement starts with a scope document. Network ranges, application URLs, cloud accounts, these get listed, agreed upon, and tested. What rarely appears on that list are the devices mounted inside a mining shaft control room in Limpopo, installed behind a retail counter in a Johannesburg branch, or sitting in a government field office in the Eastern Cape. Those devices run firmware that can be extracted, carry BIOS configurations that can be compromised, and expose physical ports that grant direct hardware access in minutes. South African organisations operating distributed infrastructure face a hardware attack surface that standard pentesting has never examined.
Most penetration testing services engagements begin with a scoping conversation: IP ranges, URLs, cloud environments. Physical devices at site or branch level are rarely included because clients assume network-layer testing covers them, or because no one in the room has raised hardware as a threat vector. A device not listed in the scope document will not be tested. If that device handles personal data, stores credentials, or connects to a regulated network segment, that omission is material. Vulnerability assessment and penetration testing programmes that exclude physical hardware carry compliance exposure they may not recognise until after an incident.
The tools required to extract a firmware image or read an SPI flash chip were once specialist equipment found in research labs. That barrier has largely gone. Bus Pirate devices, JTAG debuggers, and SPI flash programmers are commercially available, inexpensive, and well-documented in attacker communities. An attacker with brief, unsupervised access to a device can extract its firmware, analyse it offline, and identify hardcoded credentials, encryption keys, or known-vulnerable software versions embedded in the chip.
BIOS-level rootkits present a more persistent threat. They survive operating system reinstalls and evade most endpoint security controls, leaving a compromised device functionally compromised indefinitely without any network-layer signal to alert a SOC team.
Mining operations, retail chains, and government departments share a structural problem: devices deployed in locations where consistent physical supervision is not practical. Mining sites run industrial control systems and monitoring hardware in remote shaft environments, where an attacker with legitimate site access faces limited resistance at device level.
Retail branches leave point-of-sale terminals, kiosks, and payment devices unmonitored after hours across hundreds of locations. Government field offices maintain workstations and biometric enrollment devices across wide geographic estates, often with physical access controls that go no further than a door lock. Each of these environments presents an attacker with time and opportunity that no network perimeter prevents.
"Clients who request pentesting in South Africa almost always define scope as the network and the applications. The devices running in the branch or on the mine floor simply aren't in the conversation. When we do get access to those environments, the findings at hardware level are consistently significant, hardcoded credentials, unsigned firmware, and physical ports with no authentication requirement. The attack surface was always there; it just hadn't been looked at."
Tim Butler, COO, Magix Security
Physical penetration testing at the hardware level is distinct from standard network pentesting and from physical security assessments that test doors, access cards, and tailgating vulnerabilities. It bridges physical access with offensive cyber technique. A structured hardware assessment examines firmware integrity, confirming that BIOS and UEFI images carry valid cryptographic signatures and show no signs of modification; physical port exposure, testing whether USB, JTAG, or serial interfaces allow direct device access without authentication; and full-disk encryption validation, confirming that data cannot be recovered from an extracted storage drive.
Boot order hardening, BIOS password controls, and device tamper detection indicators complete the scope. For retail environments, PCI DSS physical security requirements for cardholder data environments come directly into play. Each finding maps to a specific control gap that a standard network pen test would never surface. The penetration test report for a hardware assessment documents exact access paths and remediation steps, the same format and standard as any other assessment output.
Physical device testing should extend your existing penetration testing programme, not sit outside it. Start with a hardware asset review across distributed locations: identify which devices handle regulated data or connect to sensitive network segments, then map those against your current scope declarations. What isn't on the list is your blind spot. POPIA Section 19 requires organisations to implement appropriate physical security measures for personal information, a firmware compromise on a device processing that data is a direct Section 19 exposure with notification obligations under Section 22.
Findings from a hardware assessment feed directly into your vulnerability management programme, prioritised and tracked alongside network and application findings. The methodology is the same; the attack surface is one most organisations haven't looked at yet.
If your current pentesting scope has never included device firmware, BIOS integrity, or physical port exposure at distributed sites, those gaps exist whether or not they're on your radar. Contact the Magix team to discuss adding physical device assessment to your next engagement.


