The software running on a device is no different than one running on a web server or a local PC.
You can look at all the individual components in your setup that might expose a vulnerability.
- The device (often running C or C++ code)
- The connection to the cloud (like, https or a messaging service)
- The API to the cloud (often a RESTful API)
- The software on the cloud itself
You can go through these ones by one and identify what might be wrong. As a rule of thumb, you can always try to find the spot where an outside connection is made.
Following those four steps
- Check if the code can be tempered with before an outside connection is made. If your code is compiled and makes an outside connection, try to find an alternative that you can validate.
- Check certificates, messaging protocols etc. Makes sure all connections are following safety standards.
- Make sure your API follows proper RESTful security measures.
- Validate the software in the cloud, check certificates and use something like OATH.
Last, check services like https://www.checkmarx.com/