Introduction:

The great power of the Internet of Things comes with the great responsibility of security. IoT is the hottest technology, and developments and innovations are happening at a stellar speed, but the security of IoT is yet to catch up. Since the safety and security repercussions are serious and at times life-threatening, there is no way you can afford to neglect the security of IoT products. "Hack the IoT" is a unique course that offers security professionals a comprehensive understanding of IoT technology, including firmware and hardware, and their underlying weaknesses. The extensive hands-on labs enable attendees to identify, exploit, or fix vulnerabilities in IoT, not just on emulators but also on real smart devices. The course focuses on the attack surface of current and evolving IoT technologies in various domains such as home, enterprise automation, etc. It covers, from the ground up, various embedded hardware protocols, including internals, specific attack scenarios for individual protocols, and the open-source software/hardware tools one needs to have in their IoT penetration testing arsenal. It also covers hardware attack vectors and approaches to identify the respective vulnerabilities. Throughout the course, we will use Raspberry Pi, which was created by us specifically for IoT penetration testing. We will also distribute DIVA – IoT, made in-house for hands-on exercises. The "Hack the IoT" course is aimed at security professionals who want to enhance their skills and move to/specialize in IoT security. Godspeed!

Table of Contents

  1. Hardware
    • Introduction to IoT - IoT Architecture and IoT Attack Surfaces
    • IoT Hardware Overview
    • Identifying the Attack Surfaces
    • Attacking UART - Introduction, Identifying UART, Accessing UART Lab
    • Attacking JTAG Debug port - Introduction to JTAG, Identifying the JTAG port, Firmware Extraction from the Microcontroller, Run-time patching the firmware
    • Attacking I2C Protocol - Introduction to I2C Protocol, Interfacing with I2C-based flash chips, Data extraction and patching from/to the I2C Flash chips, Sniffing the I2C communication
    • Attacking SPI Protocol - Introduction to SPI protocol, Interfacing with SPI protocol Lab, Firmware/Data extraction and patching from/to the SPI flash chips, Sniffing the SPI communication
  2. Firmware
    • Firmware module
    • Types of Firmware
    • Firmware updates
    • Firmware modification
    • Firmware encryption
    • Firmware reverse engineering
    • Static analysis
    • Emulation
    • Dynamic analysis
    • Firmware exploitation

Pre-Requisites:

  • Basic knowledge of Hardware
  • Basic Linux commands
  • Patience to learn at a snail's pace

Participants Requirements:

  • Laptop with at least 50 GB of free space (Windows or Linux)
  • 8+ GB minimum RAM (4+ GB for the VM)
  • External USB access (min. 2 USB ports)
  • Administrative privileges on the system
  • Remote access and control software – Latest VNC Viewer
  • Virtualization software – Latest VirtualBox

Duration

2 days

Who should attend:

  • Penetration testers tasked with auditing IoT Hardware or Analyzing Firmware
  • Bug hunters who want to find new bugs in IoT products
  • Government officials from defensive or offensive units
  • Red team members tasked with compromising the IoT devices
  • Embedded security enthusiasts
  • IoT Developers and testers
  • Anyone interested in IoT security

What to expect:

  • An IoT learning kit during the training for each group of 2 or 3 participants.
  • This course will give you a direction to start testing the hardware security of embedded devices
  • Analyzing the firmware
  • Getting familiar with IoT Security

What not to expect:

Becoming a hardware/IoT hacker overnight. Use the knowledge gained in the training to start pen-testing IoT devices and sharpen your skills.