๐ Awesome Connected Things Security Resources
A curated repository of IoT, Embedded, Industrial & Automotive, Core Tech security knowledge.
๐ ๏ธ Approach Methodology
| # | Focus Area | Emoji | |โ|โโโโโโโโโโโโโโโ-|โโ-| | 1 | Network Security | ๐ | | 2 | Web Protocols & APIs | ๐ | | 3 | Mobile App Security | ๐ฑ | | 4 | Wireless Protocols | ๐ก | | 5 | Firmware Security | ๐ฝ | | 6 | Hardware Attacks | ๐ ๏ธ | | 7 | Storage Security | ๐พ | | 8 | I/O Ports | ๐ |
๐งญ Table of Contents
- Approach Methodology
- Resource Index
- General Information & Community
- Learning & Training
- Technical Research, Labs & CTFs
- Books, Blogs, Cheatsheets
- Search Engines & Device Discovery
-
Exploitation Tools & Pentesting OS
๐๏ธ Resource Index
๐ Network Security
- Segmentation, Device Discovery, Sniffing, MITM
- Network Attack Tools
- IoT Network Protocols (MQTT, CoAP, etc)
๐ Web Protocols & APIs
๐ฑ Mobile Application Security
๐ก Wireless Protocols
๐ฝ Firmware Security & Reverse Engineering
- Reverse Engineering Tools
- Online Assemblers
- ARM
- Firmware Emulation & Analysis
- Firmware Samples
- Secure Boot
- Binary Analysis
๐ ๏ธ Hardware & Physical Attacks
- IoT Hardware Overview & Hacking
- Essential Hardware for IoT Pentest
- Hardware Interfaces: SPI, UART, JTAG, TPM
- Side Channel & Glitching Attacks
๐พ Storage & Data Security
๐ณ Payment/Transaction Security
๐ก๏ธ General Information & Community
- ๐ฅ Community and Discussion Platforms
- ๐ IoT and Hardware Security Trainings
- ๐ Technical Research and Hacking
- ๐ป Proof of Concepts: Known Device Vulnerabilities
- ๐ Books for IoT Penetration Testing
- ๐๏ธ Blogs for IoT Pentest
- ๐ Awesome Cheatsheets
- ๐ Search Engines for Exposed IoT Devices Worldwide
- ๐ฉ CTF: Vulnerable IoT and Hardware Applications
- ๐บ YouTube Channels for IoT Pentesting
- โ๏ธ Exploitation Tools
- ๐ฅ๏ธ IoT Pentesting OSes
- ๐ IoT Vulnerabilities Checking Guides
- ๐ฌ IoT Labs
- ๐ Awesome IoT Pentesting Guides
- ๐ Fuzzing Things
- ๐ข IoT Lab Setup Guide for Corporate/Individual
- ๐ง FlipperZero
- ๐ Villages
๐ Learning & Training
- ๐ IoT & Hardware Security Trainings
- ๐ Books for IoT Penetration Testing
- ๐๏ธ Blogs for IoT Pentest
- ๐ Awesome Cheatsheets
- ๐ Awesome IoT Pentesting Guides
- ๐บ YouTube Channels for IoT Pentesting
๐งช Technical Research, Labs & CTFs
- ๐ Technical Research and Hacking
- ๐ป Proof of Concepts: Known Device Vulnerabilities
- ๐ฉ CTF: Vulnerable IoT and Hardware Applications
- ๐ฌ IoT Labs
- ๐ข IoT Lab Setup Guide for Corporate/Individual
๐ Books, Blogs, Cheatsheets
- ๐ Books for IoT Penetration Testing
- ๐๏ธ Blogs for IoT Pentest
- ๐ Awesome Cheatsheets
- ๐ IoT Vulnerabilities Checking Guides
- ๐ Awesome IoT Pentesting Guides
๐ Search Engines & Device Discovery
โ๏ธ Exploitation Tools & Pentesting OS
Technical Research and Hacking
- Subaru Head Unit Jailbreak
- Jeep Hack
- Dropcam Hacking
- Printer Hacking Live Sessions - Gamozo Labs
- LED Light Hacking
- PS4 Jailbreak โ the current status
- Your Lenovo Watch X Is Watching You & Sharing What It Learns
- Your Smart Scale is Leaking More than Your Weight: Privacy Issues in IoT
- Besder 6024PB-XMA501 IP camera security analysis
- Smart Lock Vulnerabilities
Proof of Concepts known Device Vulnerabilities
Community and Discussion Platforms
- IoTSecurity101 Telegram
- IoTSecurity101 Reddit
- IoTSecurity101 Discord
- Hardware Hacking Telegram
- RFID Discord Group
- ICS Discord Group
IoT and Hardware Security Trainings
Books for IoT Penetration Testing
2004
- The Firmware Handbook (Embedded Technology) by Jack Ganssle
- Hardware Hacking: Have Fun while Voiding your Warranty by Joe Grand
2007
2012
2013
- Hacking the Xbox: An Introduction to Reverse Engineering by Andrew โbunnieโ Huang
- Applied Cyber Security and the Smart Grid by Eric D. Knapp & Raj Samani
2014
2015
2016
# 2017
2018
- Inside Radio: An Attack and Defense Guide by Qing Yang, Lin Huang (SDR, RF, wireless)
- Pentest Hardware (online handbook, GitHub)
- Gray Hat Hacking: The Ethical Hackerโs Handbook, 5th Edition
- Intro to Bluetooth Low Energy (Afaneh, PDF)
2019
- Binary Analysis Cookbook (see Practical Binary Analysis for a modern alternative)
- Bluetoothยฎ LE Security Study Guide*
2021
- Practical Hardware Pentesting by Jean-Georges Valle
- The Hardware Hacking Handbook by Jasper van Woudenberg & Colin OโFlynn
- Practical IoT Hacking: The Definitive Guide
- Manual PCB-RE: The Essentials by Keng Tiong
- Black Hat Python, 2nd Edition (for scripting, IoT automation)
2022
2023
- Practical Hardware Pentesting โ Second Edition
- Fuzzing Against the Machine: Automate vulnerability research with emulated IoT devices on QEMU
- Hardware Security Training, Hands-on!
- Embedded Systems Security and TrustZone
- SDR for a Secure and Prosperous Wireless Network (specialist, check publisher)
- Practical Binary Analysis by Dennis Andriesse
- Hack the Airwaves: Advanced BLE Exploitation Techniques
2024
- Microcontroller Exploits
- The Ultimate Hardware Hacking Gear Guide (GitHub)
- Security Issues in Mobile NFC Devices (Michael Roland)
2025
- Mastering Hardware Hacking: Breaking and Securing Embedded Systems
- Practical Hardware Pentesting (2nd Edition) โ Amazon.in
- Hardware Security: Challenges and Solutions
- The Definitive Handbook on Reverse Engineering Tools
- Ghidra Software Reverse-Engineering for Beginners (2nd Edition)
- IOActive E-Book: The State of Silicon Chip Hacking in 2025
Awesome CheatSheets
Search Engines for Internet-Connected Devices
YouTube Channels for IoT Pentesting
- Joe Grand
- Liveoverflow
- Binary Adventure
- EEVBlog
- Craig Smith
- iotsecurity101
- Besim ALTINOK - IoT - Hardware - Wireless
- Ghidra Ninja
- Cyber Gibbons
- Scanline
- Aaron Christophel
- Valerio Di Giampietro
Vehicle Security Resources
- https://github.com/jaredthecoder/awesome-vehicle-security
IoT Vulnerabilites Checking Guides
- Reflecting upon OWASP TOP-10 IoT Vulnerabilities
- OWASP IoT Top 10 2018 Mapping Project
- Hardware toolkits for IoT security analysis
IoT Gateway Software
IoT Pentesting OSes
- Sigint OS- LTE IMSI Catcher
- Instatn-gnuradio OS - For Radio Signals Testing
- Ubutnu Best Host Linux for IoTโs - Use LTS
- Internet of Things - Penetration Testing OS v1
- Dragon OS - DEBIAN LINUX WITH PREINSTALLED OPEN SOURCE SDR SOFTWARE
- EmbedOS - Embedded security testing virtual machine
- Skywave Linux- Software Defined Radio for Global Online Listening
- A Small, Scalable Open Source RTOS for IoT Embedded Devices
- ICS - Controlthings.io
- AttifyOS - IoT Pentest OS - by Aditya Gupta
Exploitation Tools
- Expliot - IoT Exploitation framework - by Aseemjakhar
- Routersploit (Exploitation Framework for Embedded Devices)
- IoTSecFuzz (comprehensive testing for IoT device)
- HomePwn - Swiss Army Knife for Pentesting of IoT Devices
- killerbee - Zigbee exploitation
- PRET - Printer Exploitation Toolkit
- HAL โ The Hardware Analyzer
- FwAnalyzer (Firmware Analyzer)
- ISF(Industrial Security Exploitation Framework
- PENIOT: Penetration Testing Tool for IoT
- MQTT-PWN
Reverse Engineering Tools
- IDA Pro: An interactive disassembler that provides extensive information about binary code and is widely used for static analysis.
- GDB: The GNU Project Debugger allows you to see what is going on โinsideโ another program while it executes or what another program was doing at the moment it crashed.
- Radare2: An open-source framework for reverse engineering and analyzing binaries; includes a disassembler for multiple architectures.
- Cutter: A Qt and C++ GUI for Radare2, aiming to provide a more user-friendly interface as well as additional features.
- Ghidra: A software reverse engineering suite of tools developed by NSA that includes a decompiler, assembler, disassembler, and other tools to analyze binaries.
- Binary Ninja: A reverse engineering platform that is an alternative to IDA Pro, with a focus on binary analysis for security research and reverse engineering.
- OllyDbg: An x86 debugger that emphasizes binary code analysis, which is useful for reverse engineering and finding security vulnerabilities.
- x64dbg: An open-source x64/x32 debugger for windows with a focus on plugin support and scriptability.
- Hopper: A reverse engineering tool for macOS and Linux that lets you disassemble, decompile and debug your applications.
- Immunity Debugger: A powerful debugger for analyzing malware and reverse engineering with an integrated Python scripting interface for automation.
- PEiD: A tool that detects most common packers, cryptors, and compilers for PE files and is useful for reverse engineering of malware.
Introduction
IoT Web and Message Services
MQTT
Introduction to MQTT
Security and Hacking with MQTT
- MQTT Broker Security - 101
- Hacking the IoT with MQTT
- Are Smart Homes Vulnerable to Hacking?
- Servisnet Tessa - MQTT Credentials Dump (Unauthenticated) (Metasploit)
- Eclipse Mosquitto MQTT broker 2.0.9 - โmosquittoโ Unquoted Service Path
- IoT Security: RCE in MQTT Protocol
- Penetration testing of Sesame Smart door lock
Known Vulnerabilities and CVE IDs of MQTT Protocol
- CVE-2020-13849: A vulnerability in MQTT protocol 3.1.1, allowing remote attackers to cause a denial of service. CVSS score: 7.5 (High).
- CVE-2023-3028: Involves insufficient authentication in MQTT backend, leading to potential data access and manipulation. CVSS score: 9.8 (Critical).
- CVE-2021-0229: Pertains to uncontrolled resource consumption in Juniper Networks Junos OS MQTT server. CVSS score: 5.3 (Medium).
- CVE-2019-5432: A malformed MQTT Subscribe packet can crash MQTT Brokers. CVSS score: 7.5 (High).
IoT and MQTT
- Using IoT MQTT for V2V and Connected Car
- MQTT with Hardware Development Information
- IoT Live Demo: 100,000 Connected Cars with Kubernetes, Kafka, MQTT, TensorFlow
Tools and Client Information
Tutorials and Guides
- A Guide to MQTT by Hacking a Doorbell to Send Push Notifications (Video)
- Understanding the MQTT Protocol Packet Structure
- Authenticating & Authorizing Devices Using MQTT with Auth0
Advanced Topics and Applications
MQTT Softwares
- IoXY - MQTT Intercepting Proxy
- Mosquitto - An Open Source MQTT Broker
- HiveMQ
- MQTT Explorer
- Welcome to MQTT-PWN!
Additional Resources
- WailingCrab Malware Evolves Using MQTT for Stealthier C2 Communication
- Alert: New WailingCrab Malware Loader
- MQTT on Snapcraft
CoAP
-
IETF Security Protocol Comparison (2023)
๐ Read the Draft -
EMQX on CoAP & IoT Security (2024)
๐ Read the Blog
Software Tools
- CoAP NSE (Nmap) โ CoAP discovery via Nmap
- Copper (Firefox plugin) โ Lightweight CoAP client for testing
- libcoap (CLI Tools) โ C-based CoAP library with CLI
- Scapy CoAP Plugin โ CoAP packet crafting and fuzzing
- Eclipse Californium (Java) โ Full-featured CoAP stack
- Peach Fuzzer (Commercial) โ Commercial protocol fuzzer
Hardware Tools
- Raspberry Pi / Arduino + 6LoWPAN โ Embedded lab environments
- Zolertia, OpenMote, Nordic Boards โ CoAP stacks with Contiki/RIOT OS
- RTL-SDR, Wi-Fi Sniffers โ For CoAP/UDP traffic analysis
Blogs, Research & Tutorials
- SpectralOps โ Top Protocol Security Issues
- Radware โ CoAP Protocol Overview
- Webasha โ IoT Pentest Lab Setup Guide (2025)
- Recorded Future โ CoAP Exposure Study (2024)
Books & Guides
- Practical CoAP (Apress, 2024) โ Updated with DTLS and OSCORE usage
- RFC 8613 โ OSCORE
- RFC 8323 โ CoAP over TCP
- RFC 8824 โ SCHC Header Compression
RADIO HACKER QUICK START GUIDE
- Complete course in Software Defined Radio (SDR) by Michael Ossmann
- SDR Notes - Radio IoT Protocols Overview
- Understanding Radio
- Introduction to Software Defined Radio
- Introduction Gnuradio companion
- Creating a flow graph in gunradiocompanion
- Analysing radio signals 433Mhz
- Recording specific radio signal
- Replay Attacks with raspberrypi -rpitx
Cellular Hacking GSM BTS
BTS
GSM SS7 Pentesting
- 5Ghoul - 5G NR Attacks & 5G OTA Fuzzing
- Introduction to GSM Security
- GSM Security 2
- vulnerabilities in GSM security with USRP B200
- Security Testing 4G (LTE) Networks
- Case Study of SS7/SIGTRAN Assessment
- Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP
- ss7MAPer โ A SS7 pen testing toolkit
- Introduction to SIGTRAN and SIGTRAN Licensing
- SS7 Network Architecture
- Introduction to SS7 Signaling
- Breaking LTE on Layer Two
- LTE Sniffer
Hardware Tools
NFC-RFID
Zigbee ALL Stuff
- Introduction and protocol Overview
- Hacking Zigbee Devices with Attify Zigbee Framework
- Hands-on with RZUSBstick
- ZigBee & Z-Wave Security Brief
- Hacking ZigBee Networks
- Zigator: Analyzing the Security of Zigbee-Enabled Smart Homes
- Security Analysis of Zigbee Networks with Zigator and GNU Radio
- Low-Cost ZigBee Selective Jamming
SW Tools
Hardware Tools for Zigbee
- APIMOTE IEEE 802.15.4/ZIGBEE SNIFFING HARDWARE
- RaspBee-The Raspberry Pi Zigbee gateway
- USRP SDR 2
- ATUSB IEEE 802.15.4 USB Adapter
- nRF52840-Dongle
BLE Intro and SW-HW Tools to pentest
StepByStepGuideToBLEUnderstandingAndExploiting
TrafficEngineeringInABluetoothPiconet
BLECharacteristics
Bluetooth And BLE PentestTools
-
- Bluing - An intelligence gathering tool for hacking Bluetooth
- BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework
- btproxy
- hcitool & bluez
- Testing With GATT Tool
- crackle - Cracking encryption
- bettercap
- BtleJuice Bluetooth Smart Man-in-the-Middle framework
- gattacker
- BTLEjack Bluetooth Low Energy Swiss army knife
- DEDSEC-Bluetooth-exploit
- BrakTooth Proof of Concept-Blutooth Classic Attacks
- sweyntooth_bluetooth_low_energy_attacks Public
- esp32_bluetooth_classic_sniffer Public
HardwareForBluetoothHacking
- NRFCONNECT - 52840
- EDIMAX
- CSR 4.0
- ESP32 - Development and learning Bluetooth
- Ubertooth
- Sena 100
- ESP-WROVER-KIT-VB
Bluetooth Hacks
- Blue2thprinting: Answering the Question of โWTF am I even looking at?!โ
- Open Wounds: The Last 5 Years Have Left Bluetooth to Bleed
- It Was Harder to Sniff Bluetooth Through My Mask During the Pandemicโฆ
- Bluetooth vs BLE Basics
- Examining the August Smart Lock
- Finding Bugs in Bluetooth
- Intel Edison as Bluetooth LE โ Exploit Box
- How I Reverse Engineered and Exploited a Smart Massager
- My Journey Towards Reverse Engineering a Smart Band โ Bluetooth-LE RE
- Bluetooth Smartlocks
- I Hacked MiBand 3
- GATTacking Bluetooth Smart Devices
- Bluetooth Beacon Vulnerability
- Sweyntooth Vulnerabilities
- AIRDROP_LEAK - Sniffs BLE Traffic and Displays Status Messages from Apple Devices
- BRAKTOOTH: Causing Havoc on Bluetooth Link Manager
- Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500
- MojoBox - Yet Another Not So Smartlock
- Bluetooth-Hacking
- Bluetooth Forward and Future Secrecy Attacks and Defenses (BLUFFS) [CVE 2023-24023]
DECT (Digital Enhanced Cordless Telecommunications)
- Real Time Interception And Monitoring Of A DECT Cordless Telephone
- Eavesdropping On Unencrypted DECT Voice Traffic
- Decoding DECT Voice Traffic: In-depth Explanation
Software Tools && Hardware Tools
##### Software
##### Hardware
Mobile security (Android & iOS)
Android
- Android App Reverse Engineering 101 - A comprehensive guide to reverse engineering Android applications.
- Android Application Pentesting Book - A detailed book on penetration testing techniques for Android devices.
- Android Pentest Video Course - TutorialsPoint - A series of video tutorials on Android penetration testing.
- Android Tamer - A Virtual/Live Platform for Android Security professionals, offering tools and environment for Android security.
iOS
- iOS Pentesting - A guide to penetration testing in iOS environments.
- OWASP Mobile Security Testing Guide - The Open Web Application Security Projectโs guide for mobile security testing, applicable to iOS.
Villages
Online Assemblers
- AZM Online Arm Assembler by Azeria
- Online Disassembler
- Compiler Explorer is an interactive online compiler which shows the assembly output of compiled C++, Rust, Go
ARM
Pentesting Firmwares and emulating and analyzing
๐น Static Firmware Analysis Tools
- EMBA โ Analyzer for embedded Linux firmware (static scanning, reporting)
- FACT โ Firmware Analysis and Comparison Tool
- Binwalk v3 โ Extraction and static filesystem analysis for firmware images
- Firmwalker โ Greps for credentials/secrets in extracted firmware
- fwanalyzer โ Policy-based static analysis of firmware files
- fwhunt-scan โ Analyze UEFI firmware, check modules with FwHunt rules
- ByteSweep โ Modern, multi-arch firmware vulnerability scanner
- QueryX โ Static taint-tracking and binary analysis for firmware
- FirmGraph โ Builds control/call graphs from firmware binary code
- BINSEC โ Symbolic/taint-based static analysis of binaries
- Ghidra โ Advanced static disassembly and decompilation
- Radare2 โ Static/dynamic reverse engineering, disassembly
- Cutter โ GUI for Radare2 with static/dynamic features
- RetDec โ Machine-code decompiler
- Diaphora โ Binary diffing for firmware/patch analysis
- Firmware Modification Kit โ Toolkit for extracting/repacking firmware
- unblob โ Extraction framework for embedded filesystems/blobs
- fchk โ Security checks for firmware images
- Checksec.sh โ Checks binary hardening (for firmware ELF files)
๐ธ Dynamic Analysis & Emulation Tools
- Firmadyne โ Automated Linux firmware emulation and analysis
- QEMU โ System emulator for firmware images
- PANDA โ Platform for architecture-neutral dynamic analysis (record/replay, taint, fuzz)
- Avatar2 โ Dynamic firmware analysis/instrumentation
- Renode โ Emulates embedded systems, SoCs, peripherals
- Unicorn Engine โ Multi-architecture CPU emulator
- Bochs โ IA-32 (x86) PC emulator
- SymQEMU โ Symbolic execution for Linux binaries
- HALucinator โ HAL reconstruction for emulated firmware
- FirmAE โ Automated emulation/analysis of firmware
- Boofuzz โ Network/protocol fuzzing for firmware targets
- Syzkaller โ Kernel fuzzer for Linux/firmware
- Dr. Memory โ Dynamic memory analysis (adaptable for firmware)
- S2E โ Selective symbolic execution for binary software
- FirmWire โ Baseband firmware emulation (cellular/IoT)
๐ช Hybrid (Static + Dynamic) & Instrumentation Frameworks
- Firmware Analysis Toolkit (FAT) โ Hybrid static/dynamic workflow for firmware
- Angr โ Symbolic execution and hybrid static/dynamic binary analysis
- Frida โ Dynamic instrumentation toolkit
- Qiling โ Emulator supporting static/dynamic analysis of binaries/firmware
- Radare2/Cutter โ Both support static and dynamic analysis
- Ret-sync โ Sync reverse engineering across Ghidra/IDA/R2
Resources
- Firmware analysis and reversing
- Reversing 101
- IoT Security Verification Standard (ISVS)
- OWASP Firmware Security Testing Methodology
- Firmware emulation with QEMU
- Reversing ESP8266 Firmware
- Emulating ARM Router Firmware
- Reversing Firmware With Radare
- Samsung Firmware Magic - Unpacking and Decrypting
- Qiling & Binary Emulation for automatic unpacking
- Reverse engineering with #Ghidra: Breaking an embedded firmware encryption scheme
- Simulating and hunting firmware vulnerabilities with Qiling
- Using Symbolic Execution to Detect UEFI Firmware Vulnerabilities
- Binarly Finds Six High Severity Firmware Vulnerabilities in HP Enterprise Devices
- Emulating and Exploiting UEFI Firmware
Firmware Dev && Firmware Emulation
- IoT binary analysis & emulation part -1
- ross debugging for ARM / MIPS ELF with QEMU/toolchain
- Qemu + buildroot 101
- Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device
- Adaptive Emulation Framework for Multi-Architecture IoT Firmware Testing
- Automatic Firmware Emulation through Invalidity-guided Knowledge Inference
- Debugging D-Link: Emulating firmware and hacking hardware
Firmware samples to pentest
Binary Analysis
- Reverse Engineering For Everyone!
- https://www.coalfire.com/the-coalfire-blog/reverse-engineering-and-patching-with-ghidra
- Part two: Reverse engineering and patching with Ghidra
- Automating binary vulnerability discovery with Ghidra and Semgrep
Symlinks Attacks
Secureboot
Dev
Hacking
- Pwn the ESP32 Secure Boot
- Pwn the ESP32 Forever: Flash Encryption and Sec. Boot Keys Extraction
- Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM / Alternative Link
- Defeating Secure Boot with Symlink Attacks
- PS4 Aux Hax 5 & PSVR Secure Boot Hacking with Keys by Fail0verflow!
- Eclypsium Discovers Multiple Vulnerabilities Affecting 129 Dell Models Via Dell Remote OS Recovery And Firmware Update Capabilities
- Technical Advisory โ U-Boot โ Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
- Breaking Secure Boot on the Silicon Labs Gecko platform
Storage Medium
EMMC Protocol and Techniques
Explore the world of EMMC hacking with these curated resources. Whether youโre new to hardware hacking or an experienced practitioner, these links provide valuable insights into EMMC protocol, data recovery, and practical hacking techniques.
- EMMC Protocol
- RPMB, a secret place inside the eMMC
- Hardware Hacking 101: Identifying And Dumping EMMC Flash
- EMMC Data Recovery From Damaged Smartphone
- Another Bunch Of Articles For EMMC
- Unleash Your Smart-Home Devices: Vacuum Cleaning Robot Hacking
- Hands-On IoT Hacking: Rapid7 At DEF CON 30 IoT Village, Part 1
Payment Device Security
ATM Hacking
- Introduction to ATM Penetration Testing
- Pwning ATMs For Fun and Profit
- Jackpotting Automated Teller Machines Redux By Barnaby Jack
IoT hardware Overview and Hacking
Hardware Gadgets to pentest
- Bus Pirate
- EEPROM reader/SOIC Cable
- Jtagulator/Jtagenum
- Logic Analyzer
- The Shikra
- FaceDancer21 (USB Emulator/USB Fuzzer)
- RfCat
- Hak5Gear- Hak5FieldKits
- Ultra-Mini Bluetooth CSR 4.0 USB Dongle Adapter
- Attify Badge - UART, JTAG, SPI, I2C (w/ headers)
Attacking Hardware Interfaces
- An Introduction to Hardware Hacking
- Serial Terminal Basics
- Reverse Engineering Serial Ports
- REVERSE ENGINEERING ARCHITECTURE AND PINOUT OF CUSTOM ASICS
- ChipWhisperer - Hardware attacks
- Hardware hacking tutorial: Dumping and reversing firmware
SPI
- Dumping the firmware From Router using BUSPIRATE - SPI Dump
- TPM 2.0: Extracting Bitlocker keys through SPI
- How to Flash Chip of a Router With a Programmer
- Extracting Flash Memory over SPI
- Extracting Firmware from Embedded Devices (SPI NOR Flash)
- SPI-Blogs
- Reading FlashROMS - Youtube
UART
- Intro to Embedded RE: UART Discovery and Firmware Extraction via UBoot
- Router Analysis Part 1: UART Discovery and SPI Flash Extraction
- Identifying UART interface
- onewire-over-uart
- Accessing sensor via UART
- Using UART to connect to a chinese IP cam
- A journey into IoT โ Hardware hacking: UART
- UARTBruteForcer
- UART Connections and Dynamic analysis on Linksys e1000
- Accessing and Dumping Firmware Through UART
- UART Exploiter
JTAG
- HARDWARE HACKING 101: INTRODUCTION TO JTAG
- How To Find The JTAG Interface - Hardware Hacking Tutorial
- Buspirate JTAG Connections - Openocd
- Extracting Firmware from External Memory via JTAG
- Analyzing JTAG
- The hitchhackerโs guide to iPhone Lightning & JTAG hacking
- Debugging 8-bit AVRยฎ microcontrollers trhough JTAG and AVR-gdb
TPM
- Introduction to TPM (Trusted Platform Module)
- Trusted platform module security defeated in 30 minutes, no soldering required
-
SideChannel Attacks
- Side channel attacks
- Attacks on Implementations of Secure Systems
- fuzzing, binary analysis, IoT security, and general exploitation
- Espressif ESP32: Bypassing Encrypted Secure Boot(CVE-2020-13629)
- Breaking AES with ChipWhisperer - Piece of scake (Side Channel Analysis 100)
- Researchers use Rowhammer bit flips to steal 2048-bit crypto key
Glitching and Fault Injection Resources
##### Tutorials and Case Studies
- NAND Glitching Attack - Gaining root access to a Wink Hub through NAND glitching.
- Tutorial CW305-4 Voltage Glitching with Crowbars - Detailed tutorial on voltage glitching using crowbars.
- Voltage Glitching Attack using SySS iCEstick Glitcher - A demonstration of a voltage glitching attack by SySS PentestTV.
- Samy Kamkar - FPGA Glitching & Side Channel Attacks - Insights on FPGA glitching and side channel attacks from Samy Kamkar.
-
Hardware Power Glitch Attack - rhme2 Fiesta (FI 100) - A hardware power glitch attack demonstration by LiveOverflow.
Specific Techniques and Experiments
- Keys in flash - Glitching AES keys from an Arduino / ATmega - Extracting AES keys from an Arduino using glitching.
- Implementing Practical Electrical Glitching Attacks - A guide on implementing electrical glitching attacks, presented at Black Hat Europe 2015.
- How To Voltage Fault Injection - A comprehensive guide on voltage fault injection techniques.
Awesome IoT Pentesting Guides
- Shodan Pentesting Guide
- Car Hacking Practical Guide 101
- OWASP Firmware Security Testing Methodology
- Awesome-bluetooth-security
- awesome-embedded-fuzzing
Fuzzing Things
- OWASP Fuzzing Info
- Fuzzing_ICS_protocols
- Fuzzowski - the Network Protocol Fuzzer that we will want to use
- Fuzz Testing of Application Reliability
- FIRM-AFL : High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation
- Snipuzz : Black-box Fuzzing of IoT Firmware via Message Snippet Inference
- [fuzzing-iot-binaries] - part1 / part2
- Modern Vulnerability Research Techniques on Embedded Systems
- FuzzingPaper
- Exercises to learn how to fuzz with American Fuzzy Lop
- Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging
- Bluetooth experimentation framework for Broadcom and Cypress chips.
- Fuzzing Forum
Vulnerable IoT and Hardware Applications
- IoT: DVID -
Deliberately vulnerable IoT device firmware for training and educational purposes. - Safe: Damn Vulnerable Safe -
A physical safe designed to be vulnerable, intended for security training. - IoT-vulhub: IoT-vulhub -
Collection of Dockerized vulnerable IoT applications for learning about IoT security. - Router: DVRF -
Damn Vulnerable Router Firmware project for understanding router vulnerabilities. - SCADA: Damn Vulnerable Chemical Process -
A presentation on a vulnerable SCADA system for learning purposes. - PI: Sticky Fingers DV-Pi -
A vulnerable Raspberry Pi project for educational use. - SS7 Network: Damn Vulnerable SS7 Network -
Demonstrates vulnerabilities in SS7 networks. - VoIP: Hacklab VulnVoIP -
A vulnerable VoIP application for learning and training. - Hardware Hacking 101: Hardware Hacking 101 -
A repository for learning the basics of hardware hacking. - RHME-2015: RHme-2015 -
Archive of the RHme-2015 hardware hacking competition. - RHME-2016: Rhme-2016 -
Archive of the RHme-2016 hardware hacking competition. - RHME-2017: Rhme-2017 -
Archive of the RHme-2017 hardware hacking competition.
CTF For IoT And Embeddded
Hardware CTFs
- BLE CTF - A framework focused on Bluetooth Low Energy security.
- Rhme-2016 - Riscureโs hardware security competition for 2016.
- Rhme-2017 - Riscureโs hardware security competition for 2017.
IoT CTFs
- IoTGoat - Deliberately insecure firmware based on OpenWrt for IoT security training.
- IoT Village CTF - A Capture The Flag event specifically focused on IoT security.
- IoTSec CTF - Offers IoT related challenges for continuous learning.
Firmware CTFs
- Emulate to Exploitate
- Damn Vulnerable ARM Router - A deliberately vulnerable ARM router for exploitation practice.
- Firmware Security Training & CTF - Firmware analysis tools and challenges by Router Analysis Toolkit.
ARM CTFs
- ARM-X CTF - A set of challenges focused on ARM exploitation.
- Azeria Labs ARM Challenges - Offers ARM assembly challenges and tutorials.
Reverse Engineering CTFs
- Microcorruption - Embedded security CTF focusing on lock systems.
- Pwnable.kr - Offers various reverse engineering challenges.
Platforms for Continuous Learning
- Hack The Box - Platform offering a range of challenges, including hardware and reverse engineering.
- Root Me - Platform with various types of challenges including hardware and reverse engineering.
- CTFtime - Lists various CTFs, including those in hardware, IoT, and firmware.
follow the people
- Jilles
- Joe Fitz
- Aseem Jakhar
- Cybergibbons
- Jasper
- Dave Jones
- bunnie
- Ilya Shaposhnikov
- Mark C.
- A-a-ron Guzman
- Yashin Mehaboobe
- Arun Magesh
- Mr-IoT
- QKaiser
- 9lyph
Blogs for IoT Pentest
๐ IoT Security Blogs
- Team82 Research
- wrongbaud
- Firmware Analysis
- voidstarsec
- Exploitee.rs Website
- Jilles.com
- Syss Tech Blog
- Payatu Blog
- Raelize Blog
- JCJC Dev Blog
- W00tsec Blog
- Devttys0 Blog (Use Wayback Machine for old blogs)
- Wrongbaud Blog
- Embedded Bits Blog
- RTL-SDR Blog
- Keenlab Blog
- Courk.cc
- IoT Security Wiki
- Cybergibbons Blog
- Firmware.RE
- K3170makan Blog
- Tclaverie Blog
- Besimaltinok Blog
- Ctrlu Blog
- IoT Pentest Blog
- Duo Decipher Blog
- Sp3ctr3 Blog
- 0x42424242.in Blog
- Dantheiotman Blog
- Danman Blog
- Quentinkaiser Blog
- Quarkslab Blog
- Ice9 Blog
- F-Secure Labs Blog
- MG.lol Blog
- CJHackerz Blog
- Bunnieโs Blog
- Synacktiv Publications
- Cr4.sh Blog
- Ktln2 Blog
- Naehrdine Blog
- Limited Results Blog
- Fail0verflow Blog
- Exploit Security Blog
- Attify Blog