š Awesome Connected Things Security Resources
A curated repository of IoT, Embedded, Industrial & Automotive, Core Tech security knowledge.
Table of Contents
- Hardware Attacks
- Wireless Protocols
- Firmware Security
- Network and Web Protocols
- Cloud and Backend Security
- Mobile Application Security
- Industrial and Automotive
- Payment Systems
- Tools
- Defensive Security
- Learning Resources
- Labs and CTFs
- Research and Community
- Contributing
- License
Hardware Attacks
Fundamentals
- IoT Hardware Guide
- Intro to Hardware Hacking - Dumping Your First Firmware
- An Introduction to Hardware Hacking
- Hardware Toolkits for IoT Security Analysis
- Hardware Hacking for IoT Devices - Offensive IoT Exploitation
Interface Attacks
UART
- Identifying UART Interface
- Serial Terminal Basics
- Reverse Engineering Serial Ports
- Intro to Embedded RE: UART Discovery and Firmware Extraction via UBoot
- Using UART to Connect to a Chinese IP Cam
- A Journey into IoT Hardware Hacking: UART
- Accessing and Dumping Firmware Through UART
- UART Connections and Dynamic Analysis on Linksys e1000
- UARTBruteForcer
- UART Exploiter
JTAG
- Hardware Hacking 101: Introduction to JTAG
- How to Find the JTAG Interface
- Analyzing JTAG
- Bus Pirate JTAG Connections with OpenOCD
- Extracting Firmware from External Memory via JTAG
- The Hitchhackerās Guide to iPhone Lightning and JTAG Hacking
- Debugging AVR Microcontrollers Through JTAG
SWD (Serial Wire Debug)
- SWD Protocol Overview - HardBreak Wiki
- Unveiling Vulnerabilities: Exploring SWD Attack Surface in Hardware
- Introduction to ARM Serial Wire Debug Protocol
- Serial Wire Debug and CoreSight Architecture
- LibSWD - Serial Wire Debug Open Library
- Hardware Hacking and Exploitation Bootcamp - SWD
SPI
- Hardware Hacking 101: Identifying and Dumping eMMC Flash
- Dumping Firmware from Router Using Bus Pirate - SPI
- Extracting Flash Memory over SPI
- Extracting Firmware from Embedded Devices (SPI NOR Flash)
- How to Flash Chip of a Router with a Programmer
- TPM 2.0: Extracting Bitlocker Keys Through SPI
I2C
- IoT Security Part 16: Hardware Attack Surface I2C
- I2C Exploitation - HackTricks
- Non-invasive I2C Hardware Trojan Attack Vector (PDF)
- Hardware Hacking: I2C Injection with Bus Pirate
- Safeguarding SPI, I2C, and I3C Protocols
TPM
- Introduction to TPM (Trusted Platform Module)
- Trusted Platform Module Security Defeated in 30 Minutes
Memory Extraction
eMMC
- eMMC Protocol
- RPMB: A Secret Place Inside the eMMC
- eMMC Data Recovery from Damaged Smartphone
- Unleash Your Smart-Home Devices: Vacuum Cleaning Robot Hacking
- Hands-On IoT Hacking: Rapid7 at DEF CON 30
Side-Channel and Fault Injection
Fundamentals
- Side Channel Attacks - Yifan Lu
- Attacks on Implementations of Secure Systems
- Fuzzing, Binary Analysis, IoT Security Collection
Glitching Attacks
- NAND Glitching Attack on Wink Hub
- Voltage Glitching with Crowbars Tutorial
- Voltage Glitching Attack using iCEstick Glitcher
- FPGA Glitching and Side Channel Attacks - Samy Kamkar
- Hardware Power Glitch Attack - rhme2
- Keys in Flash - Glitching AES Keys from Arduino
- Implementing Practical Electrical Glitching Attacks
- How to Voltage Fault Injection
- Glitcher Part 1 - Reproducible Voltage Glitching on STM32 Microcontrollers
- STM32L05 Voltage Glitching
Power Analysis
Other Microcontrollers
- Dumping the Amlogic A113X Bootrom
- Retreading The AMLogic A113X TrustZone Exploit Process
- Reverse Engineering an Unknown Microcontroller
- Hacking Microcontroller Firmware Through a USB
- Thereās A Hole In Your SoC: Glitching The MediaTek BootROM
PCIe and DMA Attacks
- A Practical Tutorial on PCIe for Total Beginners on Windows - Part 1
- A Practical Tutorial on PCIe for Total Beginners on Windows - Part 2
- PCIe DMA Attack against a Secured Jetson Nano (CVE-2022-21819)
Wireless Protocols
RF Fundamentals
- Complete Course in Software Defined Radio - Michael Ossmann
- SDR Notes - Radio IoT Protocols Overview
- Understanding Radio
- Introduction to Software Defined Radio
- Introduction to GNU Radio Companion
- Creating a Flow Graph in GNU Radio Companion
- Analyzing Radio Signals 433MHz
- Recording Specific Radio Signals
- Replay Attacks with Raspberry Pi and rpitx
- Reverse Engineering a Car Key Fob Signal
- GRCON 2021 - Capture the Signal
Bluetooth / BLE
Fundamentals
- Awesome Bluetooth Security
- BLE-NullBlr: Step by Step Guide to BLE Understanding and Exploiting
- Traffic Engineering in a Bluetooth Piconet
- BLE Characteristics: A Beginnerās Tutorial
- Intro to Bluetooth Low Energy (PDF)
- Bluetooth LE Security Study Guide
- Reverse Engineering BLE Devices
- My Journey Towards Reverse Engineering a Smart Band ā Bluetooth-LE RE
Exploitation Techniques
- Intel Edison as Bluetooth LE Exploit Box
- Reverse Engineering and Exploiting a Smart Massager
- I Hacked MiBand 3
- GATTacking Bluetooth Smart Devices
- Examining the August Smart Lock
- Practical Introduction to BLE GATT Reverse Engineering
- MojoBox - Yet Another Not So Smartlock
- Bluetooth Smartlocks
- Bluetooth Beacon Vulnerability
- Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero
- Grand Theft Auto: A peek of BLE relay attack
- How I Hacked Smart Lights: CVE-2022-47758
- NFC Relay Attack on Tesla Model Y
Vulnerability Research
- Finding Bugs in Bluetooth
- Sweyntooth Vulnerabilities
- BrakTooth: Causing Havoc on Bluetooth Link Manager
- BLUFFS: Bluetooth Forward and Future Secrecy Attacks (CVE-2023-24023)
- AirDrop Leak - Sniffing BLE Traffic from Apple Devices
- BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution
- BRAKTOOTH: Causing Havoc on Bluetooth Link Manager (PDF)
- Norec Attack: Stripping BLE encryption from Nordicās Library (CVE-2020-15509)
Conference Talks
- Blue2thprinting: WTF Am I Even Looking At?
- Open Wounds: Last 5 Years Have Left Bluetooth to Bleed
- Sniffing Bluetooth Through My Mask During the Pandemic
Tools - Software
- Bluing - Intelligence Gathering for Bluetooth
- BlueToolkit - Bluetooth Classic Vulnerability Testing
- btproxy
- hcitool and bluez
- Testing with GATT Tool
- crackle - Cracking BLE Encryption
- bettercap
- BtleJuice - Bluetooth Smart MITM Framework
- GATTacker
- BTLEjack - BLE Swiss Army Knife
- DEDSEC Bluetooth Exploit
- BrakTooth ESP32 PoC
- SweynTooth BLE Attacks
- ESP32 Bluetooth Classic Sniffer
- Bluetooth Hacking Collection
Tools - Hardware
Tools
Hacking Bluetooth Coffee Machines
- Hacking Bluetooth to Brew Coffee from Github Actions - Part 1
- Hacking Bluetooth to Brew Coffee from Github Actions - Part 2
- Hacking Bluetooth to Brew Coffee from Github Actions - Part 3
Zigbee / Z-Wave
Fundamentals
Exploitation
- Hacking IoT Devices with Attify Zigbee Framework
- Zigator: Analyzing Security of Zigbee-Enabled Smart Homes
- Security Analysis of Zigbee with Zigator and GNU Radio
- Low-Cost ZigBee Selective Jamming
Tools - Software
Tools - Hardware
LoRa / LoRaWAN
- LoRaWAN Security Overview - Tektelic
- Security Vulnerabilities in LoRaWAN
- Low Powered and High Risk: Attacks on LoRaWAN Devices
- LAF - LoRaWAN Auditing Framework
- ChirpOTLE - LoRaWAN Security Framework
Fundamentals
- LoRaWAN Security Survey - ScienceDirect
- LoRaWAN - Wikipedia
Exploitation
- Millions of Devices Using LoRaWAN Exposed - SecurityWeek
- Do You Blindly Trust LoRaWAN Networks? - IOActive
- LoRaWAN Encryption Keys Easy to Crack - Threatpost
- LoPT: LoRa Penetration Testing Tool (PDF)
Tools
Matter / Thread
Fundamentals
- Matter Standard - CSA-IoT
- Matter Protocol Wikipedia
- Matter Protocol Complete Guide 2025
- How to Secure Smart Home Devices with Matter
- Smart Home Device Solutions for Matter - DigiCert
Security Research
- Security Vulnerabilities and Attack Scenarios in Smart Home with Matter
- Trust Matters: Uncovering Vulnerabilities in Matter Protocol - Nozomi
- Matter over Thread Security
- State-of-the-Art Review on IoT Wireless PAN Protocol Security
- Matter Smart Home - Krasamo
Cellular (GSM/LTE/5G)
- Awesome Cellular Hacking
- Introduction to GSM Security
- Breaking LTE on Layer Two
- 5Ghoul - 5G NR Attacks and Fuzzing
- Exploiting CSN.1 Bugs in MediaTek Basebands
- SIM Hijacking
- SigPloit - Telecom Signaling Exploitation Framework
- LTE Sniffer
Fundamentals
- GSM Security Part 2
- What is Base Transceiver Station
- Introduction to SS7 Signaling
- SS7 Network Architecture
- Introduction to SIGTRAN
Exploitation
- How to Build Your Own Rogue GSM BTS
- GSM Vulnerabilities with USRP B200
- Security Testing 4G (LTE) Networks
- Case Study of SS7/SIGTRAN Assessment
Tools
NFC/RFID
- Awesome RFID/NFC Security Talks
- RFID Discord Group
- SoK: Security of EMV Contactless Payment Systems
DECT (Digital Enhanced Cordless Telecommunications)
- Real Time Interception of DECT Cordless Telephone
- Eavesdropping on Unencrypted DECT Voice Traffic
- Decoding DECT Voice Traffic: In-depth Explanation
Wi-Fi
Protocol Vulnerabilities
- Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues
- Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects
- WPAxFuzz: Sniffing Out Vulnerabilities in Wi-Fi Implementations
- Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks
Exploitation
- Over The Air: Exploiting Broadcomās Wi-Fi Stack (Part 1)
- Over The Air: Exploiting Broadcomās Wi-Fi Stack (Part 2)
- Over The Air: Exploiting The Wi-Fi Stack on Apple Devices
- Reverse-engineering Broadcom wireless chipsets
- Exploiting Qualcomm WLAN and Modem Over the Air
- Windows Wi-Fi Driver RCE Vulnerability ā CVE-2024-30078
- When a Wi-Fi SSID Gives You Root on an MT02 Repeater - Part 1
- When a Wi-Fi SSID Gives You Root on an MT02 Repeater - Part 2
Reverse Engineering WiFi
- Reverse Engineering WiFi on RISC-V BL602
- Unveiling secrets of the ESP32: creating an open-source MAC Layer
- Unveiling secrets of the ESP32: reverse engineering RX
USB
- ALL ABOUT USB-C: INTRODUCTION FOR HACKERS
- Hi, My Name is Keyboard
- How to Weaponize the Yubikey
UWB (Ultra-Wideband)
TETRA
Firmware Security
Fundamentals
- Introduction to Firmware Analysis - OWASP
- OWASP Firmware Security Testing Methodology
- IoT Security Verification Standard (ISVS)
- Reversing 101
- Hands-on Firmware Extraction, Exploration, and Emulation
Extraction
- Router Analysis Part 1: UART Discovery and SPI Flash Extraction
- Hardware Hacking Tutorial: Dumping and Reversing Firmware
- Firmware Samples - firmware.center
- BasicFUN Series: Hardware Analysis / SPI Flash Extraction
- BasicFUN Series: Reverse Engineering Firmware / Reflashing SPI Flash
- Retrofitting encrypted firmware is a Bad Idea
Static Analysis Tools
- EMBA - Embedded Linux Firmware Analyzer
- FACT - Firmware Analysis and Comparison Tool
- Binwalk v3
- Firmwalker
- fwanalyzer
- fwhunt-scan - UEFI Firmware Analysis
- ByteSweep
- QueryX - Static Taint Tracking
- FirmGraph
- BINSEC
- unblob - Extraction Framework
- fchk - Security Checks for Firmware
- Checksec.sh
- Firmware Modification Kit
Dynamic Analysis and Emulation
- Firmadyne - Automated Firmware Emulation
- FirmAE - Firmware Analysis and Emulation
- QEMU
- PANDA - Architecture-Neutral Dynamic Analysis
- Avatar2 - Dynamic Firmware Analysis
- Renode - Embedded Systems Emulator
- Unicorn Engine - CPU Emulator
- Qiling Framework
- HALucinator
- FirmWire - Baseband Firmware Emulation
- SymQEMU
- S2E - Selective Symbolic Execution
- Bochs - x86 Emulator
- SAME70 Emulator
- Emulate Until You Make it
Emulation Tutorials
- Firmware Emulation with QEMU
- Emulating ARM Router Firmware - Azeria Labs
- Emulating IoT Firmware Made Easy
- IoT Binary Analysis and Emulation Part 1
- Cross Debugging for ARM/MIPS with QEMU
- QEMU + Buildroot 101
- Simulating and Hunting Firmware Vulnerabilities with Qiling
- Qiling and Binary Emulation for Automatic Unpacking
- Debugging D-Link: Emulating Firmware and Hacking Hardware
- Adaptive Emulation Framework for Multi-Architecture IoT
- Automatic Firmware Emulation through Invalidity-guided Knowledge Inference
- Emulating RH850 architecture with Unicorn Engine
- Icicle: A Re-designed Emulator for Grey-Box Firmware Fuzzing
- Challenges and Pitfalls while Emulating Six Current Icelandic Household Routers
- My Emulation Goes to the Moonā¦ Until False Flag
- How to Emulate Android Native Libraries Using Qiling
OTA Update Security
Fundamentals
- IoT Firmware Security and Update Mechanisms
- Implementing OTA Updates for IoT Devices
- Secure OTA Boot Chains and Firmware Verification
- The Key to Firmware Security in Connected IoT Devices
- Security Considerations for OTA Updates - Stack Overflow
Attack Vectors
- Top 10 IoT Vulnerabilities - OTA Update Attacks
- Updating IoT Devices 2025: Best Practices
- Review of IoT Firmware Vulnerabilities and Auditing Techniques
- Secure OTA Firmware Update Mechanism (PDF)
RTOS Security
Zephyr RTOS
- Zephyr RTOS GitHub
- Zephyr Vulnerabilities List
- NCC Group Zephyr and MCUboot Security Assessment
- 26 Flaws in Zephyr and MCUboot
- Tackling Security in Zephyr RTOS
- Enhancing Security with Zephyr RTOS
FreeRTOS
- FreeRTOS 13 Vulnerabilities in TCP/IP Stack
- Exploiting Memory Corruption in FreeRTOS - ShmooCon
- RTOS Security Analysis - USENIX
- Dynamic Vulnerability Patching for RTOS
- AWS FreeRTOS Vulnerabilities
Reverse Engineering Tools
- Ghidra
- IDA Pro
- Radare2
- Cutter - GUI for Radare2
- Binary Ninja
- GDB
- RetDec - Decompiler
- Diaphora - Binary Diffing
- Angr - Binary Analysis
- Frida - Dynamic Instrumentation
- Ret-sync
- OllyDbg
- x64dbg
- Hopper
- Immunity Debugger
- PEiD
- Ghidriff - Ghidra Binary Diffing Engine
- The rev.ng decompiler goes open source
- Intro to Cutter
- pyghidra-mcp: Headless Ghidra MCP Server
- Mindshare: Using Binary Ninja API to Detect Potential Use-after-free Vulnerabilities
Reverse Engineering Tutorials
- Reverse Engineering and Patching with Ghidra
- Reverse Engineering with Ghidra: Breaking Firmware Encryption
- Reversing Firmware with Radare
- Reversing ESP8266 Firmware
- Automating Binary Vulnerability Discovery with Ghidra and Semgrep
- Finding Bugs in Netgear Router
Ghidra Tutorials
- Debugger Ghidra Class
- Ghidra 101: Cursor Text Highlighting
- Ghidra 101: Decoding Stack Strings
- Extending Ghidra Part 1: Setting up a Development Environment
- Expanding the Dragon: Adding an ISA to Ghidra
- Ghidra nanoMIPS ISA module
- Binary type inference in Ghidra
- Writing a Ghidra processor module
Online Assemblers
ARM Exploitation
- Azeria Labs ARM Tutorials
- ARM Exploitation for IoT
- Damn Vulnerable ARM Router (DVAR)
- Exploit Education
- A Guide to ARM64 / AArch64 Assembly on Linux
- ARMv8 AArch64/ARM64 Full Beginnerās Assembly Tutorial
- A Noobs Guide to ARM Exploitation
- ARM64 Reversing And Exploitation Series (8ksec) - Parts 1-10
- AArch64 memory and paging
- We are ARMed no more ROPpery Here
Binary Analysis
- Practical Binary Analysis
Secure Boot
Development
Bypasses
- Pwn the ESP32 Secure Boot
- Pwn ESP32 Forever: Flash Encryption and Secure Boot Keys Extraction
- ESP32 Secure Boot Bypass (CVE-2020-13629)
- Amlogic S905 SoC: Bypassing Secure Boot
- Defeating Secure Boot with Symlink Attacks
- PS4 Secure Boot Hacking - Fail0verflow
- Dell BIOS Vulnerabilities - BIOSDisconnect
- U-Boot USB DFU Vulnerability (CVE-2022-2347)
- Breaking Secure Boot on Silicon Labs Gecko
UEFI Security
- Using Symbolic Execution to Detect UEFI Vulnerabilities
- HP Enterprise UEFI Vulnerabilities
- Emulating and Exploiting UEFI Firmware
- The Dark Side of UEFI: A technical Deep-Dive into Cross-Silicon Exploitation
- Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution
- PixieFail: Nine vulnerabilities in Tianocoreās EDK II IPv6 network stack
- For Science! - Using an Unimpressive Bug in EDK II
-
Hydroph0bia: SecureBoot bypass for Insyde H2O
Symlink Attacks
- Zip Slip Vulnerability
Router Firmware Analysis
- A Journey into IoT: Discover Components and Ports
- A Journey into IoT: Firmware Dump and Analysis
- A Journey into IoT: Radio Communications
- A Journey into IoT: Internal Communications
- Dynamic Analysis of Firmware Components in IoT Devices
- RV130X Firmware Analysis
- TP-Link Firmware Decryption C210 V2 cloud camera bootloaders
Router Exploitation
- Hunting for Unauthenticated n-days in Asus Routers
- Pulling MikroTik into the Limelight
- Exploiting MikroTik RouterOS Hardware with CVE-2023-30799
- Rooting Xiaomi WiFi Routers
- Route to Safety: Navigating Router Pitfalls
- ROPing our way to RCE
- ROPing Routers from scratch: Tenda Ac8v4
- PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers
- Puckungfu 2: Another NETGEAR WAN Command Injection
- Reversing, Discovering, And Exploiting A TP-Link Router Vulnerability ā CVE-2024ā54887
- Exploiting Zero-Day (CVE-2025ā9961) Vulnerability in the TP-Link AX10 Router
- FiberGateway GR241AG - Full Exploit Chain
- Blackbox-Fuzzing of IoT Devices Using the Router TL-WR902AC
- Rooting the TP-Link Tapo C200 Rev.5
Netgear Series
- Netgear Orbi: Introduction, UART Access, Recon
- Netgear Orbi: Crashes in SOAP-API
- Netgear Orbi: NDay Exploit CVE-2020-27861
- The Last Breath of Our Netgear RAX30 Bugs
TP-Link Series
- TP-Link TDDP Buffer Overflow Vulnerability
- Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750
- TP-Link Tapo c200 Camera Unauthenticated RCE (CVE-2021-4045)
Cisco Series
- Patch Diffing a Cisco RV110W Firmware Update - Part 1
- CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM
- Flashback Connects - Cisco RV340 SSL VPN RCE
Secure Boot Bypasses
- Bypassing Secure Boot using Fault Injection
- Breaking Secure Boot on Google Nest Hub (2nd Gen)
- Booting into Breaches: Hunting Windows SecureBootās Remote Attack Surfaces
Network and Web Protocols
MQTT
- Introduction to MQTT
- MQTT Broker Security 101
- Hacking the IoT with MQTT
- IoT Security: RCE in MQTT Protocol
- IoXY - MQTT Intercepting Proxy
- MQTT-PWN
Fundamentals
- Understanding the MQTT Protocol Packet Structure
Security and Exploitation
- Are Smart Homes Vulnerable to Hacking?
- Penetration Testing Sesame Smart Door Lock
- Servisnet Tessa - MQTT Credentials Dump (Metasploit)
- Eclipse Mosquitto Unquoted Service Path
Known CVEs
- CVE-2020-13849 - DoS vulnerability (CVSS 7.5)
- CVE-2023-3028 - Insufficient authentication (CVSS 9.8)
- CVE-2021-0229 - Resource consumption (CVSS 5.3)
- CVE-2019-5432 - Malformed packet crash (CVSS 7.5)
Tools
- Mosquitto - Open Source MQTT Broker
- HiveMQ
- MQTT Explorer
- Nmap MQTT Library
- Seven Best MQTT Client Tools
Applications
- Using IoT MQTT for V2V and Connected Cars
- MQTT Hardware Development Projects
- 100,000 Connected Cars with Kubernetes, Kafka, MQTT, TensorFlow
- Authenticating Devices Using MQTT with Auth0
- Deep Learning UDF for MQTT IoT Anomaly Detection
- Guide to MQTT: Hacking a Doorbell
Malware Research
CoAP
- IETF Security Protocol Comparison
- RFC 8613 - OSCORE
- Radware - CoAP Protocol Overview
Specifications and Security
- EMQX on CoAP and IoT Security (2024)
- RFC 8323 - CoAP over TCP
- RFC 8824 - SCHC Header Compression
Tools - Software
- CoAP NSE (Nmap)
- Copper - Firefox CoAP Plugin
- libcoap CLI Tools
- Scapy CoAP Plugin
- Eclipse Californium (Java)
- Peach Fuzzer
Tools - Hardware
Research and Tutorials
- SpectralOps - Top IoT Protocol Security Issues
- IoT Pentest Lab Setup Guide (2025)
- CoAP Exposure Study (2024)
mTLS
ļø Tools
| Tool | Use | Link |
|---|---|---|
| mtls-intercept | Reverse proxy that dynamically signs client certs to MITM full mTLS sessions | github.com/fungaren/mtls-intercept |
| mitmproxy | Configure client_certs with extracted IoT device cert to impersonate device in mTLS handshake | mitmproxy.org |
| SSLsplit | Transparent mTLS proxy - forward extracted device cert to complete mutual handshake with cloud | github.com/droe/sslsplit |
| eCapture (eBPF) | Hook OpenSSL/BoringSSL on Linux IoT gateways pre-encrypt - decrypts mTLS + TLS 1.3 + PFS | ecapture.cc |
| Wireshark + SSLKEYLOGFILE | Decrypt captured mTLS sessions from IoT gateways using NSS pre-master secret logs | wiki.wireshark.org/TLS |
| Frida | Runtime hook SSLContext, TrustManager, KeyManager in Android IoT companion apps | frida.re |
| Objection | android sslpinning disable - strips mTLS pinning in companion apps | github.com/sensepost/objection |
| apk-mitm | Statically patches IoT companion APK to disable mTLS cert pinning | github.com/shroudedcode/apk-mitm |
| MagiskTrustUserCerts | Moves custom CA to system store on rooted Android POS/kiosk to complete mTLS MITM | github.com/NVISOsecurity/MagiskTrustUserCerts |
| frida-multiple-unpinning | Universal Frida script targeting 20+ mTLS/pinning patterns in hardened IoT apps | github.com/httptoolkit/frida-android-unpinning |
| NEU-SNS/IoTLS | IMCā21 research repo - SSLKEYLOGFILE files to decrypt MITMād mTLS connections across 32 devices | github.com/NEU-SNS/IoTLS |
| mitmrouter | Linux-based IoT traffic interception router - intercepts device TLS at network level | github.com/nmatt0/mitmrouter |
Blogs & Articles
- mTLS: When Certificate Authentication is Done Wrong
- mTLS Authentication in IoT: Enhancing Security for Connected Devices
- Hands On IoT MitM Part 1 ā AWS IoT MQTT + mTLS Interception
- OWASP MASTG-TECH-0012: Bypassing Certificate Pinning in Android IoT Companion Apps
- Theory to Practice: mTLS in Action Part 1
- Firmware Analysis for IoT Penetration Testing
- Configuring mTLS on Mosquitto MQTT Broker
- AWS IoT Docs: X.509 Client Certificates and Fleet Provisioning
- Azure IoT Hub: mTLS X.509 CA Authentication Concept
Research Papers
- Evaluation of TLS and mTLS in Internet of Things Systems - MIUN DiVA, 2024
- Atlas: Enabling Cross-Vendor mTLS Authentication for IoT - arXiv 2025
- TLS in the IoT Ecosystem - IEEE IMC 2021, NEU-SNS
- Lightweight mTLS Authentication for Industrial IoT - PMC/NIH 2023
- Quantum-Enhanced mTLS for IoT Battlefield Networks - IJPSAT
- AI vs. IoT Security: Fingerprinting and Defenses Against TLS Attacks - IEEE Xplore 2025
YouTube
- Intercepting IoT Device Traffic with ARP Poisoning + mitmproxy TLS Intercept
- Using Linux to Intercept IoT Device Traffic with mitmrouter
- Mutual TLS - The Backend Engineering Show Deep Dive
- Intercepting SSL/TLS - Fiddler and MITMProxy Decrypt Walkthrough
- Decrypting Kubernetes mTLS Traffic - eCapture, Custom CA, eBPF Methods
- Mastering mTLS: Stop MITM Attacks and Boost API/IoT Security
- Introduction to IoT Penetration Testing Webinar - CyberWarFare Labs
IoT Protocols Overview
- IoT Protocols Overview
- IoT Attack Surface - OWASP
-
IoT Architecture
- Attacking IoT Devices from Web Perspective
- Awesome Industrial Protocols
Cloud and Backend Security
AWS IoT Security
- AWS Penetration Testing Policy
- AWS Pentesting Guide - HackerOne
- A few notes on AWS Nitro Enclaves
- Pacu - AWS Exploitation Framework
- ScoutSuite - Multi-cloud Security Auditing
-
Prowler - Cloud Security Assessment
Fundamentals
- Comprehensive AWS Pentesting Guide - BreachLock
- AWS Pentest Methodology - MorattiSec
- AWS Penetration Testing Methodology - Rootshell
- AWS Penetration Testing Techniques 2025
Tools
- CloudFox - Cloud Attack Paths
- S3Scanner - Leaky Bucket Discovery
- Cloudfoxable Labs
- AWS Security Pentesting Resources
Vulnerabilities
Firebase / Cloud Misconfigurations
Mobile Application Security
Android
- Android App Reverse Engineering 101
- Android Application Pentesting Book
- Android Pentest Video Course - TutorialsPoint
- Android Tamer
- Android Hackerās Handbook
- A first look at Android 14 forensics
- Deobfuscating Android ARM64 strings with Ghidra
- Introduction to Fuzzing Android Native Components
- Hacking Android Games
- Intercepting HTTPS Communication in Flutter
Android Kernel Exploitation
- Android Kernel Exploitation
- Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938
- Attacking the Android kernel using the Qualcomm TrustZone
- Driving forward in Android drivers
- Analyzing a Modern In-the-wild Android Exploit
- Exploiting Androidās Hardened Memory Allocator
- GPUAF - Two ways of Rooting All Qualcomm based Android phones
- The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit
- Qualcomm DSP Kernel Internals
- Binder Fuzzing
Android Scudo Allocator
- Android: Scudo
- Behind the Shield: Unmasking Scudoās Defenses
- scudo Hardened Allocator ā Unofficial Internals Documentation
iOS
- iOS Pentesting Guide
-
OWASP Mobile Security Testing Guide
- An iOS hacker tries Android
- Analyzing IOS Kernel Panic Logs
- Blasting Past iOS 18
- Emulating an iPhone in QEMU
- First analysis of Appleās USB Restricted Mode bypass (CVE-2025-24200)
- Exploring UNIX pipes for iOS kernel exploit primitives
Industrial and Automotive
ICS/SCADA
- ICS Village
- ICS Discord Group
- Controlthings.io Platform
- Applied Cyber Security and the Smart Grid
- Deep Lateral Movement in OT Networks
- Hacking ICS Historians: The Pivot Point from IT to OT
- OPC UA Deep Dive Series - Parts 1-5
- Inside a New OT/IoT Cyberweapon: IOCONTROL
- Attention, High Voltage: Exploring the Attack Surface of the Rockwell Automation PowerMonitor 1000
Automotive Security
- Awesome Vehicle Security
- Car Hacking Village
- Jeep Hack
- Subaru Head Unit Jailbreak
-
Car Hacking Practical Guide 101
- CAN Injection: keyless car theft
- How I Hacked my Car Series - Parts 1-6
- How I Also Hacked my Car
- Extracting Secure Onboard Communication (SecOC) keys from a 2021 Toyota RAV4 Prime
- Recovering an ECU firmware using disassembler and branches
- Automotive Memory Protection Units: Uncovering Hidden Vulnerabilities
EV Chargers
- A Detailed Look at Pwn2own Automotive EV Charger Hardware
- Pwn2Own Automotive 2024: Hacking the ChargePoint Home Flex
- Reverse engineering an EV charger
Payment Systems
ATM Hacking
- Introduction to ATM Penetration Testing
- Pwning ATMs for Fun and Profit
- Jackpotting ATMs Redux - Barnaby Jack
-
Root Shell on Credit Card Terminal
Payment Village
- Payment Village
Tools
Hardware Tools
- Bus Pirate
- Bus Pirate 5: The Swiss ARRRmy Knife of Hardware Hacking
- The Shikra
- Attify Badge
- Flipper Zero
- HackRF
- RTL-SDR
- An In-Depth Look at the ICE-V Wireless FPGA Development Board
Multi-Purpose
- Logic Analyzer - Saleae
- JTAGulator
- EEPROM Reader/SOIC Cable
Debug Adapters
RF/SDR
USB
- FaceDancer21
- RfCat
- NullSec Ducky Payloads - Rubber Ducky BadUSB payloads for WiFi credential extraction, reverse shells, and automated recon on Windows, macOS & Linux.
Flipper Zero
- NullSec Flipper Suite - Comprehensive Flipper Zero payload collection for RF analysis, RFID/NFC cloning, BadUSB attacks, infrared, and wireless pentesting.
- PineFlip - Professional Flipper Zero companion app for Linux with GTK4/libadwaita UI, screen mirroring, file manager, and firmware management.
Hak5
- Hak5 Field Kits
- NullSec Pineapple Suite - 60+ WiFi Pineapple payloads for wireless pentesting including deauth, evil twin, handshake capture, PMKID extraction, and network reconnaissance.
Exploitation Frameworks
- BlueSploit
- IoTSecFuzz
- PENIOT
- ISF - Industrial Security Framework
- HAL - Hardware Analyzer
- PRET - Printer Exploitation Toolkit
- Expliot Framework
- RouterSploit
- HomePwn
- Firmware Analysis Toolkit (FAT)
- Shambles: The Next-Generation IoT Reverse Engineering Tool
Firmware Analysis
Fuzzing Tools
- The art of Fuzzing: Introduction
- A LibAFL Introductory Workshop
- The Blitz Tutorial Lab on Fuzzing with AFL++
- State of Linux Snapshot Fuzzing
- Fuzzing between the lines in popular barcode software
- Boofuzz
- Syzkaller - Kernel Fuzzer
- parking-game-fuzzer
Fundamentals
- OWASP Fuzzing Info
- Fuzz Testing of Application Reliability
- FuzzingPaper Collection
- Google Fuzzing Forum
IoT-Specific Fuzzing
- Fuzzing ICS Protocols
- Fuzzowski - Network Protocol Fuzzer
- FIRM-AFL: High-Throughput IoT Firmware Fuzzing
- Snipuzz: Black-box Fuzzing of IoT Firmware
- Fuzzing IoT Binaries Part 1
- Fuzzing IoT Binaries Part 2
- Awesome Embedded Fuzzing
Tools
Pentesting Operating Systems
- AttifyOS
- IoT Penetration Testing OS v1
- EmbedOS
- Sigint OS - LTE IMSI Catcher
- Instant GNU Radio OS
- Dragon OS - SDR Software
- Skywave Linux - SDR
- Zephyr RTOS
- Ubuntu LTS
Search Engines
- Shodan
- Censys
- ZoomEye
- BinaryEdge
- Thingful
- Wigle
- Hunter.io
- BuiltWith
- NetDB
- Recon-ng
- PublicWWW
-
FCC ID Database
Defensive Security
Threat Modeling
- STRIDE Threat Model Guide - Practical DevSecOps
- OWASP Threat Modeling Process
- STRIDE-based Threat Modeling for IoT Precision Agriculture
STRIDE Framework
- What is STRIDE in Threat Modeling - Security Compass
- Threat Modeling with ATT&CK - MITRE
- What is Threat Modeling - Fortinet
IoT-Specific Threat Modeling
- STRIDE Threat Modeling for IoT Smart Home
- STRIDE Threat Modeling for Smart Solar Energy Systems
- STRIDE Threat Modeling for IoT Healthcare Systems
- STRIDE for IoT Agriculture - IEEE
Secure Development
- OWASP IoT Top 10
- ETSI EN 303 645 - IoT Security Standard
- Compiler Options Hardening Guide for C and C++
- Linux Hardening Guide
- Docker Security ā Step-by-Step Hardening
-
How To Secure A Linux Server
Guidelines and Standards
- NIST IoT Cybersecurity Framework
Hardening Guides
Incident Response
Learning Resources
Training Platforms
- OpenSecurityTraining2
- cryptopals
Cheatsheets
- Hardware Hacking Cheatsheet
- Nmap Tutorial
- Pentest Hardware Handbook
- THCās favourite Tips, Tricks & Hacks
- Cross Cache Attack CheetSheet
Vulnerability Guides
- OWASP IoT Top 10 2018 Mapping
- Reflecting on OWASP IoT Top 10
- CVE North Stars
- IoT Vulnerabilities with CVE and PoC
- Linux Privilege Escalation
Pentesting Guides
- Shodan Pentesting Guide
- Modern Vulnerability Research on Embedded Systems
- Awesome Embedded Systems Vulnerability Research
YouTube Channels
- Joe Grand
- LiveOverflow
- Binary Adventure
- EEVBlog
- Craig Smith
- IoTSecurity101
- Besim ALTINOK
- Ghidra Ninja
- Cyber Gibbons
- Scanline
- Aaron Christophel
- Valerio Di Giampietro
- Gamozo Labs - Printer Hacking
Books
Hardware Hacking
- The Hardware Hacking Handbook - Jasper van Woudenberg & Colin OāFlynn (2021)
- Practical Hardware Pentesting - Jean-Georges Valle (2021)
- Practical Hardware Pentesting 2nd Edition (2023)
- Hardware Hacking: Have Fun While Voiding Your Warranty - Joe Grand (2004)
- Hacking the Xbox - Andrew ābunnieā Huang (2013)
- The Art of PCB Reverse Engineering - Keng Tiong (2015)
- Manual PCB-RE: The Essentials - Keng Tiong (2021)
- Hardware Security Training, Hands-on! (2023)
- Hardware Security: Challenges and Solutions (2025)
- Mastering Hardware Hacking (2025)
- Ultimate Hardware Hacking Gear Guide
- Microcontroller Exploits (2024)
Firmware and Reverse Engineering
- The Firmware Handbook - Jack Ganssle (2004)
- Learning Linux Binary Analysis - Ryan OāNeill (2016)
- Fuzzing Against the Machine (2023)
- Ghidra Software Reverse Engineering 2nd Edition (2025)
- The Definitive Handbook on Reverse Engineering Tools (2025)
IoT Security
- Abusing the Internet of Things - Nitesh Dhanjani (2015)
- IoT Penetration Testing Cookbook - Aaron Guzman & Aditya Gupta (2017)
- Practical IoT Hacking: The Definitive Guide (2021)
-
PatrIoT: Practical and Agile Threat Research for IoT (2022)
Wireless and RF
- Inside Radio: An Attack and Defense Guide - Qing Yang, Lin Huang (2018)
- Hack the Airwaves: Advanced BLE Exploitation (2023)
Embedded and Mobile
NFC/RFID
- Near Field Communication (NFC): From Theory to Practice (2012)
- Security Issues in Mobile NFC Devices - Michael Roland (2024)
Industrial and General Security
White Papers and Reports
IoT Series
Labs and CTFs
Vulnerable Applications
- DVID - Damn Vulnerable IoT Device
- IoTGoat - Vulnerable OpenWrt Firmware
- IoT-vulhub
- DVRF - Damn Vulnerable Router Firmware
- BLE CTF
- Microcorruption
- ARM-X CTF
IoT
Router/Firmware
Hardware
Wireless
Industrial
VoIP
CTF Competitions
Hardware CTFs
IoT CTFs
Embedded/Firmware CTFs
ARM CTFs
Continuous Learning Platforms
Lab Setup
Research and Community
Technical Research
- Dropcam Hacking
- LED Light Hacking
- PS4 Jailbreak Status
- Lenovo Watch X Privacy Issues
- Smart Scale Privacy Issues
- Besder IP Camera Security Analysis
- Smart Lock Vulnerabilities
Blogs
- Team82 Research
- Voidstarsec
- wrongbaud
- Firmware Analysis
- Exploitee.rs
- Payatu Blog
- Raelize Blog
- JCJC Dev
- W00tsec
- Devttys0
- Embedded Bits
- Keenlab
- Courk.cc
- IoT Security Wiki
- Cybergibbons
- Firmware.RE
- K3170makan
- Tclaverie
- Besimaltinok
- Ctrlu
- IoT Pentest
- Duo Decipher
- Sp3ctr3
- 0x42424242
- Dantheiotman
- Danman
- Quentinkaiser
- Quarkslab
- Ice9
- F-Secure Labs
- MG.lol
- CJHackerz
- Bunnieās Blog
- Synacktiv Publications
- Cr4.sh
- Ktln2
- Naehrdine
- Limited Results
- Fail0verflow
- Exploit Security
- Attify Blog
- Jilles.com
- Syss Tech Blog
- HardBreak Wiki
- 8ksec
- Starlabs
- boschko.ca
- 0xtriboulet
- Nozomi Networks
Community Platforms
- IoTSecurity101 Telegram
- IoTSecurity101 Reddit
- IoTSecurity101 Discord
- Hardware Hacking Telegram
Villages
- IoT Village
-
RF Hackers
Researchers to Follow
- Jilles
- Joe Fitz
- Aseem Jakhar
- Cybergibbons
- Jasper
- Dave Jones
- bunnie
- Ilya Shaposhnikov
- Mark C.
- Aaron Guzman
- Yashin Mehaboobe
- Arun Magesh
- Mr-IoT
- QKaiser
- 9lyph
Device-Specific Research
Cameras
- ARLO: IāM WATCHING YOU
- Hacking a Tapo TC60 Camera
- Rooting a Hive Camera
- Pwn2Own: Synology BC500 IP Camera
- Turning Camera Surveillance on its Axis
- Pwn2Own Ireland 2024 ā Ubiquiti AI Bullet
Smart Home Devices
- Hacking a Smart Home Device
- The Silent Spy Among Us: Smart Intercom Attacks
- Pwnassistant - Home Assistant RCE
- Hacking Sonoff Smart Home IoT Device
Smart Speakers
- Turning Google smart speakers into wiretaps for $100k
- Smart Speaker Shenanigans: Making the Sonos ONE Sing its Secrets
- Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap
- Streaming Zero-Fi Shells to Your Smart Speaker
Printers
- Pwning a Brother labelmaker, for fun and interop!
- lexmark printer haxx
- Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw
- Print Scan Hacks: Brother devices
Drones
- DJI Mavic 3 Drone Research: Firmware Analysis
- DJI Mavic 3 Drone Research: Vulnerability Analysis
- DJI - The ART of obfuscation
- Local Privilege Escalation on the DJI RM500 Smart Controller
Kitchen Appliances
NAS Devices
- A Pain in the NAS: Synology DS920+ Edition
- Weekend Destroyer - RCE in Western Digital PR4100 NAS
- Exploiting the Synology TC500 at Pwn2Own Ireland 2024
Game Consoles
- Hacking the Nintendo DSi Browser
- mast1c0re: Exploiting the PS4 and PS5 through a game save
- Being Overlord on the Steam Deck with 1 Byte
- Hacking the XBox 360 Hypervisor
Phones/Tablets
- Pixel 6 Bootloader Series
- Solo: A Pixel 6 Pro Story
- Gaining kernel code execution on an MTE-enabled Pixel 8
- Bypassing MTE with CVE-2025-0072
- Debugging the Pixel 8 kernel via KGDB
- A First Glimpse of the Starlink User Terminal
- Diving into Starlinkās User Terminal Firmware
TrustZone and TEE Research
- ARM TrustZone: pivoting to the secure world
- TEE Reversing
- A Deep Dive into Samsungās TrustZone - Parts 1-3
- Researching Xiaomiās TEE
- Kinibi TEE: Trusted Application Exploitation
- Reversing Samsungās H-Arx Hypervisor Framework
- EL3vated Privileges: Glitching Google WiFi Pro from Root to EL3
Pwn2Own Research
- Your not so āHome Officeā - SOHO Hacking at Pwn2Own
- Pwn2Own Toronto 2023 Series - Parts 1-5
-
Pwn2Own: WAN-to-LAN Exploit Showcase
Contributing
Contributions welcome. Submit a PR with new resources following the existing structure.
License
This collection is provided for educational and research purposes.