{"id":1881,"date":"2019-06-11T16:31:25","date_gmt":"2019-06-11T14:31:25","guid":{"rendered":"https:\/\/archive.brucon.org\/2019\/?page_id=1881"},"modified":"2019-07-17T09:34:19","modified_gmt":"2019-07-17T07:34:19","slug":"practical-iot-hacking","status":"publish","type":"page","link":"https:\/\/archive.brucon.org\/2019\/brucon-2019-training\/practical-iot-hacking\/","title":{"rendered":"Practical IoT hacking"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Course_Description\" class=\"mw-headline\">Course Description<\/span><\/h2>\n<div class=\"thumb tright\">\n<div class=\"thumbinner\">\n<div class=\"thumbcaption\">\n<div class=\"magnify\">\n<p>&#8220;The great power of Internet Of Things comes with the great responsibility of security&#8221;. Being the\u00a0hottest technology, the developments and innovations are happening at a stellar speed, but the\u00a0security of IoT is yet to catch up. Since the safety and security repercussions are serious and at\u00a0times life threatening, there is no way you can afford to neglect the security of IoT products.<\/p>\n<p>&#8220;Practical Internet of Things (IoT) Hacking\u201d is a unique course which offers security professionals,\u00a0a comprehensive understanding of the complete IoT Technology suite including, IoT protocols,\u00a0sensors, client side, mobile, cloud and their underlying weaknesses. The extensive hands-on labs\u00a0enable attendees to identify, exploit or fix vulnerabilities in IoT, not just on emulators but on real\u00a0\u00a0smart devices as well.<\/p>\n<p>The course focuses on the attack surface on current and evolving IoT technologies in various\u00a0domains such as home, enterprise Automation etc. It covers grounds-up on various IoT protocols\u00a0including internals, specific attack scenarios for individual protocols and open source\u00a0software\/hardware tools one needs to have in their IoT penetration testing arsenal. 
It also covers\u00a0hardware attack vectors and approaches to identify respective vulnerabilities. In addition to the\u00a0protocols and hardware it also focuses on reverse engineering mobile apps and native code to find\u00a0weaknesses.<\/p>\n<p>Throughout the course, we will use eXos, a VM and a Raspberry Pi which was created by us\u00a0specifically for IoT penetration testing. eXos is the result of our R&amp;D and has most of the required\u00a0tools for IoT security analysis. We will also distribute DIVA \u2013 IoT, a vulnerable IoT sensor made\u00a0in-house for hands-on exercises. The \u201cPractical Internet of Things (IoT) Hacking\u201d course is aimed at security professionals who\u00a0want to enhance their skills and move to\/specialise in IoT security. The course is structured for\u00a0beginner to intermediate level attendees who do not have any experience in IoT, reversing or\u00a0hardware.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Course_contents\" class=\"mw-headline\">Course contents<\/span><\/h2>\n<ul>\n<li>Introduction to IoT<\/li>\n<li>IoT Architecture<\/li>\n<li>IoT attack surface<\/li>\n<li>Expliot \u2013 IoT exploitation framework\n<ul>\n<li>Introduction<\/li>\n<li>Architecture<\/li>\n<li>Test Cases<\/li>\n<\/ul>\n<\/li>\n<li>IoT Protocols Overview<\/li>\n<li>MQTT\n<ul>\n<li>Introduction<\/li>\n<li>Protocol Internals<\/li>\n<li>Reconnaissance<\/li>\n<li>Information leakage<\/li>\n<li>DoS attacks<\/li>\n<li>Hands-on with open source tools<\/li>\n<\/ul>\n<\/li>\n<li>CoAP\n<ul>\n<li>Introduction<\/li>\n<li>Protocol Internals<\/li>\n<li>Reconnaissance<\/li>\n<li>Hands-on with open source tools<\/li>\n<\/ul>\n<\/li>\n<li>Radio IoT Protocols Overview<\/li>\n<li>Zigbee\n<ul>\n<li>Introduction and protocol Overview<\/li>\n<li>Reconnaissance (Active and Passive)<\/li>\n<li>Sniffing and Eavesdropping<\/li>\n<li>Decrypting 
communication<\/li>\n<li>Replay attacks<\/li>\n<li>Hands-on with RZUSBstick and open source tool<\/li>\n<\/ul>\n<\/li>\n<li>BLE\n<ul>\n<li>Introduction and protocol Overview<\/li>\n<li>Reconnaissance (Active and Passive) with HCI tools<\/li>\n<li>GATT service Enumeration<\/li>\n<li>Sniffing GATT protocol communication<\/li>\n<li>Reversing GATT protocol communication<\/li>\n<li>Read and writing on GATT protocol<\/li>\n<li>Fuzzing Characteristic values<\/li>\n<\/ul>\n<\/li>\n<li>Mobile security (Android)\n<ul>\n<li>Introduction to Android<\/li>\n<li>App architecture<\/li>\n<li>Security architecture<\/li>\n<li>App reversing and Analysis<\/li>\n<\/ul>\n<\/li>\n<li>ARM\n<ul>\n<li>Architecture<\/li>\n<li>Instruction Set<\/li>\n<li>Procedure call convention<\/li>\n<li>System call convention<\/li>\n<li>Reversing<\/li>\n<li>Hands-on Labs<\/li>\n<\/ul>\n<\/li>\n<li>Device Reconnaissance<\/li>\n<li>Firmware\n<ul>\n<li>Types<\/li>\n<li>Firmware updates<\/li>\n<li>Firmware analysis and reversing<\/li>\n<li>Firmware modification<\/li>\n<li>Firmware encryption<\/li>\n<li>Simulating device environment<\/li>\n<\/ul>\n<\/li>\n<li>IoT hardware Overview<\/li>\n<li>Introduction to hardware\n<ul>\n<li>Components<\/li>\n<li>Memory<\/li>\n<li>Packages<\/li>\n<\/ul>\n<\/li>\n<li>Hardware Tools\n<ul>\n<li>Expliot Nano<\/li>\n<li>EEPROM readers<\/li>\n<li>Jtagulator\/Jtagenum<\/li>\n<li>Logic Analyzer<\/li>\n<\/ul>\n<\/li>\n<li>Attacking Hardware Interfaces<\/li>\n<li>Hardware recon\n<ul>\n<li>Hardware Reconnaissance\n<ul>\n<li>Analyzing the board<\/li>\n<li>Datasheets<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Attacking Debug ports\n<ul>\n<li>What are debug ports<\/li>\n<li>Importance<\/li>\n<li>UART\n<ul>\n<li>Introduction<\/li>\n<li>Identifying UART interface\n<ul>\n<li>Method 1<\/li>\n<li>Method 2<\/li>\n<\/ul>\n<\/li>\n<li>Accessing sensor via UART<\/li>\n<li>Brute-forcing Custom consoles<\/li>\n<\/ul>\n<\/li>\n<li>JTAG\n<ul>\n<li>Introduction<\/li>\n<li>Identifying JTAG 
interface\n<ul>\n<li>Method 1<\/li>\n<li>Method 2<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Extracting firmware from the microcontroller<\/li>\n<li>Run-time patching the firmware code<\/li>\n<\/ul>\n<\/li>\n<li>Attacking the Memory\n<ul>\n<li>Where and What data is stored?<\/li>\n<li>Common memory chips and protocols<\/li>\n<li>I2C\n<ul>\n<li>Introduction<\/li>\n<li>Interfacing with I2C<\/li>\n<li>Manipulating Data via I2C<\/li>\n<li>Sniffing run-time I2C communication<\/li>\n<\/ul>\n<\/li>\n<li>SPI\n<ul>\n<li>Introduction<\/li>\n<li>Interfacing with SPI<\/li>\n<li>Manipulating data via SPI<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Target_audience\" class=\"mw-headline\">Target audience<\/span><\/h2>\n<ul>\n<li style=\"font-weight: 400\">Penetration testers tasked with auditing IoT<\/li>\n<li style=\"font-weight: 400\">Bug hunters who want to find new bugs in IoT products<\/li>\n<li style=\"font-weight: 400\">Government officials from defensive or offensive units<\/li>\n<li style=\"font-weight: 400\">Red team members tasked with compromising the IoT infrastructure<\/li>\n<li style=\"font-weight: 400\">Security professionals who want to build IoT security skills<\/li>\n<li style=\"font-weight: 400\">Embedded security enthusiasts<\/li>\n<li style=\"font-weight: 400\">IoT Developers and testers<\/li>\n<li style=\"font-weight: 400\">Anyone interested in IoT security<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Requirements\" class=\"mw-headline\">Requirements<\/span><\/h2>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Basic knowledge of web and mobile security<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Knowledge of Linux OS<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Basic knowledge of programming 
&#8211; Python<\/span><\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Hardware.2Fsoftware_Requirements\" class=\"mw-headline\">Hardware\/Software Requirements<\/span><\/h2>\n<ul>\n<li style=\"font-weight: 400\">Laptop with at least 50 GB free space<\/li>\n<li style=\"font-weight: 400\">8+ GB minimum RAM (4+ GB for the VM)<\/li>\n<li style=\"font-weight: 400\">External USB access (min. 2 USB ports)<\/li>\n<li style=\"font-weight: 400\">Administrative privileges on the system<\/li>\n<li style=\"font-weight: 400\">Virtualization software \u2013 Latest VirtualBox (5.2.X) (including VirtualBox Extension Pack)<\/li>\n<li style=\"font-weight: 400\">Linux host machines should have exfat-utils and exfat-fuse installed (e.g. sudo apt-get install\u00a0exfat-utils exfat-fuse).<\/li>\n<li style=\"font-weight: 400\">Virtualization (VT-x) option enabled in the BIOS settings for VirtualBox to work<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>What attendees will be provided with<\/h2>\n<ul>\n<li style=\"font-weight: 400\">Commercial IoT Devices for hands-on (only during the class)<\/li>\n<li style=\"font-weight: 400\">DIVA &#8211; IoT: custom vulnerable IoT sensor Testbed for hands-on (only during the class)<\/li>\n<li style=\"font-weight: 400\">Hardware tools for hands-on (only during the class)<\/li>\n<li style=\"font-weight: 400\">eXos VM &#8211; Platform for IoT Penetration testing<\/li>\n<li style=\"font-weight: 400\">Training material\/slides<\/li>\n<li style=\"font-weight: 400\">Practical IoT hacking Lab manual PDF<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>What to expect<\/h2>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Hands-on Labs<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Reversing fun<\/span><\/li>\n<li 
style=\"font-weight: 400\"><span style=\"font-weight: 400\">Getting familiar with IoT security<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">This course will give you a direction to start performing pentests on IoT products<\/span><\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2>What not to expect<\/h2>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Becoming a hardware\/IoT hacker overnight. Use the knowledge gained in the training to start pentesting IoT devices and sharpen your skills.<\/span><\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Trainer_Biography\" class=\"mw-headline\">Trainer Biography<\/span><\/h2>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;5\/6&#8243;][vc_column_text]Payatu trainers are highly specialized security professionals in their respective fields and deliver high-tech trainings around the world for private customers as well as global cyber security conferences.<\/p>\n<p><strong>Aseem Jakhar<\/strong> is the Director, Research at Payatu (<a href=\"http:\/\/payatu.com\" target=\"_blank\" rel=\"noopener\">payatu.com<\/a>), a boutique security testing company\u00a0specializing in IoT, embedded, mobile and cloud security assessments. 
He is well known in the\u00a0hacking and security community as the founder of null &#8211; The open security community, a registered\u00a0not-for-profit organization (http:\/\/null.co.in), and also the founder of nullcon security conference\u00a0<a href=\"http:\/\/nullcon.net\" target=\"_blank\" rel=\"noopener\">nullcon.net<\/a> and hardwear.io security conference <a href=\"http:\/\/hardwear.io\" target=\"_blank\" rel=\"noopener\">http:\/\/hardwear.io<\/a>.<\/p>\n<p>He has worked on various\u00a0security software including UTM appliances, messaging\/security appliances, an anti-spam engine, antivirus software, a transparent HTTPS proxy with captive portal and a Bayesian spam filter, to name a few.\u00a0He currently spends his time researching IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, BlackHat, Brucon, Defcon, Hack In The\u00a0Box, Hack.lu, Hack in Paris, PHDays and many more. He is the author of various open source\u00a0security tools including:<\/p>\n<ul>\n<li>ExplIoT \u2013 An open source Internet Of Things Security Testing and Exploitation framework &#8211; <a href=\"https:\/\/bitbucket.org\/aseemjakhar\/expliot_framework\" target=\"_blank\" rel=\"noopener\">https:\/\/bitbucket.org\/aseemjakhar\/expliot_framework<\/a><\/li>\n<li>Linux thread injection kit &#8211; Jugaad and Indroid which demonstrate a stealthy in-memory\u00a0malware infection technique. 
Indroid &#8211;\n<ul>\n<li><a href=\"https:\/\/bitbucket.org\/aseemjakhar\/indroid\" target=\"_blank\" rel=\"noopener\">https:\/\/bitbucket.org\/aseemjakhar\/indroid<\/a><\/li>\n<li><a href=\"https:\/\/bitbucket.org\/aseemjakhar\/jugaad\" target=\"_blank\" rel=\"noopener\">https:\/\/bitbucket.org\/aseemjakhar\/jugaad<\/a><\/li>\n<\/ul>\n<\/li>\n<li>DIVA (Damn Insecure and Vulnerable App) for Android which gamifies Android App\u00a0vulnerabilities and is used for learning Android Security issues.<br \/>\n<a href=\"https:\/\/github.com\/payatu\/diva-android\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/payatu\/diva-android<\/a><\/li>\n<li>Dexfuzzer \u2013 Dex file format Fuzzer. <a href=\"https:\/\/bitbucket.org\/aseemjakhar\/dexfuzzer\/src\" target=\"_blank\" rel=\"noopener\">https:\/\/bitbucket.org\/aseemjakhar\/dexfuzzer\/src<\/a><\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/6&#8243;][vc_single_image image=&#8221;1909&#8243; css=&#8221;.vc_custom_1560333167334{margin-top: 50% !important;}&#8221;][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;5\/6&#8243;][vc_column_text]<strong>Arun Magesh<\/strong> works as an IoT Security Researcher at Payatu and has worked on numerous smart\u00a0device pentests in the past couple of years. With an electrical engineering academic background, he\u00a0serves as a core committee member for several IoT local chapters and hackerspaces in India, where\u00a0he regularly delivers talks and hands-on workshops. He has 5+ years of hands-on experience in both\u00a0building and breaking IoT devices and has previously been awarded India\u2019s Top 25 under 25\u00a0technologist and Intel Software Innovator. He has delivered training to numerous governmental and\u00a0private organizations around the world. He is also a speaker and trainer at several conferences like\u00a0BlackHat, DEFCON, HackInParis, NullCon, zer0con, RISC, Intel Devfest, EFY IoT Conference\u00a0and BruCON. 
His main focus area in IoT is embedded device and SDR security. He has also built\u00a0and contributed to a number of projects such as Brain-Computer interfacing and Augmented Reality solutions.[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/6&#8243;][vc_single_image image=&#8221;1912&#8243;][\/vc_column][\/vc_row][vc_row][vc_column][vc_empty_space][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row][vc_column][vc_column_text] Course Description &#8220;The great power of Internet Of Things comes with the great responsibility of security&#8221;. Being the\u00a0hottest technology, the developments and innovations are happening at a stellar speed, but the\u00a0security of IoT is yet to catch up. Since the safety and security repercussions are serious and at\u00a0times life threatening, there is no way you can afford to neglect the security of IoT products. &#8220;Practical Internet of Things (IoT) Hacking\u201d is a unique course&#8230;<\/p>\n","protected":false},"author":8,"featured_media":0,"parent":75,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1881","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/pages\/1881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/comments?post=1881"}],"version-history":[{"count":8,"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/pages\/1881\/revisions"}],"predecessor-version":[{"id":1900,"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/pages\/1881\/revisions\/1900"}],"up":
[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/pages\/75"}],"wp:attachment":[{"href":"https:\/\/archive.brucon.org\/2019\/wp-json\/wp\/v2\/media?parent=1881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}