DIVA – IoT: custom vulnerable IoT board
Bug hunters who want to find new bugs in IoT products
Drona VM – Platform for IoT Penetration testing
Hardware protocol understanding – UART, I2C, SPI, JTAG…
Aseem Jakharis the Director, research at Payatu Software Labs a boutique security testing company specializing in IoT, Embedded, cloud, mobile security testing. He is the founder of null-The open security community, registered not-for-profit organization and also the founder of nullcon security conference and hardwear.io security conference. He has worked on various security software including UTM appliances, messaging/security appliances, anti-spam engine, anti-virus software, bayesian engine to name a few. He currently spends his time researching on IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, Brucon, Defcon, Hack.lu, Hack in Paris, Hack In The Box, PHDays and many more. He has authored various open source security software including – ExplIoT – IoT Exploitation Framework – DIVA (Damn Insecure and Vulnerable App) for Android – Jugaad/Indroid – Linux Thread injection kit for x86 and ARM – Dexfuzzer – Dex file format fuzzer
The course is aimed at security professionals who want to enhance their skills and move to/specialize in IoT security. The course is structured for beginner level attendees who do not have any experience in IoT, reversing or hardware.
Hardware components and Reconnaissance
The great power of Internet Of Things comes with the great responsibility of security. Being the hottest technology, the developments and innovations are happening at a stellar speed, but the security of IoT is yet to catch up. Since the safety and security repercussions are serious and at times life threatening, there is no way you can afford to neglect the security of IoT products.
1. Drona – an attack VM that has most of the required tools and features for IoT security analysis.
Hardware tools for sensor analysis (only during the training)
Firmware analysis and Reverse engineering
3. DIVAIoT – a vulnerable IoT sensor made in-house for hands-on exercises.
The course specifically focuses on the security issues and attacks on evolving IoT technologies including widely used IoT protocols and platforms in various domains such as home, enterprise etc. It covers grounds-up on various IoT protocols including internals, specific attack scenarios for individual protocols and open source software/hardware tools one needs to have in their IoT penetration testing arsenal. We also discuss in detail how to attack the underlying hardware of the sensors using various practical techniques.
What Students Will Be Provided With
Analyzing and extracting data from memory chips
Red team members tasked with compromising the IoT infrastructure
Commercial IoT Devices for hands-on (only during the training)
8+ GB minimum RAM (4+GB for the VM)
Virtualization (Vx-t) option enabled in the BIOS settings for virtualbox to work
Practical IoT Hacking Lab Manual (100+ Pages)
Virtualization software VirtualBox 5.X
Laptop with at least 40 GB free space
Radio IoT Protocol attacks – ZigBee, BLE
4. Practical IoT Hacking Lab Manual – with detailed and step by step information on each lab.
Basic knowledge of programming (C, python) would be a plus
Penetration testers who want to get into IoT security
2. ExplIoT – Open Source IoT exploitation framework created by us specifically for IoT penetration testing.
Basic knowledge of Penetration testing (web or network or mobile)
Security professionals who want to build IoT security skills
Practical IoT Hacking: Basic Edition is a research backed and unique course which offers security professionals, a good understanding of the core of IoT Technology i.e. IoT protocols, sensor tech and their underlying weaknesses. The extensive hands-on labs enable attendees to master the art, tools and techniques to find-n-exploit or find-n-fix the vulnerabilities in IoT, not just on emulators but on real smart devices as well.
Administrative privileges on the system
Linux machines should have exfat-utils and exfat-fuse installed (ex: sudo apt-get install exfat-utils exfat-fuse)
Government officials from defensive or offensive units