Practical IoT Exploitation is a unique course being launched at OWASP AppSec by Attify. The previous version of the course titled “Offensive IoT Exploitation” has been run in various conferences such as BlackHat (US, EU, Asia), Brucon, HIP and many other places.
IoT or the Internet of Things is one of the most upcoming trends in technology as of now. A lot many new devices are coming up every single month. However, not much attention has been paid to the device's security till now. "Practical IoT Exploitation" is a brand new and unique course which offers pentesters the ability to assess and exploit the security of these smart devices - by looking deep depth into the devices, their radio communications and interactions with the real world, and then exploiting them.
The training will cover different varieties of IoT devices, assessing their attack surfaces, reversing their communication protocols and writing exploits for them. This is a 2-day action packed class covering topics like firmware analysis, identifying attack surface, analyzing Zigbee communication, finding vulnerabilities and then finally exploiting the vulnerabilities.
The course labs include both emulated environments as well as real live devices which will be provided to the attendees during the training. Practical IoT Exploitation training is designed for pentesters who want to kickstart their career in IoT Pentesting and the training does not expect the attendees to have a prior knowledge of assembly, mobile security or reversing. The attendees will be provided with VM image for IoT security testing platform called IoTa created by the trainers themselves.
After the 2-days class, the attendees will be able to:
Extract and analyze device firmwares
Analysing firmware and binaires using IDA pro
Hands-on Labs with UART, SPI
JTAG interaction and debugging
Identify attack surfaces and write fuzzers
Device Scanning and reversing communication APIs
USB Attacks
Familiarity with NFC, Bluetooth, RFID
BLE Analysis and packet analysis
Attacks on Zigbee - Hands-on labs
Practical IoT Exploitation is the course for you if you want to try exploitation on new hardwares and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them, in a completely unknown device - created exclusively for the OWASP AppSec training.
Requiremnets: Hardware:
- At least 25 GB of free space
- Laptop having a minimum of 4 GB RAM
- USB access allowed
Software:
- Virtualization software installed
- Administrative privileges on the system
At the start of the class, we will share the devices and AttifyOS VM which will have all the tools preconfigured for the training.
During the Radio section of the class, we have seen some students encounter issues with the hardware not being detected in the VM while they are running on one Virtualisation software, but working with the same VM on another virtualisation software.
Though we don't often run into these issues, it's recommended to have both virtualisation tools - VirtualBox and VMWare to save time troubleshooting. In case of VMWare if you don't have the paid edition, the free VMWare Workstation Player will also work.
