AppSec USA 2016 has ended
Wednesday, October 12 • 9:00am - 5:00pm
Training Session - Practical IoT Exploitation Day 2 (2 Day)


Practical IoT Exploitation is a unique course being launched at OWASP AppSec by Attify. The previous version of the course, titled “Offensive IoT Exploitation”, has been run at various conferences such as BlackHat (US, EU, Asia), Brucon, HIP and many other places.

IoT, or the Internet of Things, is one of the most prominent emerging trends in technology right now. Many new devices are released every single month. However, not much attention has been paid to the security of these devices so far. "Practical IoT Exploitation" is a brand new and unique course which offers pentesters the ability to assess and exploit the security of these smart devices by looking in depth at the devices, their radio communications and their interactions with the real world, and then exploiting them.

The training will cover different varieties of IoT devices, assessing their attack surfaces, reversing their communication protocols and writing exploits for them. This is a 2-day, action-packed class covering topics like firmware analysis, identifying attack surface, analyzing Zigbee communication, finding vulnerabilities and finally exploiting those vulnerabilities.

The course labs include both emulated environments and real live devices, which will be provided to the attendees during the training. Practical IoT Exploitation training is designed for pentesters who want to kickstart their career in IoT pentesting, and the training does not expect attendees to have prior knowledge of assembly, mobile security or reversing. The attendees will be provided with a VM image for an IoT security testing platform called IoTa, created by the trainers themselves.

After the 2-day class, the attendees will be able to:

  • Extract and analyze device firmware
  • Analyze firmware and binaries using IDA Pro
  • Hands-on labs with UART, SPI
  • JTAG interaction and debugging
  • Identify attack surfaces and write fuzzers
  • Device scanning and reversing communication APIs
  • USB attacks
  • Familiarity with NFC, Bluetooth, RFID
  • BLE analysis and packet analysis
  • Attacks on Zigbee - hands-on labs

Practical IoT Exploitation is the course for you if you want to try exploitation on new hardware and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them in a completely unknown device, created exclusively for the OWASP AppSec training.


  • At least 25 GB of free space 
  • Laptop having a minimum of 4 GB RAM 
  • USB access allowed 
  • Virtualization software installed 
  • Administrative privileges on the system 
At the start of the class, we will share the devices and the AttifyOS VM, which will have all the tools preconfigured for the training.
During the radio section of the class, we have seen some students encounter issues where the hardware is not detected in the VM under one virtualisation software but works with the same VM under another virtualisation software.
Though we don't often run into these issues, it's recommended to have both virtualisation tools, VirtualBox and VMware, installed to save time troubleshooting. For VMware, if you don't have the paid edition, the free VMware Workstation Player will also work.


Aditya Gupta

Founder and CEO, Attify
Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile penetration testing and training firm, and a leading IoT security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation...

Norman Shamas

Attify Inc
Norman Shamas is an IoT pentester and trainer at Attify (attify.com), an IoT and mobile security firm. Attify has done a lot of in-depth research on mobile application security and IoT device exploitation and is the creator of AppWatch (https://appwatch.io) - an automated platform...

Wednesday October 12, 2016 9:00am - 5:00pm EDT
Meeting Room 13