Practical IoT Hacking: Basic Edition

Payatu | March 20 - 21


"The great power of Internet of Things comes with the great responsibility of security". IoT is the hottest technology, and developments and innovations are happening at a stellar speed, but the security of IoT is yet to catch up. Since the safety and security repercussions are serious and at times life-threatening, there is no way you can afford to neglect the security of IoT products.

"Practical IoT Hacking: Basic Edition" is a unique, research-backed course that offers security professionals a good understanding of the core of IoT technology, i.e. IoT protocols, sensor tech and their underlying weaknesses. The extensive hands-on labs enable attendees to master the art, tools and techniques to find-n-exploit or find-n-fix the vulnerabilities in IoT, not just on emulators but on real smart devices as well.

The course is aimed at security professionals who want to enhance their skills and move to or specialize in IoT security. The course is structured for beginner-level attendees who do not have any experience in IoT, reversing or hardware.

The course specifically focuses on the security issues and attacks on evolving IoT technologies, including widely used IoT protocols and platforms in various domains such as home, enterprise etc. It covers various IoT protocols from the ground up, including internals, specific attack scenarios for individual protocols and the open source software/hardware tools one needs to have in their IoT penetration testing arsenal. We also discuss in detail how to attack the underlying hardware of the sensors using various practical techniques.

Attendees will be provided with:
  • Drona - an attack VM that has most of the required tools and features for IoT security analysis.
  • ExplIoT - Open Source IoT exploitation framework created by us specifically for IoT penetration testing.
  • DIVA–IoT - a vulnerable IoT sensor made in-house for hands-on exercises.
  • Practical IoT Hacking Lab Manual - with detailed and step by step information on each lab.

Course Layout

  • IoT Architecture
  • IoT Attack Surface
  • IoT Security Testing process
  • ExplIoT Framework architecture
  • Writing your own exploits/test cases using ExplIoT
  • IoT Protocol attacks - MQTT, CoAP...

  • Radio IoT Protocol attacks - ZigBee, BLE
  • Conventional attacks on Sensors
  • Firmware analysis and Reverse engineering
  • External Storage Attacks
  • Hardware components and Reconnaissance
  • Identifying Debug ports
  • Interfacing with debug ports
  • Analyzing and extracting data from memory chips
  • Sniffing bus communication
  • Hardware protocol understanding - UART, I2C, SPI, JTAG...

Who Should Take this Course

  • Penetration testers who want to get into IoT security
  • Bug hunters who want to find new bugs in IoT products
  • Government officials from defensive or offensive units
  • Red team members tasked with compromising the IoT infrastructure
  • Security professionals who want to build IoT security skills
  • Embedded security enthusiasts
  • IoT Developers and testers
  • Anyone interested in IoT security

Student Requirements

  • Basic knowledge of Penetration testing (web or network or mobile)
  • Basic knowledge of Linux OS
  • Basic knowledge of programming (C, python) would be a plus

What Students Should Bring

  • Laptop with at least 40 GB free space
  • 8+ GB minimum RAM (4+GB for the VM)
  • External USB access (minimum 2)
  • Administrative privileges on the system
  • Virtualization software – VirtualBox 5.X
  • Linux machines should have exfat-utils and exfat-fuse installed (e.g. sudo apt-get install exfat-utils exfat-fuse)
  • Virtualization (VT-x) option enabled in the BIOS settings for VirtualBox to work

What Students Will Be Provided With

  • Commercial IoT Devices for hands-on during the class
  • DIVA - IoT: custom vulnerable IoT board
  • Hardware tools for sensor analysis (only during the training)
  • Drona VM - Platform for IoT Penetration testing
  • Training material/slides
  • Practical IoT Hacking Lab Manual (100+ Pages)


Aseem Jakhar is the Director, Research at Payatu Software Labs (http://payatu.com), a boutique security testing company specializing in IoT, embedded, cloud and mobile security testing. He is the founder of null - The open security community, a registered not-for-profit organization (http://null.co.in), and also the founder of the nullcon security conference (http://nullcon.net) and the hardwear.io security conference. He has worked on various security software including UTM appliances, messaging/security appliances, an anti-spam engine, anti-virus software and a Bayesian engine, to name a few. He currently spends his time researching IoT security and hacking things. He is an active speaker and trainer at security conferences like AusCERT, Black Hat, Brucon, Defcon, Hack.lu, Hack in Paris, Hack In The Box, PHDays and many more. He has authored various open source security software including:

  • ExplIoT - IoT Exploitation Framework
  • DIVA (Damn Insecure and Vulnerable App) for Android
  • Jugaad/Indroid - Linux Thread injection kit for x86 and ARM
  • Dexfuzzer - Dex file format fuzzer