On This Page

Offensive Internet of Things (IoT) Exploitation

Attify - IoT & Mobile Security | November 1 - 2


IoT or the Internet of Things is a big upcoming trend in technology. A lot of new IoT devices are coming to the market every single month with little or no importance given to how safe or secure these devices really are. "Offensive IoT Exploitation" is a unique course which offers security enthusiasts and penetration testers alike, the ability to understand how to assess and exploit the security of these smart devices.

Offensive Internet of Things (IoT) Exploitation will get you started with pentesting IoT devices in real world scenarios. During the 2-day class, you will get to experiment with various IoT devices, analyzing, debugging and exploiting firmware, attacking radio communication protocols and performing hardware exploitation.

The training will cover different types of IoT devices, assessing their attack surfaces and writing exploits for them. Assuming basic pentesting experience, the class will provide a solid understanding of the architecture of IoT devices, firmware extraction, serial-based exploitation and radio reverse engineering.

The course labs include both emulated environments as well as physical devices which will be provided to the attendees during the training. The attendees will be provided with AttifyOS. The operating system is an open source custom Linux distribution equipped with all the tools needed for IoT exploitation.

After the 2-days class, the attendees will be able to:

  • Mapping IoT device architecture
  • Identifying attack surfaces
  • Writing exploits to compromise devices
  • Exploiting connected apps
  • Firmware reversing and analysis
  • Firmware dumping UART, JTAG and SPI
  • Hardware & embedded exploitation
  • SDR and wireless protocol analysis
  • BLE, Zigbee, ZWave

Offensive IoT Exploitation is the course for you if you want to try exploitation on new hardware and find security vulnerabilities and 0-days. At the end of the class, there will be a final CTF challenge where the attendees will have to identify security vulnerabilities and exploit them, in a completely unknown device.

Who Should Take this Course

  • Pentesters and security professionals
  • IoT developers
  • IoT enthusiasts
  • Anyone interested in learning about IoT security

Student Requirements

  • Interest in IoT exploitation
  • Basic programming experience, Python scripting is an additional bonus.
  • Basic Assembly knowledge for MIPS

What Students Should Bring

  • Laptop with at least 25 GB of free space
  • Minimum 4 GB RAM
  • Administrative privileges on the system
  • Virtualisation software

What Students Will Be Provided With

  • AttifyOS – Custom distro for pentesting IoT devices and environments
  • Printed lab reference material and handouts
  • 400+ slides (PDF Copy)


Aditya Gupta (@adi1391) is the founder and principal consultant of Attify, an IoT and mobile security firm, and a leading mobile security expert and evangelist. He has done a lot of in-depth research on mobile application security and IoT device exploitation. He is also the author of the popular Android security book "Learning Pentesting for Android Devices" that sold over 15,000 copies, since it was published in March 2014. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe and many more. He has also published a research paper on ARM Exploitation titled "A Short Guide on ARM Exploitation." In his previous roles, he has worked on mobile security, application security, network penetration testing, developing automated internal tools to prevent fraud, finding and exploiting vulnerabilities and so on. He is also a frequent speaker and trainer at numerous international security conferences including Black Hat, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, Clubhack amongst others, and also provides private and customized training programmes for organizations.

Norman Shamas is a IoT Pentester and trainer at Attify (attify.com ) , an IoT and Mobile security firm. Attify has done a lot of in-depth research on Mobile application security and IoT device Exploitation. Norman has previously worked on numerous smart home pentests, ICS exploitation, Radio protocol analysis, Reversing custom protocols, and finding out unique attack vectors for exploiting the Internet of Things during penetration testing engagements. He has previously also developed information security protocols for applications and information systems deployed in repressive contexts, such as Syria.