On This Page

Offensive Hands-on Internet of Things (IoT) Exploitation

Attify - IoT & Mobile Security | July 30-31 & August 1-2


IoT or the Internet of Things is one of the most upcoming trends in technology as of now. A lot many new devices are coming up every single month. However, not much attention has been paid to the device's security till now. "Offensive IoT Exploitation" is a brand new and unique course which offers pentesters the ability to assess and exploit the security of these smart devices.

The training will cover different varieties of IoT devices, assessing their attack surfaces and writing exploits for them. The 2-day class will be hands-on giving attendees the ability to try things themselves rather than just watching the slides. We will start from the very beginning discussing about the architecture of IoT devices, and then slowly moving to firmware analysis, identifying attack surface, finding vulnerabilities and then finally exploiting the vulnerabilities.

The course labs include both emulated environments as well as real live devices which will be provided to the attendees during the training. Custom VMs provided by the trainer will be used for the entire class. After the 2-days class, the attendees will be able to:

  • Extract and analyze device firmwares
  • Debugging and Disassembling binaries
  • Exploitation with UART, SPI and JTAGs
  • Firmware Dumping
  • Hardware and Software Debugging
  • Identify attack surfaces
  • Specific Web and Mobile based vulnerabilities
  • Familiarity with Zigbee and other communication channels
  • Device Scanning
  • ARM and MIPS Reversing
  • Write exploits for the platforms
  • Bypass security mitigations

Offensive IoT Exploitation is the course for you if you want to try exploitation on new hardwares and find security vulnerabilities and 0-days in IoT devices. At the end of the class, there will be a final CTF challenge (Vulnerable IoT device and a connected mobile app prepared specifically for BH US) where the attendees will have to identify security vulnerabilities and exploit them, in a completely unknown device.

Who Should Take this Course

  • IoT Security Enthusiasts
  • Web/Mobile Pentesters
  • Embedded Developers

Student Requirements

  • Linux Familiarity
  • Interest to break devices

What Students Should Bring

  • Laptop with at least 25 GB free space
  • 4 GB minimum RAM (Anything less won't be able to run the IoT pentesting VM)
  • External USB access
  • Administrative privileges on the system
  • Virtualization software

What Students Will Be Provided With

  • IoT devices
  • Attify's IoT pentesting VM
  • Printed Lab reference material and handouts
  • 400+ slides (PDF Copy)
  • Hardware Hacking Kit to take home


Aditya Gupta (@adi1391) is the founder and principal consultant of Attify ( attify.com ) , an IoT and Mobile security firm, and leading mobile security expert and evangelist. He has done a lot of in-depth research on Mobile application security and IoT device Exploitation. He is also the author of the popular Android security book "Learning Pentesting for Android Devices" selling over 10000+ copies, since the time of launch in March 2014. He has also discovered serious web application security flaws in websites such as Google, Facebook, PayPal, Apple, Microsoft, Adobe, Skype, and many more. He has also published a research paper on ARM Exploitation titled "A Short Guide on ARM Exploitation." In his previous roles, he has worked on security of mobile devices, apps, networks, developing automated internal tools to prevent fraud, finding and exploiting vulnerabilities and so on. He is also a frequent speaker and trainer at numerous international security conferences including Black Hat, Syscan, OWASP AppSec, PhDays, Brucon, Toorcon, Clubhack etc, and also provides private training for organisations for developers and red teams all over the world.