IoT Penetration Testing

IoT Penetration Testing Essentials

The rapid expansion of the Internet of Things (IoT) has introduced unprecedented convenience and efficiency across various industries. From smart home devices and industrial sensors to medical equipment and connected vehicles, IoT technology is deeply embedded in modern life. Technological developments in IoT have not stood still either. The adoption of AI, blockchain, mesh networking and lower power networks has only increased the possibilities and applications of IoT. However, this rapid integration also brings significant security challenges. Many IoT devices lack robust security measures, making them vulnerable to cyber threats that can compromise user data, disrupt services, and even pose physical risks.

The versatility of IoT devices also poses several security risks as vulnerabilities can occur in all parts of an IoT device or system. Think for example of vulnerabilities in firmware, web applications, network services, mobile apps, hardware, cloud service or in the implementation of communication protocols. In this course we will analyze various IoT devices for risks, vulnerabilities and misconfigurations that impact the security of IoT devices. We will use a variety of IoT test devices, such as routers, IP cameras, sensors and other devices.

Figure: Various IoT devices.

The Penetration Testing Essentials course is developed from the perspective of the penetration tester and is aimed at expanding the skills set of penetration testers who have to deal with security testing IoT devices. The course’s target audience includes penetration testers, security analysts, (IoT) system engineers, embedded system developers and anyone with an interest in IT security audits, penetration testing and IoT devices.

IoT Penetration Testing Essentials Syllabus

The VHL IOT-01 Penetration Testing Essentials course focuses on penetration testing of IoT devices. In the IoT Penetration Testing course we focus on hacking hardware, software, network services, communication protocols and IoT firmware. In the following 19 modules consisting of over 700 pages we cover a wide range of topics:

  • IoT introduction
  • Security and Disclaimer
  • Legislation, standards and guidelines
  • Hardware hacking lab tools
  • IoT Reconnaissance 1: Specifications & Information
  • IoT Reconnaissance 2: Network, Configuration & Vulnerabilities
  • IoT Reconnaissance 3: Hardware & Components
  • Serial Communication & Protocols
  • UART communication
  • I2C communication
  • SPI communication
  • JTAG/SWD communication
  • Obtaining IoT firmware
  • Static firmware analysis
  • Ghidra reverse engineering
  • QEMU emulation
  • Debugging with GDB
  • Identifying vulnerabilities (Remote Command Execution & Buffer Overflow)
  • Responsible Disclosure of vulnerabilities
VHL IoT Penetration Testing Essentials – Course modules

The course begins with a theoretical introduction to IoT devices, their risks, and vulnerabilities. We then explore safety-related topics, followed by a brief overview of IoT security laws, standards, and guidelines. For the security testing of physical IoT devices you need various tools and measuring instruments. In module 5 of the course we cover all the tools you may ever need in your IoT and Hardware Hacking Lab, such as a multimeter, logic analyzer, oscilloscope, various chip programming tools (CH341 and T48), probes, Software Defined Radios (SDR) and various development boards. In the three subsequent modules, we focus on mapping and enumerating the attack surface of the IoT device under test, emphasizing specifications, product information, network, configuration, vulnerabilities and hardware.

Figure: Analyzing serial communication with a Saleae Logic Analyzer.

In the modules that follow we delve deeper into the various serial communication protocols used in IoT devices, for example UART, I2C, SPI and JTAG. You will learn how to interface and communicate with various hardware debug interfaces and serial communication protocols. Knowledge of these communication protocols and hardware debug interfaces can give penetration testers access to the internal components of the IoT device, such as the firmware and sensitive information on the device.

Obtaining the firmware of an IoT device can be done in various ways, such as by reading the flash memory chip with a programmer tool, shell access to the bootloader or a system shell via UART. Network connections and over-the-air (OTA) firmware update mechanisms also provide opportunities to obtain the firmware of IoT devices by intercepting the network communications with firmware update servers. When no other method yields the device firmware, we demonstrate how to obtain it by desoldering the flash memory chip of the device and reading it with a chip programmer.

With access to the firmware, you can apply various static and dynamic firmware analysis techniques, for example by analyzing the file system for sensitive information, such as passwords and hardcoded encryption keys. You will also learn how to reverse engineer device functionalities and binaries with Ghidra to understand how the device operates and to identify vulnerabilities.
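As an added illustration of the static analysis step described above (example code written for this page, not part of the course material or any VHL tooling), the following Python script walks an extracted firmware root filesystem and flags the classic indicators a firmware audit looks for: shadow-style password hashes, PEM private keys and plaintext credentials in configuration files. The sample filesystem it builds is constructed data, and the pattern set is a starting point rather than an exhaustive catalogue.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Generic indicators of hardcoded secrets in an extracted root filesystem.
# These are textbook patterns, not findings from any specific device.
SECRET_PATTERNS = {
    # "user:$<algo>$..." entries as found in /etc/shadow (md5crypt, bcrypt, sha256/512crypt, yescrypt)
    "unix_password_hash": re.compile(r"^[^:\s]+:\$(?:1|2[aby]?|5|6|y)\$[^:\s]+", re.M),
    # Any PEM-encoded private key shipped in the image
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # key=value / key: value lines with credential-like keys in config files
    "plaintext_credential": re.compile(r"(?im)^\s*(?:password|passwd|secret|api_key)\s*[=:]\s*\S+"),
}

MAX_FILE_SIZE = 1_000_000  # skip large blobs (kernel, squashfs images); handle those with binwalk/strings


def scan_rootfs(root: str) -> List[Tuple[str, str, int]]:
    """Return (relative path, indicator name, line number) for every file matching an indicator."""
    findings = []
    root_path = Path(root)
    for path in root_path.rglob("*"):
        # Skip symlinks first: is_file() would follow them and could loop or leave the tree.
        if path.is_symlink() or not path.is_file():
            continue
        if path.stat().st_size > MAX_FILE_SIZE:
            continue
        try:
            # Decode leniently so binaries with embedded text are still searched.
            data = path.read_bytes().decode("utf-8", errors="ignore")
        except OSError:
            continue
        rel = path.relative_to(root_path).as_posix()
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(data)
            if match:
                lineno = data.count("\n", 0, match.start()) + 1
                findings.append((rel, name, lineno))
    return sorted(findings)


def build_sample_rootfs() -> str:
    """Create a small constructed filesystem that mimics an extracted firmware image."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    files = {
        # constructed shadow file: one crypted password, one locked account
        "etc/shadow": "root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:19000:0:99999:7:::\n"
                      "nobody:*:19000:0:99999:7:::\n",
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
        # constructed placeholder key material, not a real key
        "etc/ssl/device.key": "-----BEGIN RSA PRIVATE KEY-----\n"
                              "MIIEconstructedplaceholder\n"
                              "-----END RSA PRIVATE KEY-----\n",
        "etc/app.conf": "listen=0.0.0.0:8080\npassword = admin123\n",
        # a fake ELF header so the scanner also sees a binary file
        "usr/bin/httpd": b"\x7fELF\x01\x01\x01\x00" * 4,
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            target.write_bytes(content)
        else:
            target.write_text(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_rootfs()
    for rel, indicator, lineno in scan_rootfs(sample_root):
        print(f"{rel}:{lineno}: {indicator}")
```

Run against a real tree (for instance the `squashfs-root` directory Binwalk extracts), replace the constructed filesystem with the extraction path; every hit still needs manual triage, since a test certificate in a vendor SDK and the device's production TLS key trigger the same pattern.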

Figure: Reverse engineering a decryption function in Ghidra.

In the last modules of the course, we focus on emulating firmware and architectures with QEMU and debugging IoT systems with GDB. We address the most commonly found vulnerabilities in IoT devices: Buffer Overflows and Remote Command Execution vulnerabilities. In these modules you will learn how to identify and exploit these types of vulnerabilities in IoT devices. The final module of the IoT hacking course focuses on the responsible disclosure of discovered vulnerabilities.

After completing this course, you will have:

  • A broad knowledge of the different components of the IoT ecosystem and vulnerabilities occurring in these components.
  • Knowledge of different techniques to map hardware, software and the attack surface of IoT devices in terms of: specifications, network, software and hardware.
  • Knowledge of different devices and tools to use in security testing of IoT devices, such as a multimeter and a logic analyzer.
  • Knowledge of different serial communication protocols, such as UART, I2C, SPI and JTAG.
  • Knowledge of different ways to obtain the firmware of an IoT device, including intercepting network updates, reading flash memory chips and through different serial communication protocols.
  • Knowledge about different static and dynamic analysis techniques to analyze, test and emulate firmware of IoT devices.

After completing this course, you will be able to:

  • Identify vulnerabilities and risks in hardware, software and configuration.
  • Identify the various hardware elements of IoT devices, such as hardware debug interfaces, flash memory chips and microcontrollers.
  • Apply various techniques to obtain the firmware of an IoT device and determine the best technique to use based on the advantages and disadvantages of each technique.
  • Understand which techniques can be applied to obtain the device firmware from the flash memory chip, including removing memory chips from the PCB with a soldering or hot air station.
  • Apply various tools to analyze the firmware of an IoT device, including file, strings, readelf, Binwalk, Ghidra and GDB.
  • Emulate binaries and firmware with QEMU and debug with GDB.
  • Detect buffer overflow vulnerabilities in binaries.
  • Discover vulnerabilities, disclose them responsibly and register CVEs.

Most course modules have one or more practical case studies and assignments that you can perform on your own system to reinforce the theory. Each module ends with a knowledge test covering the material.

Course content

After registering for the IoT Penetration Testing Essentials course, you will receive access to our LMS system with the following course materials:

  • 700+ pages of course material in 19 modules.
  • Practical assignments and case studies in the LMS.
  • Theoretical knowledge tests.
  • Certificate of Course Completion or VHL Certified IOT Penetration Tester certification.
  • Exam voucher in Q2/2025.
Figure: LMS Course Player.

The course does not include online labs or a lab environment; all assignments take the form of case studies and practical assignments that you can perform on your own local system. No hardware hacking tools or other physical tools are provided with the course or required to complete it.

Examination & Certification

We are currently developing exams for the VHL IoT Pentesting Essentials course that closely align with the techniques covered throughout the course. The goal is to design an assessment that evaluates the essential skills required to identify and analyze both known and new vulnerabilities in IoT devices. Rather than simply reiterating the techniques covered in the course material, the exam will present a standalone case scenario that mirrors real-world challenges. This approach ensures that candidates demonstrate not only their technical knowledge but also their ability to think critically, apply problem-solving skills, and adapt to novel security testing situations, just as they would in a real penetration testing environment.

Figure: VHL Certified IOT Penetration Testing certification for passing the examination.

An exam voucher is included for free with all purchases until the launch of the exam. The voucher will be delivered as soon as the exam is available for registration. The exam is currently under development and is expected to be available in the second quarter of 2025. A positive passing score on the exam will earn you the VHL Certified IoT Penetration Tester Essentials level certificate.

Case studies & Assignments

Unlike the other VHL courses, the IoT Penetration Testing Essentials training does NOT include online labs. Case studies and practical assignments are provided during the course, which you work out on the Kali Linux system on your local device.

Figure: Some of the case studies and practical assignments included with the course.

The practical assignments are mostly facilitated in the form of downloadable files and instructions with measurements, firmware, binaries and command line output.

Figure: Reverse engineering I2C communication case study.

Hardware Requirements

To successfully follow and complete the IoT Penetration Testing Essentials course, it is not necessary to purchase any tools, components or devices; this is completely optional. The course explains in detail how the target IoT devices are put together and how various hardware hacking tools are applied to these test devices. The output of these tools, usually a measurement, data capture, firmware or other file, is shared with you during the course for performing the practical assignments and your own research. This way, you don't need to invest in test tools and targets to complete the course.

If you also want to gain experience with hacking actual hardware devices you will need some tools, components and target devices. The target IoT devices can be the same devices covered in the course but exploring other devices is of course also an option to maximize the learning experience. Keep in mind that the investment in your own hardware hacking lab can add up considerably in cost. Decide in advance what you need and how you want to deploy it for testing IoT devices.

Our advice is to first complete the theoretical part of the course and the software-related practical assignments. Then decide what you want to do with the practical side of hardware hacking and which tools and components you need for that. The minimum required hardware hacking tools are a multimeter, logic analyzer, CH340 USB to serial adapter, CH341 programmer, opening and hand tools, wires and clips, and IoT targets for testing. Some of these tools, such as the CH340 and CH341 tools, can also be configured on a Raspberry Pi device.

Prerequisites

Participants are expected to have a basic understanding of virtual operating systems, Kali Linux, TCP/IP networking and be able to work with a command line. Limited knowledge of penetration testing and programming languages is also an advantage but is not required to start the course. If you do not have basic knowledge of penetration testing and programming languages, additional research during the course may be necessary to fully understand all concepts and modules.

System requirements

To complete this course, you will need a system with sufficient resources to virtualize Kali Linux. We recommend a system with at least the following specifications:

  • CPU: 64-bit Intel i5/i7 or AMD equivalent of a recent generation.
  • RAM: Minimum 8GB of RAM (of which 4GB is for the VM); 16GB is recommended.
  • Storage: 60GB of free storage space or more.
  • Hardware: Possibly a free USB port and an Ethernet adapter.
  • Software: VMware Workstation and a Kali Linux virtual machine.

The course and assignments are based on a system with a 64-bit Intel processor. If you are using an Apple system with a M1/M2/M3/M4 Silicon processor, you may not be able to complete all the assignments and techniques as described in the course material. If you do wish to use an Apple system with an ARM-based processor for this course, please note that you may need to do additional research on compatible tools and techniques.

The VHL IoT Penetration Testing Essentials course will be available soon! We are currently implementing the new course on the external LMS platform and website, and getting things ready to launch in Q1!

At the Virtual Hacking Labs we are constantly working on current and new training courses, labs, case studies and assignments. The following figure shows the roadmap for the Virtual Hacking Labs IOT01 IoT Penetration Testing Essentials course and subsequent IoT hacking courses.

Figure: VHL IoT Penetration Testing courses roadmap.
Figure: VHL Course comparison overview.