IoT Security - the DVID Challenge [Course + Board] (W46)

$290.00


IoT is a growing market and will be the future of our daily lives. Because it is still emerging, there is no standard to guide the development process, and there are many protocols and custom solutions for connecting a hardware device to a cloud. Sometimes middleware (such as a smartphone application) sits between the hardware and the cloud.

This IoT course will explain IoT concepts, IoT construction and security holes. Each student will train on a dedicated open-source vulnerable board. Students will be able to improve their skill at finding vulnerabilities and learn how to avoid them during development.


IMPORTANT NOTE

To fully participate in this course you need to have the DVID (Damn Vulnerable IoT Device). It is necessary to participate in the class. You can order one pre-made with this course - shipping fee is included in the price - or manufacture one yourself - see instructions below.


COURSE BENEFITS


After completing the course, each student will be able to identify the most famous IoT vulnerabilities: plug a computer into debug interfaces, analyze outgoing exchanges, work out the protocol in use and do some fun tricks with it. They will also be able to write a relevant audit report with vulnerability details and remediation.

From my research, I would like to share my knowledge on IoT Security. This course is designed to help:

  • IoT makers, to help them develop with security guidelines and see the impact of missing security
  • Security researchers, to help them identify the most famous vulnerabilities and train on them
  • IT decision makers, to help them have the correct reflexes when IoT knocks on their IT door

About course tools: each student will have the Damn Vulnerable IoT Device (DVID) with extension board (Bluetooth), a USBasp to flash the device and USBuart to communicate with the board. For each training, the student will flash the device with the corresponding firmware and start to find the solution.

DURATION: 18 hours

CPE POINTS: On completion you get a certificate granting you 18 CPE points. 

Course format: 

  • Self-paced
  • Pre-recorded
  • Accessible even after you finish the course
  • No preset deadlines
  • Materials are video, labs, and text
  • All videos captioned

BEFORE YOU START

This IoT device is designed by the course instructor and published as open source. The main objective is to give interested people a vulnerable board on which to improve their skill in IoT hacking. The board core is composed of an ATmega328P and an OLED screen. For each training, a firmware can be flashed on the ATmega328P in order to offer a specific vulnerable environment. There are also connection ports such as UART, Bluetooth, 2.4 GHz and Wi-Fi.

Training needs some attack tools like USBasp and USBuart.

All content is open sourced and published here: https://github.com/Vulcainreo/DVID

This board is necessary to participate in the "IoT Security - the DVID Challenge" online course. With this order you'll purchase a pre-made, ready to go board. The price includes international shipping. 

To fully participate in this course you need to have the DVID (Damn Vulnerable IoT Device). You have two options: 

  • Schematic and component reference: you must buy a naked board and all components, then solder everything together. All schematics and references are provided free - visit the GitHub repository above to find out the details. The instructor will be able to support you to some extent. 
  • Full package: the student will receive everything needed for this course (soldered board, external board and attack tools). Once you purchase the course with this package, we will contact you with shipping information. 


  • Basic knowledge of web and mobile security
  • Knowledge of Linux OS
  • Basic knowledge of programming - Python
  • The DVID (either ordered pre-made here or made on your own; look below for details)
  • Laptop with at least 50 GB free space
  • 8+ GB minimum RAM (4+GB for the VM)
  • External USB access (min. 2 USB ports)
  • Administrative privileges on the system
  • Virtualization software
  • Android phone

The course will be organized as this table. The estimated duration is 18 hours with 7 hours of Practical Work, 11 hours of lectures. The course will finish with an at-home final exam.


About the author: Arnaud Courty

As an IoT expert, my main mission is to evangelise companies to take care of security from the design step.

I work on internal and external offensive security analysis and assessment of security maturity of embedded systems upstream of their industrialization.

Since the beginning of IoT, I have specialized in vulnerability research adapted to embedded systems, but also in raising awareness among designers, developers and integrators. I take advantage of security events and working groups to campaign for a less vulnerable IoT world.


Course Syllabus


Module 1: Generalities

This module will cover generalities about IoT. After a few reminders of protocols, we will discuss IoT architecture and discover the Practical Work board.

  1. A few reminders
  2. Communication protocols
    1. UART
    2. JTAG
    3. SPI
  3. Generality
    1. Security VS safety
    2. Security objectives and definition
    3. Embedded system life cycle
  4. Architecture
    1. Hardware level
    2. Software level
    3. Communication level
    4. Security level
    5. Focus on SecBus architecture
  5. Discovering an IoT object (TP board)
    1. Discovering methodology
    2. Hardware identification
    3. Gain information on Internet
    4. Making a schema
    5. Identifying available attacks

Practical Work: Discover the Practical Work board DVID

  • Tools installation on student computer
  • Learning how to flash the board with a Practical Work firmware

Project: Start developing an IoT device

  • Get started with Arduino IDE
  • Try to write a program to print text on the DVID screen
  • Try to write a program able to interact with serial

Module 2: Hardware and firmware attacks

This module will cover hardware and firmware attacks. After discovering all available attacks, we will discuss the vulnerabilities and train on them with the DVID board.

  1. Hardware attacks
    1. Side channel attacks - Timing attacks
    2. Memory spying attacks
    3. On bus attacks
    4. Fault injections
    5. Hardware reverse engineering
  2. Well known vulnerabilities
    1. Sensitive information on debug port
    2. Unencrypted firmware
    3. Weak algorithm
    4. Hardcoded sensitive information
  3. Counter measures

Practical Work - First board interaction

  • First interaction with the board (UART with Tx and RX)
  • Try to discover the password (the password is displayed on the console; the student must write it on the serial TX connection to unlock)
  • Try to identify the Tx pin on a signal analysis tool (tools aren’t needed; it’s based on a provided picture) and try to get the correct password (two tries before the board resets)

Practical Work - Default password

  • Search the Internet for a default password (the Mirai source code can be found in several GitHub repositories)
  • Write a program to enumerate them (the program asks the student for the password; there is no protection against brute force)
  • The student must try several passwords in order to find the correct one

Practical Work - Hard-coded password

  • Try to extract the onboard firmware with the avrdude tool
  • Explore the firmware to get the hard-coded password
  • Try the same with the provided hex file
  • Pass it on the TX connection to unlock

Practical Work - Buffer overflow

  • Write a Python program to explore the memory
  • Try to get the user password (the program states that a five-entry table is set, and the student can request each entry by number; the program must enumerate each number from 1 to 300 to identify ASCII content and get the password)

Weakness in algorithm

  • Students get the pseudocode of an algorithm. They must identify the weakness and write a program to exploit it
  • The firmware has brute force protection - students must be smart
  • Pass the correct password to unlock

Escape from the DVID room

  • Stage 1: detect the cypher used to encrypt the firmware
  • Stage 2: try to detect with default password list
  • Stage 3: get the hard-coded credentials in the firmware
  • Stage 4: gain access to the console from the serial port with previous credentials

Module 3: Middleware interactions

This module will cover middleware interactions from hardware to cloud. After discovering a well known protocol, we will discuss and train about IoT usage and available attacks.

Protocol discovering:

MQTT:

  • Presentation
  • Attacks

CoAP:

  • Protocol Presentation
  • Models
  • Message

Bluetooth Low Energy

  • Why such a difference between Bluetooth 2 and Bluetooth 3?
  • Advertising Concept
  • Characteristics & services Concept
  • Communication encryption

Radio Parking remote:

  • Presentation
  • Attack methodology

Practical Work - CoAP communication

  • Send a message to a well known server
  • Try to discover some resources

Practical Work - Analysis of parking remote

  • Identifying frequency based on hardware picture
  • Analysis of the recorded stream
  • Protocol Reverse engineering

Practical Work - MQTT sensor

  • Write an MQTT producer sensor that publishes the current time to the official broker every minute
  • Write an MQTT consumer that subscribes to the previous MQTT time topic

Practical Work - MQTT Attacks

  • Find sensitive information published by users on a well-known broker
  • Find a misconfigured MQTT server on Shodan

Practical Work: Discover advertising of DVID

  • Try to scan for nearby BLE devices
  • Try to view advertisement packets in Wireshark

Practical Work - Discover characteristics of DVID

  • gatttool
  • Bleah

Practical Work - Reverse engineering an IoT device

  • Get the HCI exchange from Android
  • Try to replay characteristics

Practical Work - Decrypt the BLE exchange

  • Analyze the encrypted exchange between DVID and Android app
  • Get the key to decrypt the stream
  • Get the code to unlock the challenge

Project: Unlock the DVID door

  • Stage 1: analysis of BLE services and characteristics
  • Stage 2: identify opening characteristics
  • Stage 3: get HCI logs to see that it's a rolling code
  • Stage 4: reverse the Android APK to get the rolling code and find vulnerabilities
  • Stage 5: write a program to predict the next rolling code and open the door

Module 4: Cloud interaction

This module will cover cloud interaction from a device, or from a device through middleware. After discovering well-known vulnerabilities, we will discuss and train on IoT-specific vulnerabilities.

  1. Vulnerabilities identification
    1. Injection
      1. SQL code injection
      2. NoSQL code injection
    2. Broken authentication
      1. Session management
      2. Backdoor
    3. Sensitive Data Exposure
    4. Broken access control
      1. Vertical moving
      2. Horizontal moving
    5. Security misconfiguration
    6. Cross-site Scripting
    7. Insecure deserialization
    8. Using components with well-known vulnerabilities
    9. Insufficient logging & monitoring
  2. Rest API Analysis
    1. JWT token
    2. API keys
    3. HTTP methods
    4. Content type validation
    5. Endpoint management
      1. Error handling
      2. Security Headers
      3. Cross origin resource sharing

Practical Work: Vulnerability identification

  • Try to break the authentication
  • Default password
  • Predictable cookie
  • Try to directly access sensitive data
  • Try to extract the session cookie via cross-site scripting

Module 5: Audit methodology and reporting

This module will cover the audit methodology and reporting. We will discuss how to write reports that are relevant and as exhaustive as possible in identifying vulnerabilities.

  1. General information
    1. Responsible disclosure
    2. Authorization
    3. Requirements
  2. Audit methods
    1. Penetration testing and Audit
    2. Bug bounty
  3. Analysis methodology
    1. Hardware
    2. Middleware
    3. Cloud (Web application analysis, Session management, Data management, Access control, Injections)
    4. Reporting methodology

Practical Work : Make a relevant report

  • From a vulnerability list, try to write associated risks
  • Try to make relevant remediation for given vulnerabilities

Exam: Audit an IoT device

Exam instruction

  • In this exam, students will be in front of an IoT device. This device can be controlled by an Android application.
  • All learned skills in hardware analysis, middleware reversing and cloud exploration are needed to analyse the security of this IoT device.
  • Students must write a relevant report to show all findings and provide remediations for the vulnerabilities found.

Exam general information:

This exam will have a 24-hour time limit. Students have access to all slides and the Internet.

Marks:

A list of designed vulnerabilities is set before the exam starts. The final mark is max 20 points:

  • First part for 10: 1 point for each vulnerability identified
  • Second part for 5: 0.5 point for each remediation associated with each identified vulnerability
  • Third part for 5: 2.5 on the technical summary and 2.5 for the executive summary
  • 10 bonus points for finding a 0-day  :)



QUESTIONS? 

If you have any questions, please contact our eLearning Manager at [email protected].


FAQ


ABOUT THE DVID: 

The DVID (Damn Vulnerable IoT Device) is an intentionally vulnerable IoT device to help you learn about IoT security.

Yes. Without it you won’t be able to do any practical work throughout the course, and a big part of the content refers directly to it as well.

You can order a premade device with us, or you can make one yourself (buy all components and solder them together). For all instructions see the course description.

The DVID is manufactured by the instructor of the course, Arnaud Courty.

Yes. All boards are thoroughly tested before shipping, as well as all components and attack tools provided with the device.

No, we don’t offer part-only packages for retail customers. It is possible for group orders - see “Special orders” section.


SHIPPING:

Shipping will be done worldwide, but tracking will be available only for specific countries.

The packages will have tracking enabled if they are shipped to the following countries: Germany, Saudi Arabia, Australia, Austria, Belgium, Brazil, Canada, South Korea, Croatia, Cyprus, Denmark, Spain, Estonia, United States, Finland, Gibraltar, Great Britain, Hong Kong, Hungary, Ireland, Iceland, Israel, Italy, Japan, Latvia, Lebanon, Lithuania, Luxembourg, Malaysia, Malta, Norway, New Zealand, Netherlands, Poland, Portugal, Russia, Singapore, Slovakia, Slovenia, Serbia, Sweden, Switzerland.

All packages going out to countries outside of this group will have tracking up to the point of arrival in the destination country.

We have previously experienced issues with customs and delayed/lost packages when shipping to India. For this reason, if you want to order the board, we will only be sending it through a premium service (like DHL), which will include extra cost for you to cover.

We will be contacting you by email with further instructions.

Since the boards are manufactured just for this course, we will contact you with specific details after you order. You will be notified when the shipment is made.

Please document the package and contact our e-Learning manager at h9.courses@hakin9.org

Please document the board and contact our e-Learning manager at h9.courses@hakin9.org

If you received a notice from us confirming that we’ve sent the package and the shipment does not arrive after a reasonable amount of time, please contact our e-Learning Manager at h9.courses@hakin9.org


I AM A HAKIN9 PREMIUM SUBSCRIBER / IT PACK PREMIUM SUBSCRIBER / LIFETIME SUBSCRIBER

Yes, the course is included in your subscription, but the board is not. Don’t worry, we have a special product made just for you, where you can purchase the pre-made board independently from the course: https://hakin9.org/product/board-only-dvid-challenge-w46/ You can also manufacture the board yourself, if you’re feeling up to it - see instructions in the course description.

No. The BOARD ONLY product includes only the pre-made board and course access is not included. You have course access through your premium subscription.

No, you should either purchase a seat on the course, or renew your subscription.

Yes, you will be able to view the training materials and see the assignments. However, you won’t be able to perform any practical exercises from the course, unless you make the board yourself (instructions provided in the course description).


SPECIAL ORDERS

Educational institutions receive a discount for course enrollment. The price of the DVIDs (if you choose to order them as well) will not be discounted. Please contact our Product Manager Marta Sienicka at [email protected] for further details.

You can make a bulk order, but the price will not be discounted - the price of the DVID as offered on the website includes bare manufacturing and shipping costs. Please contact our Product Manager Marta Sienicka at [email protected] for further details.

Yes, provided you meet certain criteria in regards to the amount of the packages you want. Please contact our Product Manager Marta Sienicka at [email protected] for further details.

Companies receive a discount for group course enrollment only. The price of the DVID (if you choose to order it as well) will not be discounted. Please contact our Product Manager Marta Sienicka at [email protected] for further details.


Yes, provided you meet certain criteria in regards to the amount of complete packages you want. Please contact our Product Manager Marta Sienicka at [email protected] for further details.


RETURNS & REFUNDS

Please document the package and contact our e-Learning manager at h9.courses@hakin9.org. We offer replacements if you meet the criteria for one.

Please document the board and contact our e-Learning manager at h9.courses@hakin9.org. We offer replacements if you meet the criteria for one.

You can only return undamaged boards within 14 days of receiving them. You have to inform us of your intent to return within that time frame, by email at h9.courses@hakin9.org. You are responsible for the return shipment and its cost. It should be made to a return address we provide. You must provide us with proof of shipment within 7 days of informing us of intent to return. After we receive your return package, the board will be evaluated for damage, and if everything checks out, we’ll reverse your payment.

Yes. You can only return undamaged boards within 14 days of receiving them. You have to inform us of your intent to return within that time frame, by email at [email protected].  You are responsible for the return shipment and its cost. It should be made to a return address we provide. After we receive your return package, the board will be evaluated for damage, and if everything checks out, we’ll reverse your payment.

Yes, if you meet the criteria. For our return policy for online courses, please refer to our Terms of Service.



© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023