IoT is a growing market and will be the future of our daily lives. Because of its emergence, there is no standard to guide the development process, there are many protocols and custom solutions to connect a hardware device to the cloud. This IoT course will explain IoT concepts, IoT construction, and security holes. Each student will train themselves on a dedicated open sourced vulnerable board. They will be able to improve their skills to find vulnerabilities and learn how to avoid them.
Each student will have the Damn Vulnerable IoT Device (DVID) with extension board (Bluetooth), a USBasp to flash the device, and USBuart to communicate with the board. For each training, the student will have to flash the corresponding firmware on the DVID board, to learn, hack, and find the challenge solution.
After completing the course, each student will be able to identify the most famous IoT vulnerabilities, plug his analysis tools into debug interfaces, analyze outgoing exchanges, understand protocols used, and do some fun tricks with them. They will also be able to write a relevant audit report with vulnerability details and remediation.
This course is based on the instructor's original research and his expertise in IoT Security. This course is designed to help:
- IoT makers, in order to help them develop with security guidelines and view impact about security absence
- Security researchers, in order to help them to identify the most famous vulnerabilities and be trained for them
- IT Decision makers, in order to help them have the correct reflexes when IoT knocks on their IT door
DURATION: 18 hours
CPE POINTS: On completion you get a certificate granting you 18 CPE points.
- Accessible even after you finish the course
- No preset deadlines
- Materials are video, labs, and text
- All videos captioned
To fully participate in this course you need to have the DVID (Damn Vulnerable IoT Device). It is necessary to participate in the class. You can order one pre-made with this course, or manufacture one yourself - see instructions below.
BEFORE YOU START
The board is included in some course purchase options.
This IoT device is designed and manufactured by the course instructor. The main objective is to provide a vulnerable board to improve skills in IoT hacking. The board core is composed of an Atmega328p and an OLED screen. For each course challenge, a firmware is flashed on the Atmega328p in order to offer a specific vulnerable environment. There are also connection ports like UART, Bluetooth, 2,4Ghz and Wifi.
All community content is open sourced and published here: https://github.com/Vulcainreo/DVID
This board is necessary to participate in the "IoT Security - the DVID Challenge" online course. With some purchase options you'll get a pre-made, ready to go board.
The price includes international shipping, but it does not include any customs fees your country's Customs Office might charge. We are not responsible for getting your package through customs, and if your package is stopped at the border, you will be contacted by the Customs Office to make sure it goes through.
If you have the skills, you can purchase the standalone course (no DVID included), and using the open source schematic and component reference solder everything together. You are responsible for sourcing and financing all components and a naked board. The instructor can provide remote support throughout the process.
Note about shipping
COVID-19: We are shipping normally. Due to restrictions, shipping time might be longer than usual, depending on the origin country. Please exercise all necessary caution when handling packages.
The packages will have tracking enabled, if they are shipped to the following countries: Germany, Saudi Arabia, Australia, Austria, Belgium, Brazil, Canada, South Korea, Croatia, Cyprus, Denmark, Spain, Estonia, United States, Finland, Gibraltar, Great Britain, Hong Kong, Hungary, Ireland, Iceland , Israel, Italy, Japan, Latvia, Lebanon, Lithuania, Luxembourg, Malaysia, Malta, Norway, New Zealand, Netherlands, Poland, Portugal, Russia, Singapore, Slovakia, Slovenia, Serbia, Sweden, Switzerland.
All packages going out to countries outside of this group will have tracking up to the point of arrival in the destination country.
As we have previously experienced issues with customs and delayed/lost packages when shipping to India, we will only be sending boards to India through a premium service (like DHL), which will include extra cost for you to cover.
- Basic knowledge of web and mobile security
- Knowledge of Linux OS
- Basic knowledge of programming - Python
- The DVID (either ordered pre-made here or made on your own; look below for details)
- Laptop with at least 50 GB free space
- 8+ GB minimum RAM (4+GB for the VM)
- External USB access (min. 2 USB ports)
- Administrative privileges on the system
- Virtualization software
- Android phone
- Your favorite hacking tools (ex.: logic-analyzer)
The course will be organized as this table. The estimated duration is 18 hours with 7 hours of Practical Work, 11 hours of lectures. The course will finish with an at-home final exam.
Module 1 - Generalities
- Course time: 40 min
- Lab time estimation: 50 min
Module 2 - Hardware and firmware attacks
- Course time: 70 min
- Lab time estimation: 120 min
Module 3 - Middleware
- Course time: 140 min
- Lab time estimation: 280 min
Module 4 - Cloud
- Course time: 160 min
- Lab time estimation: 120 min
Module 5 - Reporting
- Course time: 100min
- Lab time estimation: N/A
Extra time should be alotted for the final exam. Your workload will depend on your skill level, but it will take at least a few hours to complete (no timers included).
About the author: Arnaud Courty
As an IoT expert, my main mission is to evangelise companies to take care of security from the design step.
I work on internal and external offensive security analysis and assessment of security maturity of embedded systems upstream of their industrialization.
Since the beginning of IoT, I specialize in vulnerabilities research adapted to the embedded systems but also awareness of designers, developers and integrators. I take advantage of security events and working groups to campaign for a less vulnerable IoT world.
Module 1: Generalities
This module will cover generalities about IoT. After a few reminders of protocols, we will discuss IoT architecture and discover the Practical Work board.
Understand most common IoT protocols
Discover the IoT Architecture and focus on Secbus architecture
- Security VS Safety
- Security Goals
- IoT product security life cycle
- SecBus architecture
- Discover what is an IoT object
- Discovering methodology
- Hardware identification
- Gain information on the Internet
- Make a schema
- Identify available attack
First steps with the DVID board
- Discover the Board
- Flash the first firmware
Start to dev an IoT Device
- IDE installation and configuration
- Code basics
- Compilation and flash
Module 2: Hardware and firmware attacks
This module will cover hardware and firmware attacks. After discovering all available attacks, we will discuss and train vulnerabilities on the DVID board.
- Discover what is a firmware (Definitions and Filesystem)
- How to extract sensitive information (Methodology and tools)
- Putting in a backdoor
- Analysis (Static and dynamic)
Well known hardware attacks.
- Side channel attacks - Timing attacks
- Memory spying attacks
- On bus attacks
- Fault injections
Hardware reverse engineering.
Discover top 10 vulnerabilities with real-life examples.
Firmware reverse: The root password was not provided in the manual, find it!
Vulnerability exploitation (hardcoded password) : A confidential message is stored on the firmware but protected by a password.
Vulnerability exploitation (default password): A confidential message is stored on the firmware but protected by a password. An informant said that the password was weak.
Module 3: Middleware interactions
This module will cover middleware interactions from hardware to cloud. After discovering a well known protocol, we will discuss and train about IoT usage and available attacks.
Discover middleware protocols
- Protocol explanation
- Play for fun
- PCAP reverse
- Generic Access Profile (GAP)
- Profile, Services and Characteristics
- Protocol explanation
- CoRE link format
- Play for fun
Understand Android platform and security
- Application architecture
- Application components
- Middleware pentesting methodology
- TOP 10 OWASP on mobile devices
- Best practices
Advertising: a password is leaked from bluetooth advertising
Characteristics: interact with the board to exfiltrate flags
Door locker analysis: Submit the correct password over MQTT to unlock it
Meetings: a meeting timetable and location are exchanged with MQTT, sniff the network to find them
Module 4: Cloud interaction
This module will cover cloud interaction from a device or device through a middleware. After discovering well known vulnerabilities, we will discuss and train about IoT specific vulnerabilities.
- Characteristics and model
- Related threats
Most common vulnerabilities
- Weakness in authentication and session management
- Cross Site Scripting
- Weakness in access control
- Sensitive information exposure
- Weak protection against attacks
- Cross-Site Request Forgery (CSRF)
- Denial of service
- JSON Web Token (JWT)
- Pentest Web methodology
- Information gathering
- Infrastructure analysis
- Application analysis
- Pentest API methodology
- CSRF: Find the CSRF vulnerability and force your victim to change their password
- SQLi: Find an SQL injection flaw to extract all stored password in order to crack them
- Cookie stealing: Exploit an XSS vulnerability to steal your victim's session cookies
Module 5: Audit methodology and reporting
This module will cover the audit methodology and reporting. We will discuss making relevant reports and as exhaustive as possible on vulnerabilities identification
Audit methodology overview
- Penetration planning
- Embedded device
- Network communication
- Server operating system
- Server application
Exam: Audit an IoT device
- EXAM INCLUDES CLOUD-HOSTED RESOURCES
- In this exam, students will be in front of an IoT device. This device could be controlled by an Android application.
- All learned skills about hardware analysis, middleware reverse or cloud exploration are needed to analyze the security of this IoT Device.
- Students must write a relevant report to show all findings and provide remediation on found vulnerabilities.
This exam will not have any time limit. Students have access to all slides and the Internet.
- A flag is corresponding to vulnerability exploitation: 2 points per flag
- Making a relevant audit report: 8 points on report
- 10 bonus points for finding a 0-day :)
If you have any questions, please read the FAQ below. If your answer's not there, please contact our eLearning Manager Marta at [email protected]