IOT SECURITY ASSESSMENT: PENTESTER'S APPROACH
Jatan Raval
(deck published on SlideShare by NSConclave)
Is Smart Home Safe?
IoT Device Concept
Attack Surfaces on IoT
● Hardware Level
● Software Level
● Communication Level (protocol analysis)
Hardware Level Attack Vectors
● Hardware Level
○ Gaining a shell via debug points (serial console)
■ Identifying the communication points (UART Tx, Rx, GND)
○ Dumping firmware from the memory chip
■ De-soldering the flash component and reading its contents
○ Fault Injection
■ Voltage/Clock Glitching
■ Optical Fault Injection
■ Electromagnetic Fault Injection
Software Level Attack Vectors
● Software Level
○ Extracting sensitive information (credentials, keys, URLs) from the firmware
○ Modifying the firmware
○ Flashing the modified (malicious) firmware back to the device
○ Gaining a shell via default credentials
○ Emulating the firmware for dynamic analysis
○ Hooking functions to understand the logic
Communication Attack Surface
● Communication Level
○ Sniffing
○ Injection attack
○ Fuzzing the protocol
○ Replay attack
○ Man-in-the-Middle (MITM)
Smart Home Automation
Pentester’s Approach
● Understanding the Architecture
● Identifying the attack vectors on the Smart switch
● Observing Hardware details
● Extracting Firmware from the chip
● Analyzing the firmware for the sensitive information
● Getting into the network
● Understanding the communication
● Duplicating the communication and controlling the switch
Hardware Level - Identifying the Hardware details
● Open the IoT device's enclosure
● Identify each component on the PCB
● Identify the ways to communicate with the chips (debug headers, test pads)
● Identify the model of the CPU/SoC and of the SPI flash chip from the package markings
● Download the datasheets for the CPU and the flash chip and work out how to
communicate with them (pinout, interface, operating voltage).
Download the firmware via onboard pins
● Identify the on-board debug pins (UART Tx, Rx, GND) that talk to the CPU
● Solder headers onto the pads so the connection is stable
● Install the tools needed to talk to the serial console and dump the firmware
● Connect the pins to a USB-TTL adapter (device Tx to adapter Rx, device Rx to adapter Tx,
GND to GND) and plug it into the laptop. Check the logic level first (3.3 V is common;
a 5 V adapter can damage a 3.3 V part) and try the usual baud rates (115200 is common).
● Download the firmware over the console
Download the Firmware via desoldering SPI
● Identify the SPI flash chip that stores the firmware
● De-solder the flash chip from the PCB (a SOIC clip can sometimes read it in place,
but other parts sharing the bus, or the CPU powering up, often corrupt the read)
● Put the chip into an SPI reader (e.g. a CH341A programmer)
● Read the entire chip contents; read it twice and compare the two dumps before
trusting them
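Sanity checks worth running on the dump before any analysis, as an added example (not code from the deck). It assumes the chip was read twice into two byte strings; the magic values are those of common embedded containers (uImage, SquashFS, JFFS2, gzip, ELF), and the sample image is constructed in-line, not a real device image.

```python
"""Sanity-check a raw SPI-flash dump before spending time on analysis.

Added example, not from the original deck. It assumes the chip was read
twice into two byte strings (e.g. two passes of an SPI reader); the sample
image below is constructed in-line and is not a real device image.
"""
from __future__ import annotations

import math
import random
from collections import Counter

# Magic values of containers commonly found at the start of firmware partitions.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"hsqs": "SquashFS (little-endian)",
    b"sqsh": "SquashFS (big-endian)",
    b"\x85\x19\x03\x20": "JFFS2 (little-endian)",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x7fELF": "ELF executable",
}


def compare_reads(first: bytes, second: bytes, max_report: int = 8) -> list[int]:
    """Offsets where two reads of the same chip disagree; an empty list means the
    dump is reproducible (flaky clips and bad power show up here)."""
    if len(first) != len(second):
        raise ValueError(f"reads differ in length: {len(first)} vs {len(second)}")
    diffs = []
    for i, (a, b) in enumerate(zip(first, second)):
        if a != b:
            diffs.append(i)
            if len(diffs) == max_report:
                break
    return diffs


def is_blank(data: bytes) -> bool:
    """All 0xFF is erased flash; all 0x00 usually means a wiring or power problem."""
    if not data:
        return False
    return data.count(0xFF) == len(data) or data.count(0x00) == len(data)


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: close to 8 for compressed or encrypted data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_map(data: bytes, block_size: int = 4096) -> list[tuple[int, float]]:
    """Per-block entropy: code is low, compressed/encrypted is high, erased is 0."""
    return [(off, round(entropy(data[off:off + block_size]), 2))
            for off in range(0, len(data), block_size)]


def find_signatures(data: bytes) -> list[tuple[int, str]]:
    """Every offset at which a known container magic appears, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        idx = data.find(magic)
        while idx != -1:
            hits.append((idx, name))
            idx = data.find(magic, idx + 1)
    return sorted(hits)


def build_sample_dump() -> bytes:
    """Constructed 384 KiB image: plain bootloader, uImage kernel at 0x10000,
    SquashFS root at 0x40000, erased tail. Not a real firmware."""
    rng = random.Random(1)

    def noise(n: int) -> bytes:           # stands in for compressed data
        return bytes(rng.getrandbits(8) for _ in range(n))

    boot = (b"U-Boot stub " * 32)[:0x100] * 0x100                  # 64 KiB, low entropy
    kernel = b"\x27\x05\x19\x56" + noise(60) + noise(0x20000)     # header + 128 KiB payload
    gap = b"\xff" * (0x40000 - 0x10000 - len(kernel))
    rootfs = b"hsqs" + noise(0x10000)
    tail = b"\xff" * (0x60000 - 0x40000 - len(rootfs))
    return boot + kernel + gap + rootfs + tail


if __name__ == "__main__":
    dump = build_sample_dump()
    print("reads consistent:", compare_reads(dump, dump) == [])
    print("blank:", is_blank(dump))
    for off, name in find_signatures(dump):
        print(f"  {off:#08x}  {name}")
    for off, h in entropy_map(dump, 0x10000):
        print(f"  {off:#08x}  entropy {h}")
```

Run it against two real dumps (`open(path, "rb").read()`) in place of `build_sample_dump()`: a non-empty `compare_reads` result means the clip or wiring needs attention, an `is_blank` result means nothing was read, and the signature and entropy output tells you where partitions start and whether the image is plaintext, compressed or encrypted before you hand it to binwalk.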
Firmware Analysis
● Search the extracted firmware for the Wi-Fi credentials (SSID and password) needed to join the network.
[Screenshots: strings/grep output showing the Password and SSID found in the firmware]
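The credential search from the slide, generalised a little, as an added example that is not code from the deck: a `strings`-style pass plus a regex for `key=value` and `"key":"value"` pairs whose key looks like a credential (NVRAM, hostapd/wpa_supplicant and JSON layouts). It assumes the configuration is stored in plaintext, which is what the slides found; the sample image is constructed.

```python
"""Hunt for Wi-Fi (and other) credentials in a firmware dump.

Added example, not from the original deck. It works on the raw image from
the SPI dump and assumes plaintext configuration somewhere in it; the sample
image below is constructed, not taken from a real device.
"""
from __future__ import annotations

import re

# key=value (NVRAM, hostapd, wpa_supplicant) and "key":"value" (JSON) where the
# key contains a credential-like word. Values stop at NUL, quote, newline or a
# JSON separator, and are capped at 64 bytes (WPA passphrase maximum is 63).
CRED_RE = re.compile(
    rb'([A-Za-z0-9_.-]*(?:ssid|psk|passphrase|password|passwd)[A-Za-z0-9_.-]*)'
    rb'"?\s*[=:]\s*"?([^\x00"\r\n,}]{1,64})',
    re.IGNORECASE,
)


def extract_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Same idea as strings(1): (offset, text) for runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def find_credentials(data: bytes) -> list[tuple[int, str, str]]:
    """(offset, key, value) for every credential-looking assignment in the image."""
    return [(m.start(), m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace"))
            for m in CRED_RE.finditer(data)]


def build_sample_firmware() -> bytes:
    """Constructed image: binary junk, an NVRAM-style block, a JSON config blob."""
    junk = bytes(range(256)) * 8
    nvram = b"\x00".join([
        b"wl0_ssid=HomeNet-2G",
        b"wl0_akm=psk2",              # not a credential: the keyword is in the value
        b"wl0_wpa_psk=Summer2019!",
        b"lan_ipaddr=192.168.1.1",
        b"http_passwd=admin",
    ]) + b"\x00"
    app = b'{"ssid":"HomeNet-5G","password":"Summer2019!","port":8080}'
    return junk + nvram + junk + app + b"\xff" * 256


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off, key, value in find_credentials(fw):
        print(f"{off:#08x}  {key} = {value}")
    # Context around a hit is often more useful than the hit itself:
    for off, text in extract_strings(fw):
        if "wl0_" in text:
            print(f"{off:#08x}  {text}")
```

The regex deliberately matches on the key, not the value, so `wl0_akm=psk2` (the authentication mode, not a secret) is skipped while `wl0_wpa_psk` is reported. On a real dump run `find_credentials` first, then look at `extract_strings` around each offset to see which component (NVRAM partition, web UI, mobile-app config) owns it; the same loop also turns up API keys and cloud URLs that the regex does not cover.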
Connecting to the Network
Communication Protocol Analysis
● Identify and understand the protocol used between the mobile application and the switch
● Sniff the packets between the mobile application and the switch
● Create a duplicate of a captured request
● Send it to the switch's IP and check whether the switch's state changes
Packet Duplication
● To sniff the traffic between the application and the switch we need to be in the path:
once on the Wi-Fi network, a MITM position (e.g. ARP spoofing between the phone and
the switch) gives us the traffic.
● Sniff the traffic between the application and the switch
● Resend the duplicated request from our machine: the switch returns a success
response, i.e. it accepts a replayed command with no freshness check.
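What the duplicated request proves, and the fix a developer would need, as an added example that is not code from the deck. The switch protocol here is invented for illustration (JSON over UDP with a static token in every command, a per-device key, a port number); the "captured" datagram is constructed rather than sniffed. The vulnerable switch accepts the verbatim copy exactly as the slides show; the hardened variant binds a monotonic counter to the command with an HMAC so the same bytes are rejected the second time.

```python
"""Replay ("packet duplication") against a smart switch, and the freshness
check that stops it.

Added example, not part of the original deck. The protocol, token, key and
port are invented for illustration; CAPTURED_ON stands in for a datagram
sniffed between the mobile app and the switch.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import socket
import threading

DEVICE_KEY = b"per-device-secret-from-pairing"   # assumption: provisioned at pairing
STATIC_TOKEN = "a1b2c3d4"                        # assumption: token hard-coded in the app

# Datagram the attacker captured from the MITM position (constructed here).
CAPTURED_ON = json.dumps({"cmd": "on", "token": STATIC_TOKEN}).encode()


class VulnerableSwitch:
    """Accepts any datagram carrying the right static token, so a copy works."""

    def __init__(self) -> None:
        self.state = "off"

    def handle(self, datagram: bytes) -> dict:
        try:
            msg = json.loads(datagram)
        except ValueError:
            return {"result": "error", "reason": "bad json"}
        if not isinstance(msg, dict) or msg.get("token") != STATIC_TOKEN:
            return {"result": "error", "reason": "auth"}
        if msg.get("cmd") in ("on", "off"):
            self.state = msg["cmd"]
        return {"result": "ok", "state": self.state}


def build_signed_command(cmd: str, counter: int, key: bytes = DEVICE_KEY) -> bytes:
    """Hardened format: a monotonic counter bound to the command by an HMAC."""
    tag = hmac.new(key, f"{counter}:{cmd}".encode(), hashlib.sha256).hexdigest()
    return json.dumps({"cmd": cmd, "ctr": counter, "mac": tag}).encode()


class HardenedSwitch:
    """Rejects anything whose counter is not strictly newer than the last accepted."""

    def __init__(self, key: bytes = DEVICE_KEY) -> None:
        self.key, self.state, self.last_ctr = key, "off", 0

    def handle(self, datagram: bytes) -> dict:
        try:
            msg = json.loads(datagram)
            ctr, cmd, mac = int(msg["ctr"]), str(msg["cmd"]), str(msg["mac"])
        except (ValueError, KeyError, TypeError):
            return {"result": "error", "reason": "malformed"}
        expected = hmac.new(self.key, f"{ctr}:{cmd}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return {"result": "error", "reason": "auth"}
        if ctr <= self.last_ctr:          # the freshness check: a duplicate fails here
            return {"result": "error", "reason": "replay"}
        self.last_ctr = ctr
        if cmd in ("on", "off"):
            self.state = cmd
        return {"result": "ok", "state": self.state}


def replay_demo() -> tuple[dict, dict]:
    """Replay one datagram against both designs; returns (weak, hardened) responses."""
    weak = VulnerableSwitch()
    weak.handle(json.dumps({"cmd": "off", "token": STATIC_TOKEN}).encode())
    weak_resp = weak.handle(CAPTURED_ON)          # the attacker's copy of the app's request

    strong = HardenedSwitch()
    legit = build_signed_command("on", counter=1)
    strong.handle(legit)                          # the app's genuine command
    strong_resp = strong.handle(legit)            # the same bytes, sent again
    return weak_resp, strong_resp


def serve_once(switch, port: int, ready: threading.Event) -> None:
    """Put a switch behind a loopback UDP socket for one datagram (demo transport)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", port))
        ready.set()
        data, peer = s.recvfrom(4096)
        s.sendto(json.dumps(switch.handle(data)).encode(), peer)


if __name__ == "__main__":
    port, ready = 50505, threading.Event()        # assumption: a free loopback port
    threading.Thread(target=serve_once, args=(VulnerableSwitch(), port, ready),
                     daemon=True).start()
    ready.wait(2)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as attacker:
        attacker.settimeout(2)
        attacker.sendto(CAPTURED_ON, ("127.0.0.1", port))
        print("vulnerable switch answered:", attacker.recv(4096).decode())
    print("in-process replay (weak, hardened):", replay_demo())
```

The counter is only part of the fix: the key must be per device and delivered at pairing, the switch must persist `last_ctr` across reboots (otherwise a power cycle re-opens the replay window), and the app's counter must survive reinstalls, which is why real designs usually prefer a server-issued nonce or a TLS session over a bare counter.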
Alternative Ways
1. Use Frida to hook the exact function in the mobile app that builds the request
○ Helps in understanding the encryption/encoding logic
○ Lets us build valid requests for other switches
2. Use Scapy to craft the network packet and send it to the switch
○ Helps in understanding the packet structure
Q & A