IoT Pentesting 101 && IoT security 101

Approach Methodology

  1. Network
  2. Web (Front & Backend and Web services)
  3. Mobile App (Android & iOS)
  4. Wireless Connectivity
  5. Firmware Pentesting (Hardware or IoT device OS)
  6. Hardware Level Approach



Blogs for iotpentest


IoT security vulnerabilities checking guides

Exploitation Tools & OS

Reverse Engineering Tools


IoT Protocols Pentesting





Radio IoT Protocols Overview

Base transceiver station (BTS)



Mobile security (Android & iOS)


Firmware Pentest

IoT hardware Overview

Hardware Tools

Attacking Hardware Interfaces






| Presentation | Conference | Year | Author | Link |
|---|---|---|---|---|
| A Surface Area Approach to Pen-testing the IoT | Defcon 23 | 2015 | Daniel Miessler | Video, Slide |
| The Hand that Rocks the Cradle: Hacking IoT Baby Monitors | Defcon 23 | 2015 | Mark Stanislav | Video |
| Security of Wireless Home Automation Systems – A World Beside TCP/IP | Defcon 23 | 2015 | Tobias Zillner & Sebastian Strobl | Slide |
| Securing the IoT World | Defcon 23 | 2015 | Aaron Guzman | Video, Slide |
| Yes, You Can Walk on Water: Application & Product Security on a Startup Budget | Defcon 23 | 2015 | Brian Knopf | Video |
| Cameras, Thermostats, and Home Automation Controllers – Hacking 14 IoT Devices | Defcon 23 | 2015 | Wesley Wineberg | Video, Slide |
| Smart Home Invasion | Defcon 23 | 2015 | Craig Young | Video, Slide |
| Practical IoT Exploitation Workshop (MIPS/ARM) | Defcon 23 | 2015 | Lyon Yang | Video, Slide |
| Advanced SOHO Router Exploitation | HITBGSEC | 2015 | Lyon Yang | Video, Slide |
| Pwning IoT with Hardware Attacks | Defcon 23 | 2015 | Chase Schultz | Slide |
| SWEET SECURITY – Creating a Defensive Raspberry Pi | Defcon 23 | 2015 | Travis Smith | Slide |
| Securing the Internet of Things: Mapping Attack Surface Areas Using the OWASP IoT Top 10 | RSA Conference | 2015 | Daniel Miessler | Link |
| IoT Security | BSides | 2015 | Justin C. Klein Keane | Video |
| Securing the Internet of Things | IoT Conference | 2015 | Paul Fremantle | Video |
| The Internet of Fails – Where IoT Has Gone Wrong | Defcon 22 | 2014 | Mark Stanislav & Zach Lanier | Video |


Research Studies

| Title | Organization | Year | Link |
|---|---|---|---|
| The Internet of Things: Security Research Study | Veracode | 2015 | Link |
| Internet of Things Research Study | Hewlett Packard | 2015 | Link |
| Insecurity in Internet Of Things | Symantec | 2015 | Link |
| Securing the “Internet of Things” Survey | SANS | 2014 | Link |

Research Papers

| Title | Year | Link |
|---|---|---|
| Enhance Embedded System Security With Rust | 2016 | Link |
| Requirement of Security for IoT Application based on Gateway System | 2015 | Link |
| Threats Analysis, Requirements and Considerations for Secure Internet of Things | 2015 | Link |
| Hybrid Lightweight and Robust Encryption Design for Security in IoT | 2015 | Link |
| A Study on IP Exposure Notification System for IoT Devices Using IP Search Engine Shodan | 2015 | Link |
| Security Framework and Jamming Detection for Internet of Things | 2015 | Link |
| Personal Information Security and the IoT: The Changing Landscape of Data privacy | 2015 | Link |
| Design of the Secure Compiler for the IoT Services | 2015 | Link |
| On the design of lightweight link-layer security mechanisms in IoT systems | 2015 | Link |
| A Digital Door Lock System for the Internet of Things with Improved Security and Usability | 2015 | Link |
| Security Threats on National Defense ICT based on IoT | 2015 | Link |
| On the Security and Privacy of Internet of Things Architectures and Systems | 2015 | Link |
| Cyber Security for Intelligent World with Internet of Things and Machine to Machine Communication | 2015 | Link |
| Study on the Vulnerability Level of Physical Security And Application of the IP-Based Devices | 2015 | Link |
| A Lightweight RFID Security Protocol Based on Elliptic Curve Cryptography | 2015 | Link |
| DTLS-HIMMO: Efficiently Securing a Post-Quantum World with a Fully-Collusion Resistant KPS | 2015 | Link |
| Study on a Secure Wireless Data Communication in Internet of Things Applications | 2015 | Link |
| IoT: The Internet of Threats and Static Program Analysis Defense | 2015 | Link |
| Event driven adaptive security in internet of things | 2014 | Link |
| Internet of Things: Architectural framework for eHealth security | 2014 | Link |
| Privacy and Security Issues for Healthcare System with Embedded RFID System on Internet of Things | 2014 | Link |
| An Approach for Cyber Security Experimentation Supporting Sensei/IoT for Smart Grid | 2014 | Link |
| Toward an Inverse-free Lightweight Encryption Scheme for IoT | 2014 | Link |
| Broadcast Based Registration Technique for Heterogeneous Nodes in the IoT | 2014 | Link |
| An Evaluation Scenario for Adaptive Security in eHealth | 2014 | Link |
| Security requirements of IoT-based smart buildings using RESTful Web Services | 2014 | Link |
| A survey on providing security to the wireless sensor networks integrated with IOT | 2014 | Link |
| IOT Secure Transmission Based on Integration of IBE and PKI/CA | 2013 | Link |
| An Empirical Research on InfoSec Risk Management in IoT-based eHealth | 2013 | Link |
| Security and privacy challenge in data aggregation for the iot in smart cities | 2013 | Link |
| Designing a secure service manager for internet of things | 2013 | Link |
| Identity Authentication and Capability Based Access Control (IACAC) for the Internet of Things | 2013 | Link |
| Security Architecture of the Internet of Things Oriented to Perceptual Layer | 2013 | Link |
| Towards a Light Weight Internet of Things Platform Architecture | 2013 | Link |
| A bi-direction authentication protocol for RFID based on the variable update in IOT | 2013 | Link |
| Novel Threshold Cryptography-based Group Authentication (TCGA) Scheme for the Internet of Things (IoT) | 2013 | Link |
| A Survey on Security Issues of M2M Communications in Cyber-Physical Systems | 2012 | Link |
| Making Devices Trustworthy: Security and Trust Feedback in the Internet of Things | 2012 | Link |
| A bi-directional security authentication architecture for the internet of vehicles | 2012 | Link |
| Security for Practical CoAP Applications: Issues and Solution Approaches | 2011 | Link |
| A Security Protocol Adaptation Layer for the IP-based Internet of Things | 2011 | Link |
| Security in the Internet of Things | 2011 | Link |
| Assessing the Security of Internet Connected Critical Infrastructures | 2010 | Link |

OWASP Resources

Case Studies


Firmware Analysis

IoT Development Tools

  • Arduino – Arduino is an open-source electronics platform based on easy-to-use hardware and software. It’s intended for anyone making interactive projects.
  • Eclipse IoT Project – IoT needs open source to be successful. Eclipse IoT simplifies IoT development.
  • Kinoma – Kinoma’s platform is optimized for connected, high-performance consumer electronics and Internet of Things (IoT) products. Build rich consumer experiences that orchestrate connected devices, their companion apps, and cloud services.
  • M2M Labs MainSpring – M2MLabs Mainspring is an open source application framework for building machine to machine (M2M) applications such as remote monitoring, fleet management or smart grid.
  • Node-RED – Node-RED is a tool for wiring together hardware devices, APIs and online services in new and interesting ways.
  • Particle – Particle is a prototype-to-production platform for developing an Internet of Things product.
  • PlatformIO – PlatformIO IDE is the missing integrated development environment which provides comprehensive facilities for IoT development:
  • ThingBox – The ThingBox is a set of software already installed and configured. The ThingBox allows anyone to graphically create new unlimited applications interacting with connected objects from a simple web-browser.

IoT Hardware Platforms

  • Arduino – Arduino is an open-source electronics platform based on easy-to-use hardware and software. It’s intended for anyone making interactive projects.
    • Arduino Nano
    • Arduino Pro Mini
    • Arduino Uno
    • Arduino Yún
  • Arietta G25 – Low cost Linux embedded module
  • BeagleBoard – Get your hands in technology’s guts and control your development destiny with these credit-card sized, low-power, open-hardware computers. Experiment with Linux, Android and Ubuntu and jump-start development in five minutes with the included USB cable.
  • Flutter – Flutter is a programmable processor core for electronics projects, designed for hobbyists, students, and engineers. Flutter features a fast ARM processor, powerful long-range wireless communication, built-in battery charging, and an onboard security chip, making Flutter an ideal choice for robotics, wireless sensor networks, consumer electronics, and educational platforms.
  • Imuduino – The smallest Arduino Leonardo compatible clone, feature packed with USB keyboard/mouse emulation, on-board Bluetooth LE, real-time orientation and motion sensing IMU, and 10V max voltage regulator. Works with Android and iOS devices.
  • Intel Edison – The Intel Edison is a tiny computer offered by Intel as a development system for wearable devices and Internet Of Things.
  • Intel Galileo – The Intel® Galileo Gen 2 development board is a microcontroller board based on the Intel® Quark™ SoC X1000 application processor, a 32-bit Intel® Pentium® brand system on a chip (SoC). It is the first board based on Intel® architecture designed to be hardware and software pin-compatible with shields designed for the Arduino Uno R3.
  • LightBlue Bean – With Bean, you can program wirelessly from any of your devices. No more unscrewing screws and ungluing glue.
  • MicroDuino – Microduino presents the world’s smallest series of Arduino-compatible smart modules that are small, flexible, stackable and powerful, and can be used to create a limitless amount of DIY projects.

Home Automation Software

  • Eclipse SmartHome – The framework is designed to run on embedded devices, such as a Raspberry Pi, a BeagleBone Black or an Intel Edison. It requires a Java 7 compliant JVM and an OSGi (4.2+) framework, such as Eclipse Equinox.
  • Home Gateway Initiative – The HGI Open Platform 2.0 suite captures home gateway software modularity requirements and provides remote test tools that form a cornerstone of many of the operators’ and vendors’ home gateway strategy.
  • Ninja Blocks – Ninja Sphere is both a hardware and software platform designed to seamlessly bridge your smart devices together. By connecting to products from various brands, your home can start using them in new and exciting ways.
  • openHAB – a vendor and technology agnostic open source automation software for your home. Build your smart home in no time!
  • PrivateEyePi – This is a Raspberry Pi projects website aimed at the Raspberry Pi enthusiast wanting to build home security/automation systems and at the same time learn programming and electronics.
  • RaZberry – The Razberry platform adds all the components needed to turn a Raspberry PI board into a fully operational and inexpensive Z-Wave gateway.


  • IoTSyS – IoTSyS is an integration middleware for the Internet of Things. It provides a communication stack for embedded devices based on IPv6, Web services and oBIX to provide interoperable interfaces for smart objects. Using 6LoWPAN for constrained wireless networks and the Constrained Application Protocol together with Efficient XML Interchange, it provides an efficient stack that allows interoperable Web technologies to be used in sensor and actuator networks and systems while remaining nearly as efficient in transmission message size as existing automation systems.
  • Kaa – Kaa IoT Platform — 100% open-source Internet of Things middleware platform for everyone.
  • OpenIoT – The OpenIoT middleware infrastructure will support flexible configuration and deployment of algorithms for collecting and filtering information streams stemming from internet-connected objects, while at the same time generating and processing important business/application events.
  • OpenRemote – OpenRemote is a software integration platform for residential and commercial building automation. The OpenRemote platform is automation protocol agnostic, operates on off-the-shelf hardware and is freely available under an Open Source license. OpenRemote’s architecture enables fully autonomous and user-independent intelligent buildings. End-user control interfaces are available for iOS and Android devices, and for devices with modern web browsers. User interface design, installation management and configuration can be handled remotely with OpenRemote cloud-based design tools.

Operating Systems

  • AllJoyn – The AllJoyn framework defines a common way for devices and apps to communicate with one another regardless of brands, categories, transports, and OSes. Developers write applications that discover nearby devices, and communicate with each other directly and through the cloud, unleashing new possibilities in the Internet of Things.
  • Brillo – Brillo brings the simplicity and speed of software development to hardware for IoT with an embedded OS, core services, developer kit, and developer console.
  • Contiki – Contiki is an open source operating system for the Internet of Things. Contiki connects tiny low-cost, low-power microcontrollers to the Internet.
  • JanOS – JanOS is an operating system designed to run on the chipset of mobile phones. It runs without a screen, and allows you to access all phone functionality, from calling to the camera, through JavaScript APIs.
  • OpenWSN – The Internet of Things enables great applications, such as energy-aware homes or real-time asset tracking. With these networks gaining maturity, standardization bodies have started to work on standardizing how these networks of tiny devices communicate.
  • Raspbian – Raspbian is a free operating system based on Debian optimized for the Raspberry Pi hardware. An operating system is the set of basic programs and utilities that make your Raspberry Pi run. However, Raspbian provides more than a pure OS: it comes with over 35,000 packages, pre-compiled software bundled in a nice format for easy installation on your Raspberry Pi.
  • RIOT – The friendly Operating System for the Internet of Things. Make your applications ready for the smaller things in the Internet with common system support.
    • 6LoWPAN, IPv6, RPL, and UDP
    • CoAP and CBOR
    • Static and dynamic memory allocation
    • High resolution and long-term timers
    • Tools and utilities (System shell, SHA-256, Bloom filters, …)
  • TinyOS – TinyOS is an open source, BSD-licensed operating system designed for low-power wireless devices, such as those used in sensor networks, ubiquitous computing, personal area networks, smart buildings, and smart meters.
  • Windows 10 IoT Core OS – Discover the features and functionality that Windows 10 IoT Core provides. It’s the ease of Windows combined with the power of IoT.
  • Zephyr – Zephyr Project is a small, scalable real-time operating system for use on resource-constrained systems supporting multiple architectures. Developers are able to tailor their optimal solution. As a true open source project, the community can evolve the Zephyr Project to support new hardware, developer tools, sensor and device drivers. Advancements in security, device management capabilities, connectivity stacks and file systems can be easily implemented.

IoT App Development Protocols

Original link:    Original author: exploitprotocol