The Definitive Guide to Attacking the IoT
Before that we reviewed The book Ghidra: The Final Guide because a few of us worked with Ghidra and it was a topic that made sense. In the same way, we spend a lot of time thinking and talking about Internet of Things Security (IoT). Whether it’s Craig Young winning the first-ever SOHOperely Broken competition at DEF CON or the management team IoT hacking lab in SecTor for several years IoT has been a popular topic on the team. So it only made sense to look Practical IoT Hacking: The Ultimate Guide to Attacking the Internet of Things.
One of the aspects of the book that I appreciated was the layout. I am often overwhelmed with a new book, especially if I do not intend to read it from cover to cover. With technical books, I often try to skip topics I know or read sections related to projects I’m currently working on. In this case, the presence of two contents – Short content that comes with the parts of the book and the titles of the chapters, and Content in detail that comes with both, as well as a detailed breakdown – was excellent. The index shares a similar level of breakdown, which at times seemed excessive or perhaps inaccurate. This may make more sense with an example.
Given that this is an IoT hacking book, I decided to look at their references to binwalk. There are a total of five pages listed in the index. Three of these pages are next to “binwalk” and the other two are next to “binwalk Nmap command”. There is no bmwalk Nmap command, so I was curious to know what those two pages are. The pages are part of the Network Assessment chapter in the section entitled “Identifying IoT devices on the network” and the subsection entitled “Detecting passwords through fingerprint services”. This subsection takes you on a journey that feels disconnected. It almost seemed to start with the conclusion, and the authors tried to find a way to tell the story of how they got there. It feels very out of place and there are not many explanations. The other three pages, which refer only to the binwalk, include an entry in the toolkit and two pages in the tool. The first two pages (connecting Nmap and binwalk) looked like an error that wasn’t caught, and the rest like the minimal explanation I’d like to see.
However, I also liked the material he refers to. Let’s see how others feel.
Practical IoT hacking is full of a lot of information. The book covers a very diverse set of technologies and intersects smoothly between the fields of hardware, software, networks and radio frequency technologies. This book has enough guidelines to get someone to start auditing, but it lacks depth and can sometimes lose some beginning students. Although I haven’t done any of the exercises yet, the instructions generally seem clear to anyone with a moderate Linux experience. The book comes with additional resources to complete various exercises throughout the book, including working with external devices such as software-defined radio interfaces (SDRs), Raspberry Pi, ESP32, and Arduino. I personally look forward to working through some of the hacker hacking hands on activities in Part 3 of the book.
I was sometimes surprised which topics were selected (or omitted) and how many pages focused on different tactics or tools. For example, there is an MQTT section that includes a 10-page exercise to recreate an existing password-punching tool, but there is no mention that clients can request all the data at once from a broker using a topic alias. In the WiFi section, I also wondered why there is a section for WPA2-Enterprise that contains only a brief explanation of the surface of the attack, instead of referring to or demonstrating one of the various tools for automating these attacks. Personally, I would prefer to read a little more about WPA3 and the attacks described in Mattie Vanhoff’s study. There is also a noticeable absence of some key categories of vulnerabilities that typically affect HTTP interfaces for IoT devices. Although there is a reference to spoofing requests for various sites, I did not encounter any mention of locating or using DNS rewinding, command injection, directory crawling, or HTTP authentication crawling vulnerabilities. In general, there is relatively little discussion about the prevalence of flaws in local IoT interfaces or how to find them.
The section that really caught my eye as missing content was Chapter 39, entitled “Firmware Hacking.” This chapter describes how to extract file systems and emulate the device after receiving a firmware image. I think this chapter really fails to capture a lot of basic information that researchers should look for when analyzing firmware. The chapter focuses on a rather boring CVE and analysis tool from 5-6 years ago. Unfortunately, this academic tool is very limited in its capabilities and I think readers would be much better served by a few pages discussing the intricacies of use. chroot, nvram counterfeiter, and LD_PRELOAD or side-loading firmware components on developer boards and other devices. The book doesn’t really discuss the enormous value of being able to identify system components, scan server sources, and detect vulnerabilities or even backdoors.
As I said, the book is full of all sorts of interesting information, but there are also some noticeable gaps and room for expansion. I would recommend this book to someone who is interested in learning more about the surface of an IoT attack and learning some tried and tested techniques, but I don’t think it’s ideal for teaching readers the processes of finding vulnerabilities in new devices.
Rating: 3.9 / 5
– Craig Young
Chief Security Researcher
Practical IoT hacking it is definitely a book that I would recommend to anyone involved in IoT, especially to those working in any kind of cybersecurity role, as well as to any type of IoT developer. The book has a good combination of general to specific knowledge in the main areas that include IoT. I really like how they introduced the topic in the first chapter, especially how they introduced and explained the legal issues one might encounter when doing security research. I also like that they initially introduced other high-level aspects, such as threat modeling and security testing methodology. Subsequent parts of the book focused on network, hardware, and radio hacking, and these chapters included almost what I would expect from a book like this. The last two chapters ended the book well with discussions about attacking mobile apps, as well as a full description of smart home hacking. I say that the steps they took to hack a smart treadmill seemed a bit lame (at first) because the hack required physical access to the device, and in our world, if you have physical access, the game is over. However, they illustrated how to get out of the device’s user interface, and from a security standpoint, there is knowledge that others can gain from this illustration. One area of improvement for the book could be the addition of a broader discussion of IoT and its relationship to the provider and / or cloud infrastructure. Overall, I liked the book and will probably review it again in the future.
Rating: 4.5 / 5
– Lane Thames
Chief Security Researcher
Practical IoT hacking is a sharp, well-designed book that first takes readers by the hand through the landscape of the IoT. It reveals why IoT security is important and the many threat models and processes that can be used in a simple but effective way. After a brief introduction to security testing methodologies, the book takes the reader to the IoT network portal, giving examples of common workplace and home settings with detailed attacks that most novice people could replicate. The hacking hardware section of the book is where things get interesting to me as a reader. With limited experience in the knowledge of physical hardware hacking, I felt that the author gave very detailed and easy to understand examples, as well as presented some cool tools such as Ghidra and JTAGulator.
At the end of the book, in the last chapters, the author quickly reviews some examples and tools that can be used to target the IoT ecosystem, which for this part is located mainly in the reader’s house or on their phone. With this in mind, the author gives real-world examples that could happen and offers many tools to test their examples. Overall I liked it Practical IoT hacking. The book provides many real-world examples and many resources that the reader can use to help immerse themselves in the IoT landscape.
Rating: 4.5 / 5
– Matt Jerzewski
Practical IoT hacking provides a wide variety of information from searching for application layer security issues to physical access. The book suggests that you start looking for vulnerabilities using a vulnerability scanner. This is a great suggestion, as many IoT devices suffer from the same, if not similar problems. The book also covers firmware retrieval using binwalk, which can give you access to a wealth of information about the device’s services. At the end of the book, the authors explain how to use JTAG to use IoT devices. Generally, Practical IoT hacking provides a wide range of information and gives the reader an idea of how to start looking for security issues on IoT devices.
Rating: 4.0 / 5
– Andrew Freedom
Senior Security Researcher
At the end of the day, I think I would be inclined to agree with Andrew when I rate this one and I would call it 4.0 / 5.
Overall rating: 4.2 / 5