IoT security work at Talos covers a range of consumer and industrial devices — routers, cameras, NAS boxes — where the attack surface starts at the physical interface and ends at the web management console. I got into the hardware side formally through the TCM Security PJIT course in late 2024, but the resource collection here grew mostly from reading Pwn2Own writeups while preparing for firmware analysis work. These are the references I've actually used: the course modules for foundational technique and the writeup links for real-world exploit chain context.
Overview
IoT security testing covers hardware interfaces (UART, SPI, JTAG), firmware extraction and analysis, and wireless protocols (BLE, ZigBee, Z-Wave).
Course: Practical Junior IoT Tester (TCM Security)
PJIT/PIPA certification, enrolled Nov 2024. Modules:
- Electronics for Hackers 101
- Multimeter and PCB analysis
- Electronics 201
- Logic analyzers and UART
- Hardware recon and OSINT
- UART shell and live enumeration
- SPI and firmware extraction
- Reverse engineering firmware
- Wrap-up
Reference books
- Practical IoT Hacking (No Starch Press)
- The IoT Hacker's Handbook
Practice environments
- OWASP IoTGoat — vulnerable IoT firmware for practice
- BLE CTF — Bluetooth Low Energy capture-the-flag
- Mayhem — embedded systems testing platform
Key attack surfaces
- UART — serial console access; the bootloader and Linux consoles are frequently left enabled and drop into an unauthenticated root shell, so locate the header (GND, TX, RX) with a multimeter or logic analyzer and work out the baud rate before anything else
- SPI — direct firmware read/write from the flash chip, in-circuit with a test clip or after desoldering; this gives you the image to analyse even when the console is locked (in-circuit reads are unreliable while the SoC is driving the bus, so hold it in reset or power the chip separately)
- JTAG — debug interface for memory inspection, breakpoints and code stepping; often locked or fused off on production units, so check before investing time in a pinout
- BLE — sniffing, replay and MitM on Bluetooth Low Energy; Just Works pairing offers no MitM protection, so establish which pairing mode the device actually uses
- Firmware — binwalk extraction of the root filesystem, then hardcoded credentials in /etc/passwd or /etc/shadow (the same hash ships on every unit, so one offline crack covers the fleet) and command injection in the web interface's CGI handlers
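The firmware items above (binwalk extraction, hardcoded credentials, CGI command injection) as a small triage script. This is an added example written for this page, not code from the page, the PJIT course or any of the writeups. It assumes the root filesystem has already been extracted with `binwalk -e`, and the sample rootfs it builds for the demo run is constructed here with made-up hash strings, not real crypt output.

```python
"""Triage an extracted firmware root filesystem for hardcoded credentials in
passwd/shadow and shell-injection sinks in CGI scripts.

Point the two find_* functions at the directory produced by `binwalk -e
firmware.bin` (typically _firmware.bin.extracted/squashfs-root). Added example,
not code from the page or the course; the sample rootfs is constructed data.
"""
import re
import tempfile
from pathlib import Path

# Shell constructs in a CGI script that hand request data to the shell.
SINK_PATTERNS = [
    re.compile(r"\beval\b"),                  # eval on anything derived from the request
    re.compile(r"\$\{?QUERY_STRING\}?"),      # raw query string used directly
    re.compile(r"`[^`]*\$[A-Za-z_{][^`]*`"),  # command substitution built from a variable
]

# Password-field values that mean "no usable hash here", not a credential.
PLACEHOLDER_HASHES = {"", "x", "*", "!", "!!"}


def find_hardcoded_credentials(rootfs):
    """Return (file, user, hash) for every account that ships with a real hash.

    A hash baked into the image is identical on every unit, so one offline
    crack (or one leaked image) unlocks the whole fleet.
    """
    found = []
    for rel in ("etc/passwd", "etc/shadow", "etc/passwd-", "etc/shadow-"):
        path = Path(rootfs) / rel
        if not path.is_file():
            continue
        for line in path.read_text(errors="replace").splitlines():
            fields = line.split(":")
            if len(fields) < 2:
                continue
            user, pw = fields[0], fields[1]
            if pw in PLACEHOLDER_HASHES or pw.startswith("!"):
                continue  # shadowed or locked account
            found.append((rel, user, pw))
    return found


def find_cgi_sinks(rootfs):
    """Return (file, line number, line) for shell-script CGIs that hit a sink pattern.

    Only shell scripts are scanned; a compiled CGI needs a disassembler, not grep.
    """
    root = Path(rootfs)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if "cgi-bin" not in rel and path.suffix not in (".cgi", ".sh"):
            continue
        text = path.read_text(errors="replace")
        if not text.startswith("#!") or "sh" not in text.splitlines()[0]:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            stripped = line.strip()
            if stripped.startswith("#"):
                continue
            if any(p.search(line) for p in SINK_PATTERNS):
                hits.append((rel, lineno, stripped))
    return hits


def build_sample_rootfs():
    """Write a small constructed rootfs to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    files = {
        "etc/passwd": (
            "root:$1$qrG2k6Yx$5lA2tWqkfQc8hPp0jSbFc.:0:0:root:/root:/bin/sh\n"  # hash in passwd itself
            "admin:x:1000:1000:admin:/home/admin:/bin/sh\n"                   # shadowed
            "nobody:*:65534:65534:nobody:/nonexistent:/bin/false\n"           # locked
        ),
        "etc/shadow": (
            "admin:$5$saltsaltsaltsalt$Hdq4bT7pV2Lk9Wc1xYz0mNpRsTuVwXyZaBcDeFgHiJ:19000:0:99999:7:::\n"
            "nobody:*:19000:0:99999:7:::\n"
        ),
        "www/cgi-bin/ping.cgi": (
            "#!/bin/sh\n"
            "echo \"Content-type: text/plain\"\n"
            "echo\n"
            "# classic bug: the query string is evaluated as shell, then used in a command\n"
            "eval \"$(echo \"$QUERY_STRING\" | sed 's/&/;/g')\"\n"
            "ping -c 1 \"$host\"\n"
        ),
        "www/cgi-bin/status.cgi": (
            "#!/bin/sh\n"
            "echo \"Content-type: text/plain\"\n"
            "echo\n"
            "cat /proc/uptime\n"
        ),
    }
    for rel, body in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body)
    return str(root)


if __name__ == "__main__":
    rootfs = build_sample_rootfs()
    for rel, user, pw in find_hardcoded_credentials(rootfs):
        print(f"[cred] {rel}: {user} -> {pw}")
    for rel, lineno, line in find_cgi_sinks(rootfs):
        print(f"[sink] {rel}:{lineno}: {line}")
```

On a real image, feed every hash it reports to hashcat or john and note whether it also turns up in other firmware versions or sibling products; the CGI scan is a first pass only, since most vendor web handlers are compiled binaries whose system()/popen() call sites you have to find in Ghidra.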
Pwn2Own Writeups
Real-world exploit chains on consumer IoT targets. These are useful for understanding how vulnerability classes translate to working exploits on constrained embedded systems. Primary source: Awesome Embedded Systems Vulnerability Research.
Routers
For network-side exploitation and vulnerability chaining on consumer routers.
- Chaining Five Vulnerabilities to Exploit Netgear RAX30 at Pwn2Own Toronto 2022 — Claroty Team82
- PwnAgent: One-Click WAN-side RCE in Netgear RAX Routers (CVE-2023-24749)
- Competing in Pwn2Own 2021 Austin: Icarus at the Zenith
- Cool Vulns Don't Live Long — Netgear and Pwn2Own — Synacktiv
- Pwn2Own Austin 2021: Defeating the Netgear R6700V3 — Synacktiv
- Your Vulnerability Is in Another OEM! — Synacktiv
- Pwn2Own Tokyo 2020: Defeating the TP-Link AC1750 — Synacktiv
- Pwn2Own: A Tale of a Bug Found and Lost Again — CrowdStrike
- The Last Breath of Our Netgear RAX30 Bugs Before Pwn2Own Toronto 2022 — Star Labs
- Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability — Star Labs
- Our Pwn2Own Journey Against Time and Randomness (Part 1) — Quarkslab
- Our Pwn2Own Journey Against Time and Randomness (Part 2) — Quarkslab
- Pwn2Own Toronto 2022: A 9-Year-Old Bug in MikroTik RouterOS — DEVCORE
- TeamT5: Pwn2Own Contest Experience Sharing and Vulnerability Demonstration
- Pwn2Own Toronto 2023: Part 1 — How It All Started — Compass Security
- Pwn2Own Toronto 2023: Part 2 — Exploring the Attack Surface
- Pwn2Own Toronto 2023: Part 3 — Exploration
- Pwn2Own Toronto 2023: Part 4 — Memory Corruption Analysis
- Pwn2Own Toronto 2023: Part 5 — The Exploit
- Pwn2Own: WAN-to-LAN Exploit Showcase, Part 1 — Claroty Team82
- Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2 — Claroty Team82
Printers
For PostScript/PCL parsing bugs and network service exploitation on embedded print controllers.
- Exploiting the HP Printer Without the Printer (Pwn2Own 2022) — Interrupt Labs
- The Printer Goes BRRRRR!!! — Synacktiv
- The Printer Goes BRRRRR, Again! — Synacktiv
- Pwn2Own 2021 Canon ImageCLASS MF644Cdw Writeup
- RCE on the HP M479fdw Printer — Neodyme
- Your Printer Is Not Your Printer! — Hacking Printers at Pwn2Own Part I — DEVCORE
- Your Printer Is Not Your Printer! — Hacking Printers at Pwn2Own Part II — DEVCORE
NAS and IP Cameras
For storage protocol exploitation, authentication bypass and camera firmware analysis.
- Your NAS Is Not Your NAS! — DEVCORE
- Exploiting the Synology DiskStation with Null-Byte Writes — ret2
- Pwn2Own IoT 2024 — Lorex 2K Indoor Wi-Fi Security Camera (PDF) — Rapid7
- Exploiting the Lorex 2K Indoor WiFi at Pwn2Own Ireland
Smart Devices
For speaker and smart TV research where the attack surface includes media parsers and third-party app frameworks.
- Rooting Samsung Q60T Smart TV — Synacktiv (PDF)
- Streaming Zero-Fi Shells to Your Smart Speaker (Sonos) — ret2
- Philips Hue Bridge Investigations: Part I
Automotive
For EV charging infrastructure and CAN-adjacent attack surfaces that are increasingly relevant to embedded automotive work.
- Pwn2Own Automotive: CHARX Vulnerability Discovery — ret2
- Pwn2Own Automotive: Popping the CHARX SEC-3100 — ret2
- Exploiting the Tesla Wall Connector from Its Charge Port Connector — Synacktiv
Methodology
For end-to-end research process: hardware access, firmware extraction and fuzzing setup on real targets.
- Not All Roads Lead to Pwn2Own: Hardware Hacking (Part 1) — HactiveSecurity
- Not All Roads Lead to Pwn2Own: Firmware Reverse Engineering (Part 2) — HactiveSecurity
- Not All Roads Lead to Pwn2Own: CGI Fuzzing, AFL and ASAN (Part 3) — HactiveSecurity (URL same as Part 2 — upstream repo bug)
- Exploiting a Blind Format String Vulnerability in Modern Binaries: Pwn2Own Ireland 2024 — Synacktiv
The methodology series in particular is worth reading in order — it covers the full arc from physical board access through to a working CGI exploit, which is the same sequence the PJIT course covers but with a real competition target as the case study.
See also
- Amateur Radio — RF fundamentals applicable to IoT wireless
- Mesh Networks — LoRa/Meshtastic IoT communication