Hello and welcome to IoT Testing: A Crash Course. I am Tim Jensen, also known as the Apple Sniper, and I will be discussing things with you today.

Standard DEF CON style disclaimer: the presentation is being given by myself on a voluntary basis, without any warranty. This presentation does not represent any of my past or present employers, and all examples given in this presentation are common IoT issues and do not relate to a single product, service or customer tested during my career.

A little bit about me. I attended my first 2600 meeting in 1999, which is definitely making me feel old the longer this goes. I've been in infosec for about nine years professionally, mostly in pentest consulting. I've done about five years of server admin and software development prior to that. I co-owned and operated a hack lab in Fargo, North Dakota for four years, where I conducted broad information security training and hardware hacking training, and I have a number of popular certifications, including CISSP, OSCP and CREST CRT, which anybody from the UK might know. In pen testing, network, IoT and web app are my main bread and butter.

So what is IoT? You're probably panicking right now because I'm going very overhead, but I think this is important to think of. Anything IoT is really a device that is connecting back to the cloud to process data, store data, or allow connectivity to your devices internally. So, things like on the screen here: I have a couple of Ring cameras. They do very little processing locally. They send the streams up into the cloud, the cloud processes your data, and you connect to the cloud from your phone or computer. You never really connect directly to the devices. Same with the garage door opener: that allows you to connect to the cloud and open and close your door and see the status of your door, which is very convenient. But when you have things like access control, like locks on your doors and garage door openers, you start having very real security concerns if you can manipulate this, because obviously somebody can break into your house or business, and that is definitely not good. So whenever we're talking IoT, just keep in mind we're talking about anything that's really connecting back up to the internet to process data or allow access.

So the first thing that I really stress with any sort of IoT testing is mapping functionality. This is passed over a lot during testing. You want to take a look at the device and see what all it's connecting to and what protocols it has enabled. So let's take this little camera here. If you scan it, it's going to get an IP; if you scan that IP, you're going to see multiple ports that are open. Being a desk camera, it's not going to actually have much, but a lot of cameras will have Telnet or SSH or something of that nature open, and multiple video protocol ports for streaming video. All sorts of fun things can be open. So mapping that functionality, you'd want to put all that data in. You want to know: yes, it's connecting to Wi-Fi, it's not hardwired. So now we have Wi-Fi in scope, and the devices that connect to the Wi-Fi and then back up to the cloud and then back to get that data. We have the API between the cloud servers and the device. Things that also get passed over a lot are all of the third-party components that are being connected to, both directly from the device as well as from the cloud servers, if you can figure that out. It's interesting to look at that from a security perspective: where is your data going, and do you really know what's happening to it? Sometimes you can tell that, because people want to do less and less on their side and they push it down to the client, and if your device can handle third-party connections, they will try to have it do so.

Some things can get kind of fun here when you're mapping out functionality. A camera here isn't as complex. Today, while shooting this presentation, I use ASUS ROG (Republic of Gamers) routers, and the laptop I'm on is a very new ASUS ROG laptop, and I figured out that for some reason, when I get Windows updates applied to my ASUS ROG laptop, my router resets and reboots itself on the next start of the Windows machine. So now we have a connected device using protocols between the different ROG components, which I did know were connected, but I did not know that restarting one basically is restarting another. So when we get back into IoT testing and looking at IoT devices, that can actually be of a similar vein, where one device might tell another device something to do, and you might need to look at a whole collection of devices to really understand what functionality is actually there.

So we're gonna just jump right in here. Stepping back one step, the point of this talk, and what I want to do, is basically describe, if you're already a penetration tester of any discipline, the different disciplines and how they tie together. So you can do web app interfaces, you can do network testing, you can do code review, you can do API testing, you can do physical testing, as in hardware testing. So if you've never done full IoT testing before, just some tips and hints to pull all those testing disciplines together, and to give you a little bit of a jump forward if you're just starting out in IoT testing.

First things first: you get a device. What are you gonna do with the device? So hey, I'm holding a random IoT device. What can we do with it? Or maybe you don't even have the device, and actually I like to test a lot of devices that I don't even have. So the first thing that you want to do is see if the firmware is publicly available and if it's encrypted. What you can do is go onto the internet, and for some examples here we are going to use this ASUS RT-AC66U router, which is my old router that is no longer in use. So we can take a look at this router here, and if you've ever tried to update firmware on any IoT devices or routers or whatever, you could usually just go out online and see that the firmware is available. We see here, hey, we've got a new one from February 5th, 2021, and we can even see, hey, look at all the CVEs and stuff that this fixes. That's convenient. So what we can do is just download this firmware, and that's what we're gonna play with today, just to try to figure out how to really get into the weeds of IoT.
One thing to point out, though: whenever you're doing pen testing you can look at what's in this version, but make sure to hit "see all". Now you can go between all the different versions. If you pull these down, as I'll show you in a minute, you're gonna get very detailed access into these files and into the source code, and you can take the source code between these two and diff that source code, and you're gonna find where these directory traversal vulnerabilities or where these cross-site scriptings were. That's gonna be very easy for you to figure out. So always make sure to look at the last couple of versions to see what vulnerabilities were there, and you might be able to track down some new vulnerabilities, or see if those are duplicated in other areas that weren't caught.

I've already pre-downloaded this firmware here for the ASUS router. So if we go into my Kali machine and take a look, I have an IoT lab set up here, and we can see here is our ASUS router firmware: it's RT-AC66U, the version, and a .trx file. So all that you need to do, in theory, is run binwalk -e -M and then put in your file there and hit enter. So this -e is extract, and the -M means that it's going to keep extracting sub-files. What that means is, if you go into this directory that I've already extracted and you look, here's a 7-Zip, here's a SquashFS, here's squashfs-root. If you did not do that -M, you're not going to get this squashfs-root, because these have not been extracted. So the -M is recursively extracting over and over and over again, which is very important. So if we run that here, binwalk is literally walking the bin and dumping out a bunch of wonderful things. So we can see it's a TRX firmware header, it has LZMA compressed data, it does a SquashFS file system, as we had seen before in those directories up here, SquashFS, and then we can see, hey, it's doing things, wonderful, wonderful things. And if we do an ls here, we have another directory that got opened up, because I've run it twice now. So if we go into this, again we can see those files that we saw before. If we go to the squashfs-root, we have the entire file system that's on the device. Now, you will notice that some things are missing: /etc, /home. If you look, these are broken links; they're all going to /tmp. So if you go to /tmp, you'll notice that's blank. We will get into that in a minute, but just so you know, from binwalk that could mean that something is not decompressing, or it could be something else that we'll get into. But what you want to make sure of when you're doing binwalk is this: the number one problem people have with binwalk decompressions and walking them is not reading for errors.

So let's go back to the document here. We see binwalk common issues here. You'll get an error: "No such file or directory", "lzop error", "No such directory", "unable to read extracted files". Kali is very bad with binwalk. It's broken out of the box 100% of the time, as far as I've been able to tell. So always go to the GitHub for ReFirmLabs, the binwalk project itself, and look at the dependency file. I've also not had luck running it: there's a combined file that you can run to install the dependencies, and that does not work. I manually install whichever packages are missing, and it is a very important step. If you miss things, you're not going to get anything, and the problem is it's hard to tell sometimes what's an error and what's not if you don't read that. So for example, if we go back out here and we do a -e -M on this FPV 300 mini, this is for a business security camera that I pulled offline, and if we run binwalk on that, it says, hey, there's LZ4 compressed data, there's some MySQL stuff, and when we look, there's nothing, and the reason for that is all of those files are encrypted. So without being able to decrypt this firmware, you're not gonna get anything. If you don't read those errors, you might think, hey, it's encrypted, versus your binwalk just didn't set up properly, and that's a major problem. You can get this same issue with things like this AvertX IP camera. We binwalk that one, and this one really looks like it's doing stuff. We've got a bunch of different stuff going on here, we're not seeing any errors, which is good, and we've scanned everything through. If we go to the extracted firmware, we see there's a 0.zip in this path; if we go into the path, hey, we have a uImage extracted, and where I would expect files to be, the cpio root and root again, there is nothing. So chaining down, going extraction, extraction, extraction as it's recursively digging through, there were files to expand, but when we actually got to anything that we really wanted, it was all encrypted.

And by the way, if you're on the device manufacturer side, I say encryption is the number one thing you can do to protect your device. You should be giving unencrypted firmware to your pen testers and bug bounty people to do testing, but for the general public, encrypting and signing your firmware updates is very important, and preferably not just handing them out on a web page either, so make it download through the device, or go through a support portal for registered users that are confirmed users of the device.

All right, so that's kind of our little opener into binwalk. One big important step: binwalk sasquatch. This is probably the most important package for binwalk, and it has been broken for years. To get it installed you have to run this apt-get install. This is in that dependency instruction: git clone. But to build this is not in that instruction. You need to add this before the ./build, or your build will fail. If you don't have that, you're not binwalking. So make sure to note that down in your IoT handbook to use in the future whenever you're setting up an environment.

Navigating file systems. I'm just gonna touch a little bit on this. We already touched on successful versus failed binwalks, so let's go back to those broken links I was talking about. There's two ways you get these broken links. One, and this is the most common in my opinion: when the device is flashed initially, all of these locations are created, and when it's running these updates they don't want to overwrite those files, such as your /etc directory that has all of the main configurations and the like. So it won't upgrade or overwrite all those files with your passwords, your configurations, things of that nature. They leave those out intentionally. The other option is it could be an application that runs that will then generate these directories and these files inside, which is actually one of the cases; it's kind of a split with this device, some of it I believe is missing intentionally and others get built by a file.

But once you have this firmware here, just so you know, we can look at a number of different things even though we don't have everything. What we would like is /etc/passwd and /etc/shadow. That would be very convenient to have, so we could see what passwords are on here. This is before the device is set up. So if a password works here, and then it works after you've configured the device, you know that that's static. As well, if it works here before setup and it works on a device you have running, you know that that's the same on every device. So that would be a very good vulnerability to have from a pentest perspective; cached credentials like that is bad. But we can also go into www here and we can see all of the files running on the system. This is very useful. We can tear apart anything, right, and look at how it's handling authentication, everything of that nature. It was qis, I believe. Let's do qis admin pass here, and we can see the server side code. Let's take a look at some things. We have different username values that are hard-coded: root, guest and anonymous. Whether I find it here or not, I also found some passwords that it does not accept, or at least does not let you set new. I'm not sure if I'm going to find that while we're in demo god mode here, and I don't want to waste too much time, but you can go through this code, and you can go through all of it and take a look.

One important thing is you can actually pull this all off and move it to your own server as well, and actually run the code off device. So just set up another web server and you can be running the device code and take a look at it and play without working on the device itself. One very important thing with IoT devices is they're small microchips. So if you think of it, you're running this not even on a Raspberry Pi, maybe more of an Arduino level of hardware. So doing any sort of scanning can crash the device.

So if we're kind of talking about the broken links, and why reviewing the static OS credentials and reviewing installed applications gets missed by a lot of people, we're gonna take a look at that real quick. So if we look at bin, everything they put on is taking space.
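The file-system review just described (broken links into /tmp, whether passwd and shadow survived extraction, which service binaries ship in bin/sbin, and running strings against a binary that builds /etc/shadow) is done here as an added Python audit script. It is not code from the talk or from ASUS; it runs over a binwalk squashfs-root style directory, and the sample tree it builds is constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Binaries whose presence usually means a listening port on the device (constructed list)
SERVICE_BINARIES = {"telnetd", "utelnetd", "dropbear", "sshd", "httpd", "lighttpd", "ftpd", "tftpd"}
BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin")
CRED_FILES = ("etc/passwd", "etc/shadow", "etc_ro/passwd", "etc_ro/shadow")
SHELL_META = re.compile(rb"[;|&`>]")
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # what `strings` extracts, minimum length 6

def _inside_dump(root, rel):
    """root/rel, or None if any component is a symlink: links in a dump point at the device's
    own filesystem, not the analyst's host, so they must never be followed."""
    p = Path(root)
    for part in Path(rel).parts:
        p = p / part
        if p.is_symlink():
            return None
    return p

def review_symlinks(root):
    """(link, target, status) for every symlink: 'tmp' = boot-time tmpfs, 'missing' = target
    absent from the dump, 'ok' = resolves inside the dump."""
    root, out = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):  # os.walk never descends into symlinks
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = os.readlink(p)
            dest = root / target.lstrip("/") if target.startswith("/") else p.parent / target
            if target == "/tmp" or target.startswith("/tmp/"):
                status = "tmp"
            else:
                status = "ok" if dest.exists() else "missing"
            out.append((str(p.relative_to(root)), target, status))
    return sorted(out)

def credential_files(root):
    """None when the file is not a regular file in the dump (generated at boot), otherwise the
    accounts whose second field is a real hash or cleartext value baked into the image."""
    report = {}
    for rel in CRED_FILES:
        p = _inside_dump(root, rel)
        if p is None or not p.is_file():
            report[rel] = None
            continue
        report[rel] = [line.split(":")[0] for line in p.read_text(errors="replace").splitlines()
                       if line.count(":") >= 1 and line.split(":")[1] not in ("", "x", "*", "!", "!!")]
    return report

def _binaries(root):
    for d in BIN_DIRS:
        dp = _inside_dump(root, d)
        if dp is not None and dp.is_dir():
            yield from (f for f in sorted(dp.iterdir()) if f.is_file() and not f.is_symlink())

def service_binaries(root):
    """Known network-service binaries shipped in the image; each one is a port to explain."""
    return sorted({f.name for f in _binaries(root) if f.name in SERVICE_BINARIES})

def shadow_format_strings(root):
    """Like `strings -a <bin> | grep -C3 etc/shadow`: printable strings that combine etc/shadow,
    a %s placeholder and shell metacharacters, i.e. a shell command assembled from some input."""
    return [(str(f.relative_to(root)), s.decode())
            for f in _binaries(root) for s in PRINTABLE.findall(f.read_bytes())
            if b"etc/shadow" in s and b"%s" in s and SHELL_META.search(s)]

def audit(root):
    return {"symlinks": [s for s in review_symlinks(root) if s[2] != "ok"],
            "credentials": credential_files(root),
            "services": service_binaries(root),
            "shadow_builders": shadow_format_strings(root)}

def build_sample_root():
    """Constructed stand-in for a binwalk squashfs-root, NOT a real vendor image."""
    root = Path(tempfile.mkdtemp(prefix="squashfs-root-"))
    for d in ("bin", "sbin", "tmp", "usr/sbin", "etc_ro"):
        (root / d).mkdir(parents=True)
    os.symlink("/tmp", root / "etc")   # /etc and /home only exist once the device has booted
    os.symlink("/tmp", root / "home")
    os.symlink("tmp", root / "var")    # relative link that does resolve inside the dump
    for name in ("sbin/telnetd", "sbin/httpd", "usr/sbin/dropbear"):
        (root / name).write_bytes(b"\x7fELF stub")
    # boot-time helper that assembles the shadow file through the shell (constructed)
    (root / "sbin/init_accounts").write_bytes(
        b"\x7fELF\x00\x00echo '%s:%s:0:0:99999:7:::' >> /etc/shadow\x00/bin/sh\x00")
    (root / "etc_ro/shadow").write_text(
        "root:$1$constructed$notarealhash:0:0:99999:7:::\nnobody:*:0:0:99999:7:::\n")
    return root

if __name__ == "__main__":
    for section, findings in audit(build_sample_root()).items():
        print(section, findings)
```

Point audit() at a real squashfs-root instead of build_sample_root() to use it on an extracted image; every hit in shadow_builders is a candidate for the manual %s review described above, not a confirmed injection.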
So you want to see what people are putting in and why, to see if there's anything weird, especially any server components that might open or close ports, and then you're gonna want to scan the system to figure out why it's there. So if Telnet's here, SSH is here, anything of that nature. But you can get into some fun. So here, sbin, obviously we're seeing some more kind of fun stuff. You know, syslog is on here, which you expect for a router, but we see these ASUS ones here: ASUS LP, ASUS SD, AS GSR TTY. We can run strings on these, and you can kind of go through and see what they do. They're binary files, but you're trying to figure out what they do, and I'll just cheat here a little bit because I already know it's there, what I'm looking for. So if we see here, we're searching for etc/shadow and we're looking for three lines above and three lines below, and what we start seeing here is, we're looking at /etc/shadow, and here's the actual shadow lines, and it's building the /etc/shadow file from this command. So when I was saying that sometimes the file system is built after the startup of the device and sometimes it's flashed on there and you're updating with these firmwares, this is what I'm talking about with it being created afterwards. If we start looking at this, it's taking a %s, which from just a cursory look appears that it may actually be user input, and if we're taking that user input and putting it in, can we take that from the device and add that in and actually do command injection? That might be a possibility, if we can write this whole command out and have it run a command and then just do a comment line to comment out the rest of this. That's just normal, overwritten command injection kind of stuff. So some of these kinds of commands can really open up a lot of possibilities which you would not see from just looking externally at the device. But when we start looking at how the setup works in the back end and doing the code review, you can find a lot of cool stuff.

Reviewing cron jobs. Unfortunately, without the device running there's no cron job set up, and I couldn't actually find anything running cron jobs, which is interesting on a router; I normally see that. Also not seen on this, but I see it a lot: look for any artifacts left over from the device testers. I usually see a lot of log files, or even like .test or something, where they're actually leaving test artifacts, which may have credentials for the test environments, or may just leak a bunch of other information that shouldn't be left around. But if you can get that information, it's really handy sometimes at a pen test to see if you can break out and attack the cloud systems with that information.

All right, so going on to API connections. I think API connections are probably the most important thing to test on an IoT device, and a lot of times it doesn't get tested. This is where you need to either be doing a penetration test, be an internal tester for the company, or be a bug bounty person with it in scope, because if you're attacking the API you are attacking their cloud servers, and if you do this without authorization you could be in a lot of trouble. So there are some passive things you can look at and some active. Passive is generally probably going to be considered safe to test; active is generally not going to end well if you don't have a contract.

You can look at the code and do a code review of how the initial connections are set up. That can be very interesting with devices. Something like a Nest camera: you have an account and you add your device to your account, and when you do that your API key is for your user, and that makes sense. Some devices that I've seen do this very weirdly. I've actually seen some devices where every device gets the same API key, and you basically send the serial number of your device up to the cloud server, and that's how you access your data, and the serial number of the devices is often times a MAC address or something of that nature. So they're predictable, and if you start rotating those through, you're accessing other people's data. They're usually done on less sophisticated devices that way, obviously, but I've seen quite a few out there like that, and there can be a lot of other issues as well. So kind of trying to figure out how that connection is set up: read through the code, look for logic issues. Since most people aren't looking at that code, it's very commonly missed if you have an issue there. So that's pretty much the first thing that I look for.

So again: does everybody have the same API key? How does each device interact with the API? Try to get three devices going, and if you can see their API keys, see: are they all the same? Are they predictable? What kind of data is being sent that differentiates the connections? Then also, doing the code review on the device, look for any API methods that are out there that you can enumerate. So what all functions can you connect to? You might not see all of them going back and forth all the time, so I'll look in the code to see if there's anything that's in the code for testing purposes, or things of that nature, that's not normally in use. Pull that out and play with it. You can fuzz (this goes back to the active side) API methods and try to discover new features. Burp Suite has a lot of fun with that, and you just get a list of different methods to try to dump through.

Removing authentication methods entirely: I see this a lot on IoT connections, and I think it's a test thing they forget to set as required in production, but I have seen this on probably 25% of the IoT products that I've tested over my career. If you just remove the authentication methods entirely from the connection, it will give you some level of access. Sometimes it's administrator. Sometimes you just get access to an organization if you leave the org in there, but it's kind of scary how often that works. And then also check the server for a WSDL that will define all of the methods in scope, or sometimes, if you scan that server, you'll find Postman files or weird stuff out there that's going to define that, or just check for other documentation that might define all of the different methods for the API. Also, don't forget to check, because I see this a lot, test or QA environments exposed to the internet, and again check all of those for any documentation, WSDLs, anything of that nature out there. You might be able to pull all of that from a test or QA environment that's exposed for testing between manufacturers and partners, and if you can do that you can use that against production.

So when we're looking at code review on a device, the great thing again is binwalk dumps it out and we get to see all that wonderful code. You're looking for default credentials and back doors. You see this a lot: back doors get left in a lot for testing, as well as for administration later, if somebody calls in and says, you know, I've got this critical problem with my device; they might have a back door to get into it for support. Default credentials is more of a thing that authentication gets screwed up a lot. That's kind of why we're all in pentesting and security: this is a consistent problem. So look for credentials that don't roll over upon device setup, or get missed, or are just generally weak and can still be used. Look for all of that kind of stuff. Authentication logic failures happen a lot. Again, when you put in usernames and passwords, how is it actually handling that? Going into the code, can you break out of things? Can you bypass authentication?
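The "get three devices going" comparison from the API section above, as an added Python helper that is not part of the talk: given requests captured from several units of the same product, it reports whether the units present one shared API key, whether any unit sent no credential at all, whether the per-device identifier is MAC-shaped and how far apart neighbouring serials are, and which parameters actually differ between units. The header and parameter names, the host and the captures themselves are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$|^[0-9A-Fa-f]{12}$")
AUTH_HEADERS = ("x-api-key", "authorization")   # header names are assumptions
ID_KEYS = ("serial", "device_id", "sn", "mac")  # parameter names treated as device identifiers

def parse_request(raw):
    """Split one raw HTTP request into method, path, headers and merged query/body parameters."""
    head, _, body = raw.strip().partition("\n\n")
    lines = head.splitlines()
    method, target, _ = lines[0].split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})
    return {"method": method, "path": url.path, "headers": headers, "params": params}

def api_key(req):
    """The credential the unit presented, or None if the request carried none."""
    return next((req["headers"][h] for h in AUTH_HEADERS if h in req["headers"]), None)

def device_identifiers(req):
    return {k: v for k, v in req["params"].items() if k.lower() in ID_KEYS}

def mac_gaps(macs):
    """Distance between consecutive MAC-derived serials; gaps of 1 mean neighbouring units are guessable."""
    vals = sorted(int(re.sub(r"[:-]", "", m), 16) for m in macs)
    return [b - a for a, b in zip(vals, vals[1:])]

def compare_devices(captures):
    """captures: {unit label: raw request}. Answers the questions from the talk in order:
    same key everywhere? identifier predictable? what actually differs between units?"""
    reqs = {label: parse_request(raw) for label, raw in captures.items()}
    keys = {label: api_key(r) for label, r in reqs.items()}
    shared = sorted(k for k, n in Counter(keys.values()).items() if k is not None and n > 1)
    no_auth = sorted(label for label, k in keys.items() if k is None)
    mac_like = {label: v for label, r in reqs.items()
                for v in device_identifiers(r).values() if MAC_RE.match(v)}
    all_params = {k for r in reqs.values() for k in r["params"]}
    differing = sorted(k for k in all_params if len({r["params"].get(k) for r in reqs.values()}) > 1)
    return {"shared_api_keys": shared, "no_auth_header": no_auth, "mac_like_ids": mac_like,
            "id_gaps": mac_gaps(mac_like.values()), "differing_params": differing}

# Constructed captures from three units of one fictional product; not real traffic.
CAPTURES = {
    "unit-A": "GET /v1/stream?serial=00:11:22:33:44:55&fw=1.0.4 HTTP/1.1\n"
              "Host: api.example-iot.test\nX-Api-Key: PRODUCT-WIDE-KEY-0001\n\n",
    "unit-B": "GET /v1/stream?serial=00:11:22:33:44:56&fw=1.0.4 HTTP/1.1\n"
              "Host: api.example-iot.test\nX-Api-Key: PRODUCT-WIDE-KEY-0001\n\n",
    "unit-C": "GET /v1/stream?serial=00:11:22:33:44:57&fw=1.0.4 HTTP/1.1\n"
              "Host: api.example-iot.test\n\n",
}

if __name__ == "__main__":
    for finding, value in compare_devices(CAPTURES).items():
        print(f"{finding}: {value}")
```

On the constructed captures the only parameter that differs between units is the MAC-shaped serial, which is exactly the situation described above where the serial is the whole access control.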
Are other applications stored in a backup directory? Sometimes they'll have five versions of the device in a web directory, and you can go back through the different versions, and if you know vulnerabilities are in those you can look that up, or again you can look if there's default credentials in those. Sometimes you can reset a device by going to /back/index.html, and it will get you back to that new user setup, and now you can roll over the device and take it over from whoever had it set up before. And again, test code left behind quite often. I had something else I was gonna say on code review and I am blanking at the moment, so unfortunately we're missing it.

All right, so sometimes you want to go from firmware to interactive. Ideally, if you're pentesting, you have a device. Downstairs I have my router; I can pick it up, I can play with it, I can run nmap against it, I can run desys against it, all that kind of fun stuff. That is awesome. Sometimes you don't have that. You can use QEMU to emulate the firmware. It is a royal pain. It is such a royal pain that some people made Firmadyne, it's called, and with Firmadyne you can load in that firmware file and it will try to emulate the device and run it in a virtual machine that, again, is very similar to the actual device itself. You're gonna be missing some hardware connections, obviously, to real physical components, but in general it will be the same. QEMU and Firmadyne are an art to get working, and on a time crunch for a pen test it can be a pain, so don't spend a ton of time on it. I like to look for the code review stuff and have a physical device. I do not like to test entirely in an emulated environment. It is not a good test. But as I had said before, you can also just steal the files and move them to a running Linux instance. So steal those www files, and steal those sbin files if you can, and try to get that going. Stealing those sbin files, you're gonna run into some architecture complications, because these devices are running on ARM or other embedded hardware. But the www files are just going to be transportable PHP or whatever, so those should be able to be run very easily, and at least you'll get some testing. Because again, one of the biggest problems here is if you hit your devices too hard and they're an embedded chip, the whole device is just going to DoS itself and die. So this will allow you to put it on more robust hardware and really hammer that with Burp or something, and save yourself a lot of time.

So, the ugliest slide in my deck because of pictures: man in the middle on IoT devices. This also throws people for a loop sometimes. This usually needs hardware. For wireless setups you can do this yourself with hostapd. hostapd runs on a machine, and you have one or two network connections in it, wireless network jacks, and basically one turns into a wireless access point and you set it up, and now you set the device to connect to that, and it will funnel through the machine to either an Ethernet or another wireless access point that you have set up to get your internet access. You can run things like Wireshark then to man in the middle the device, and all you really need is either an Ethernet and a wireless card on your machine, or I usually plug in a couple of wireless dongles and jack those in, and that makes it easy. You can go overkill with a Hak5 Pineapple. hostapd can be a pain sometimes to get working if you're not using the same environment over and over again. The Hak5 Pineapple actually is pretty slick; it's very set-and-forget most of the time. So that will do all that hostapd for you, and you just plug it in to a laptop that has internet and it's gonna funnel all that data right out for you. So it takes a little bit of that work out, plus they look stylish.

For wired setups you have Throwing Star LAN Taps, which are cheap, about 20 bucks; Hak5 Plunder Bugs, which are about 70 bucks, and that's Ethernet on both sides and then a USB-C cable that goes out. But the Hak5 Plunder Bug is actually an active or passive device, and I have it error out on me a lot, and I seem to spend more time troubleshooting the Plunder Bug than I do trying to test the device. So I went and bought this SharkTap on Amazon. They're about 170 bucks, which is a little more spendy, but it allows the connection through, it does a PoE pass-through, which is really nice because a lot of IoT devices are PoE, and you get up to a gigabit tap. So that's really nice; it all comes out in one tap. So does the Plunder Bug. The Throwing Star LAN Tap actually doesn't, so it goes directly through, but you get data for one side, so transmit out and transmit in come on different connections. So you actually have to have two Ethernet cables pulling into your laptop to get full duplex on that to read all the data, which is very bizarre. For the hardware, what it is, it's very small and it's very cheap, so that's good, and if you're hiding this in a network closet that might be fine, but for our testing I really recommend the SharkTap.

Honorable mention: it looks like Hak5 just upgraded the Pineapples. I'm not in any way affiliated with them or getting money for this; I just thought the new Pineapple has a special hardware board for it that's a Kismet style, and you can get lights, and it just looks damn cool. So I thought I'd point that out. If you're on-site, go pick one up, because I'm certainly going to.

All right, so some packet capture notes. You want to look for cleartext communication. You want to look for data going to third parties, because again, anything going out to a third party, you kind of want to figure out what's being sent and why. People love selling your data, so try to figure out what they're selling. For any encrypted data, check to see if it's asymmetric or symmetric. If it happens to be symmetric encryption, you might have that decryption key on the device, and that's very neat: you can decrypt on both sides and see what they're sending. And also look for strange connections that can't be explained. I've actually tested a couple of devices in my career that, when I fired it up, I left it for 30 days, and 20 some days later it does this weird connection out. One tripped me off because it went to a university, I think it was in the Philippines. It turns out it was a compromised device out there, and the base device had been compromised and was calling back home with its shell. So supply chain attacks like that do happen, and if you're doing a pen test on it, or if you're doing this to look to see if you want the devices in your network, I strongly recommend running a packet capture at least 30 days to see if anything weird goes on, and that can be on pre-setup and set-up devices. I prefer running it on both.

So getting kind of to the end here, and I haven't been running a timer.
So I hope I'm doing okay on time Hardware testing the first rule of hardware testing is you will destroy at least one device For pen testing or bug bony I recommend three devices one to test with and normal two for normal user capacity because I get failed devices quite a bit Especially when they're new If you request just one device, it's pretty common to get one that's dead on arrival So So the one is for normal user testing actually with two is for destructive hardware testing because you'll probably blow one up If you only have one device leave all hardware testing until the end set expectations that retesting is going to be out The window because again, you might blow up the device and once you start soldering on it It's probably not going to operate the same way that it was supposed to anyway The second rule of hardware testing is don't test hardware if you don't know what you're doing I cannot stress this enough if somebody tells you in a consulting capacity Do this test and you don't know how to do hardware testing say that you can't do hardware testing Because you will smoke the device and there's nothing that ruins your credibility faster than having to ask for a bunch of devices Because you've mis-soldered something and then if you get another one you screw up again and another one you screw up again You're gonna look like an idiot So as we can see If you screw up some soldering stuff you can when you power the board up you can blow the brains out of the board Image source from a hardware Engineer electrical engineer But I will go over some of the hardware attacks so you're aware of them And then you can go and dig in and I'll talk about a little bit about some training courses that are out there for you as well So some hardware attacks that you want to look at dumping firmware So you can dump the firmware directly off of the chips that are on the board if you pull it out So what you want to do with that is there's things called chip clips And you have 
the chip on the board and this clip literally clips around it And when the board is running you can pull that data off and Dump that firmware and then just do exactly what we did and extract that firmware and look at it that way if they had flashed anything On there that the update isn't getting You're going to get that as well In most cases sometimes there's security hardware chips that that blocks and things, but that's a little more rare Then there's also a UART and JTAG to gain interactive consoles So these are test leads that are put on a board For when they're developing the actual hardware Theoretically in production they should burn those off so they should fail and never be an operable on a production board But that's only starting to really come to play in major hardware You still see a lot of it available because if you send something back They want to be able to hook into it and see what what went wrong with it So a lot of times they leave those open and just kind of looking at what I'm talking about that so Here's on a motherboard Actually a network board. So here down here is the JTAG connectors. So you've seen them working on desktop computers I'm sure before These ones are very nice. They're easy to connect to with test leads. That's rarely the case Again, this is meant for somebody to figure out a Lot of times you get By the way, scrolling through here, you can see how complex this can get And I missed it. 
So here's some of the JTAGs without pins. You get those, but even then, sometimes you get these nice solder points you can solder to; sometimes you don't. I've actually gotten some JTAGs that, if you see down here, these tiny little dots with the little lines, sometimes it's those little suckers, and getting access onto those can be very difficult because you can really burn up the board with that. So you want these little pins here or something you can solder to. But basically you have to solder headers on a bunch of different JTAGs, and these are grouped together nicely and marked. Sometimes these pins are going to be all over your board randomly, and you'll see like JTAG 1, 2, 3, 4, 5, 6, 7, 8, 9, and a lot of times you've got to actually go and map all these out. And there's the Attify board, which is a really nice board for finding small amounts, and basically it connects a bunch of leads together and it tries different combinations until it finds the correct console and you get a valid connection. JTAGulator is a bigger version of that. I believe it's made by Grand Idea Studio, Joe Grand, but it's a much bigger... I think it goes, and I'm totally guessing here, I believe it's 128 possible connections. So you can really map out a large board and find multiple different connections, because you might actually get multiple consoles, because what you're talking to is these big chips. So you might actually be able to talk to multiple different chips. So think on a router.
I mean, one could be the firmware, one might be an actual BIOS or something. So you can find different things and access different components. The Xbox 360 has quite a few different components that you can talk to, which is kind of interesting, to kind of man-in-the-middle the hardware even, which is literally what you can do with this.

So another thing to check for is stealable memory chips. Sometimes if you're on a board you can steal the SD micro chip, just pull it out, plug it into your laptop and look at the file system as well. And it's kind of surprising how many times you bust something open and there's just a little mini SD card sitting inside, which is also bad for how long your device is going to last, because if you've run SD cards with active read/writes for a while, you know how quickly those burn out. So looking at that and seeing, is that actually going to be a stable device over a long period of time? You might actually have a finding right there.

And then also check the device shell for functional purposes. So, thinking about a camera: security cameras, like those little mini domes that you see at restaurants and stuff, they should theoretically have a hole drilled in the ceiling and go up so nobody can just cut the cable. But if you see a lot of those cameras, you can actually see the cable coming out, and people can just unscrew them or cut the cable. That's a bad design. So if you're doing an actual pen test on this, you should have that hardened: the cable should be cut-resistant and it should be hidden so that it can't be attacked.

And just kind of talking about some of the essential tools: Attify boards have really taken over. So Attify is a group, I believe they're a consulting company, but they do really good training and they made this Attify board. The JTAGulator is amazing, but it's expensive; I think it's 200 bucks. The Attify board is something like 50 or 60 bucks, and the Attify board can not only find those UART and JTAG connections,
they can actually fire up the console connections as well, all in one, which is really nice. Although I will say I always recommend the USB-to-TTL UART device connections as well. I personally don't like to use my Attify board to do the console connections, just because the longer it's plugged in, the more chance that I'm gonna fry it if you bump something. So I always switch to the USB-to-TTL UART devices. They're $10 on Amazon if you buy them in one-packs. You can go on like AliExpress and buy 50-packs for dirt cheap; they're like 50 cents a piece. So I literally just have a whole stack of them sitting in a closet, and I pull them out and I fry them occasionally. So much easier to fry that, and ironically they fry and don't actually mess up the board. I've never actually had one fry up the product I'm testing, but these little things do burn themselves out.

And I also recommend a multimeter to see where power is going and if you smoked the device, and a cheap USB logic analyzer. This is to figure out your baud rate. This is one of the things that you'll want training on, and pretty much every training will figure it out, but to get the console connections, you need to know the baud rate to get the connection to actually function. So knowing how to use a logic analyzer to get that is very important. Otherwise, you're never gonna get a console and you're gonna be confused as to why. You can try to guess, and there are some standards, but it's not gonna be as good as you want.

And those chip clips that I was talking about, where you can clip over to download the firmware: there is a large number of those, and some of them, actually many of them, look the same. You have to read the specification for the chips themselves you're clipping to see what kind of format they are. If you clip the wrong one, even if the clips look the same, if you clip the wrong one you just fried the chip, which fried your product, and now you've got to ask your customer for a new board. And again, you do that enough times and
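The baud-rate step is the kind of thing a short script makes concrete. What follows is an added example written for this transcript, not code from the talk, from Attify, or from any analyzer vendor. It assumes a logic-analyzer export reduced to a plain list of 0/1 line levels at a known, constant sample rate; the capture itself is constructed inline by a small 8N1 frame generator (an assumed 115200-baud console sampled at 8 MHz). The script takes the shortest pulse in the capture as one bit time, snaps that to the nearest standard rate, and then decodes the frames at the guessed rate so a wrong guess shows up as garbage rather than a clean string. All function names are my own.

```python
"""Estimate a UART baud rate from a logic-analyzer capture and confirm it by decoding.

Added example: the capture is constructed in software (an 8N1 frame generator),
not recorded from real hardware. Assumes the analyzer export has been reduced to
a list of 0/1 line levels taken at a known, constant sample rate.
"""
from typing import List, Optional, Tuple

# Rates a serial console is likely to use; a measured value is snapped to one of these.
STANDARD_BAUDS = [1200, 2400, 4800, 9600, 19200, 38400, 57600,
                  115200, 230400, 460800, 921600]


def uart_frames(data: bytes, baud: int, sample_rate: int, idle_bits: int = 4) -> List[int]:
    """Constructed capture: simulate 8N1 line levels for `data` (idle high,
    start bit low, eight data bits LSB first, one stop bit high)."""
    spb = sample_rate / baud  # samples per bit, fractional
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                                  # start bit
        bits.extend((byte >> i) & 1 for i in range(8))  # data bits, LSB first
        bits.append(1)                                  # stop bit
    bits.extend([1] * idle_bits)
    samples: List[int] = []
    for idx, level in enumerate(bits):
        # Round bit boundaries the way a real sampler would, so runs are 69 or 70
        # samples long at 115200 baud / 8 MHz rather than an exact integer.
        samples.extend([level] * (round((idx + 1) * spb) - round(idx * spb)))
    return samples


def edge_indices(samples: List[int]) -> List[int]:
    """Sample indices at which the line level changes."""
    return [k for k in range(1, len(samples)) if samples[k] != samples[k - 1]]


def estimate_baud(samples: List[int], sample_rate: int,
                  tolerance: float = 0.05) -> Tuple[float, Optional[int]]:
    """Return (raw estimate, nearest standard rate or None if nothing is within tolerance).

    The shortest gap between two edges is taken as one bit time. That only works if
    the capture contains at least one single-bit pulse, which is why it helps to
    capture a character such as 'U' (0x55, alternating bits) or plenty of boot-log
    traffic rather than a lone byte of zeros.
    """
    edges = edge_indices(samples)
    if len(edges) < 2:
        raise ValueError("capture has no transitions; nothing to measure")
    shortest = min(b - a for a, b in zip(edges, edges[1:]))
    raw = sample_rate / shortest
    nearest = min(STANDARD_BAUDS, key=lambda b: abs(b - raw))
    if abs(nearest - raw) / nearest > tolerance:
        return raw, None  # non-standard or mis-measured; do not guess
    return raw, nearest


def decode_uart(samples: List[int], sample_rate: int, baud: int) -> bytes:
    """Decode 8N1 frames by sampling the middle of each bit after a start bit.
    Frames whose stop bit is not high are dropped, so a wrong baud guess
    shows up as missing or garbage bytes instead of a clean string."""
    spb = sample_rate / baud
    out = bytearray()
    i, n = 0, len(samples)
    while i < n:
        if samples[i] == 1:      # idle or stop bit: keep looking for a falling edge
            i += 1
            continue
        byte = 0
        for bit in range(8):
            pos = int(i + spb * (bit + 1.5))  # centre of data bit `bit`
            if pos >= n:
                return bytes(out)
            byte |= samples[pos] << bit
        stop_pos = int(i + spb * 9.5)
        if stop_pos < n and samples[stop_pos] == 1:
            out.append(byte)
        i = int(i + spb * 10)     # skip to where the next frame could start
    return bytes(out)


if __name__ == "__main__":
    RATE = 8_000_000  # assumed analyzer sample rate, 8 MHz
    capture = uart_frames(b"U\n", 115200, RATE)
    raw, guess = estimate_baud(capture, RATE)
    print(f"shortest pulse implies {raw:.0f} baud, nearest standard rate {guess}")
    if guess is not None:
        print("decoded at that rate:", decode_uart(capture, RATE, guess))
```

On a real board you would replace `uart_frames` with the analyzer's exported channel and the sample rate it was captured at; the rest stays the same. The tolerance check is there on purpose: if the shortest pulse does not land near a standard rate, the capture probably lacks a single-bit pulse, and guessing is what leaves you staring at a console full of garbage.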
they're not gonna be happy. So you'll need various chip clips and you'll need to keep them marked so you know exactly which ones are which, so you're not smoking your customer's hardware.

And then some hardware hacking resources. I always recommend: start with an electronics 101 book and then get into Arduino hardware hacking. Do not learn on your customers. The great thing about pen testing is usually you can learn on the job; with hardware hacking, you will not be happy, and neither will your customer, and neither will your employer when they have to explain that you're smoking $100, $200,000, $10,000 devices. Not good. So get the electronics 101, learn basic circuits, learn how to make basic circuits, series, parallel, all that kind of stuff. Very important to know how to not short-circuit devices and fry them. And then the Arduino stuff is getting into that micro hardware and starting to build some circuits yourself, and start messing with some cheap devices that you go buy at a thrift store, and you can start testing those.

And then learning soldering is incredibly important. A bad solder will fry things; getting a board too hot will destroy the whole board. And then surface-mount soldering is much more important nowadays than it used to be, and surface-mount soldering is a whole other thing. If you heat the board too much you can cause problems. If you don't have a surface-mount soldering kit, which, like, I don't, it can be tricky. If you do have one, that's great. But otherwise people do these bake tricks and stuff where you bake the boards or heat them up with blow dryers and all sorts of stuff; those can go catastrophically wrong if you don't know what you're doing. So learn regular soldering and learn surface-mount soldering, and the thing I will tell you: if you don't know surface-mount soldering, don't try to surface-mount solder on a customer board, because again, it's gonna go bad.

Free training resources: Black Hills InfoSec has some excellent resources in their blog for how to get started in hardware hacking. I believe they came out last year, but maybe it was 2019. One of their people really went through and started to learn it and wrote everything up. It's great. Attify's blog, where the Attify board comes from, they have some great blog articles as well. You just have to dig through both to find the IoT stuff.

Paid training: Attify has what I've heard is the best course in the industry for offensive IoT hardware hacking. I believe it's about a thousand dollars. They have a remote and an in-person. The remote just came because of last year, obviously, with the pandemic, but they will ship you the stuff if you're not comfortable going on site. They will ship it to you and you can go through the course and learn; you'll get their Attify board and all that kind of stuff. Joe Grand with Grand Idea Studio has an excellent class as well. He taught it at Black Hat for many years, and he'd bring it to smaller cons as well. I took that personally several years ago; loved it. It teaches you everything you need to know to at least get your feet wet and not smoke every piece of hardware you get through. But he has none currently scheduled, whereas Attify does, so I highly recommend both of those.

So this is my talk, and I hope I didn't go over time or under time too much, but I hope you all learned things. And if you ever need to get a hold of me, I am available on Twitter at e-apples sniper, or if you know how to search you will be able to find me. Come and look me up and hit me up with any questions you have. Thank you and have a good day.