fbpx
TCM Security is offering free Active Directory Health Checks to any company with 10 or more employees. To inquire, please contact us.

Introduction

Over the last decade, the IoT landscape has witnessed significant growth, with an estimated 13 billion devices currently connected, and this number is rapidly expanding with each passing year. Projections suggest that the count could soar to 40 billion in the next decade. This proliferation of connected devices underscores the critical need for robust security measures. Consequently, there has never been a better time to learn about IoT security.

In this series, I’m going to talk about how you can easily get started with IoT and hardware hacking. Before we dive into the first part of the series, let’s review some fundamentals.

Why Combine IoT and Hardware Hacking – Is Hardware Knowledge Essential for IoT Hacking?

IoT hacking shares similarities with other hacking disciplines like web, network, mobile, and even cloud. However, it presents a unique attack surface due to the accessibility of hardware to consumers, security researchers, and adversaries alike. Hardware vulnerabilities in IoT devices can have significant repercussions. For example, a smart lock that could be unlocked from the outside by accessing the keypad pcb.

Even if hardware security isn’t a priority for manufacturers, access to the hardware can facilitate the discovery of vulnerabilities in other attack surfaces such as web portals or interconnectivity to cloud backends. With this in mind, it’s still possible to get into IoT hacking and start finding vulnerabilities without spending a dime on hardware or knowing anything about it.

What Background Experience is Necessary for IoT Hacking?

While IoT hacking shares commonalities with other hacking domains, it also requires baseline knowledge of each of those avenues and their intersections with each other. Personally, I wouldn’t recommend starting with IoT hacking if you’re brand new to ethical hacking or cybersecurity. Instead, I’d recommend starting with a broader intro to ethical hacking. The Practical Ethical Hacking course on TCM Academy provides a solid foundation for beginners. If you’re absolutely new to hacking I’d suggest starting with that before moving into IoT hacking.

Ethical Hacking and Legal Considerations

As with other forms of ethical hacking, it’s imperative to adhere to the golden rule of “don’t hack or test anything you don’t own and/or have permission to hack or test.” Not only is this rule essential for remaining ethical, it can also keep you out of big legal trouble! Violating this rule can have severe legal repercussions, including potential jail time! Additionally, there are also potential legal concerns with testing and reverse engineering firmware. In the United States, software like firmware is protected by the DMCA (and other regulations) and reverse engineering it can violate DMCA protections. While there are exceptions for security testing and research under the DMCA, it’s essential to stay abreast of regulatory changes and regional laws.

However, you shouldn’t take this blog’s word for it. Regulations frequently change and you may be subject to different laws in your region. You should do your own research on the legalities in your specific region and time frame. Alternatively, using firmware designed for learning IoT security (we’ll talk about some examples in this article), or participating in IoT bug bounty programs with reverse engineering firmware in the scope can help you stay on the right side of the law.

Getting Started in IoT Hacking Without Breaking the Bank

Before we can start hacking, we need to pick up a few tools. We’ll discuss the essential tools and gear needed to build a small toolbox affordably. I’m covering this in the first part of the series so that in the further articles you can already have everything required to follow along. I’m going to assume that you’ve already got a computer to use so that won’t be included.

The “FREE.99” Option: Hardware Hacking on a Budget

IoT hacking can be pursued without spending a dollar or even laying a hand on any hardware. While this isn’t my favorite approach and you may miss out on some vulnerabilities and the advantages that having access to the hardware gives, it’s a valid approach for learning, doing security research, or hunting for bugs.

The firmware, which constitutes the bundle of software running on an IoT device, typically includes components enabling the IoT device to boot up and perform its intended functions. Generally, the firmware comprises elements such as the bootloader, the operating system, or custom code running the device’s operations, alongside additional artifacts like files, tools, scripts, or data. In this getting started series, we’ll specifically focus on devices running embedded Linux due to its prevalence in IoT devices and its similarity to desktop versions of Linux familiar to most hackers. In embedded Linux systems, the firmware comprises three main components, the bootloader (which we’ll examine further in this series), the Linux kernel, and the root file system (RFS). The RFS contains all of the files, binaries, libraries, scripts, and even more that enable the IoT device to function. While the other aspects of the firmware may introduce vulnerabilities worth investigating, the majority of hacker interest lies in the RFS.

IoT Hackers want to obtain the firmware to analyze it and scrutinize it for vulnerabilities. Often, firmware can be acquired without direct access to the device, as manufacturers make it available for download for consumer updates or fixes. Alternatively, beginners can utilize custom firmware designed for learning IoT hacking, such as the one designed for this series,or the IoT GOAT firmware by OWASP.

Once we acquire the firmware, analysis involves attempts to unpack, decrypt, decompress, analyze, and reverse engineer it in order to identify vulnerabilities. Most tools used for this purpose are open source and free to download. This process, known as static firmware analysis, constitutes a significant portion of IoT security research and hacking. While conducting static analysis, you may uncover an interesting binary like a web server that you want to run, debug, or even test a potential exploit. Unfortunately, the Linux kernel and all binaries and libraries in an IoT device’s firmware are likely compiled for a CPU architecture different from that of the host system. Typically, IoT devices use either ARM or MIPs architectures. Although access to hardware can be advantageous, there are alternative methods, such as emulation.

QEMU (Quick Emulator) stands out as the most popular tool for emulating IoT hardware. It is open source and entirely free, capable of emulating various architectures encountered in IoT devices. This is a great video resource on getting started with emulating firmware:

My Favorite Part – IoT Hacking Tools

My favorite part of IoT hacking is the intersection with hardware hacking and the cool gear that comes along with it. One of my goals in this series is to share this passion with you and demonstrate the satisfaction derived from hacking and manipulating hardware firsthand, rather than just looking at a shell. A common misconception I’ve encountered is that hardware hacking is prohibitively expensive and requires expensive gear. While it is true that hardware hacking cannot be solely accomplished with a VM and open source software, it’s not necessary to empty your bank account.

My experience in assembling my personal hardware hacking toolbox has revealed that it closely aligns with the 80/20 rule. This rule states that 80% of the results come from 20% of the inputs, or in this context, the tools. Therefore, we can prioritize the essential tools- the ones yielding the most utility and results- before considering additional, specialized, and potentially expensive tools, if needed at all.

Furthermore, I’ve categorized the gear section must-haves and nice-to-haves, options at multiple price points.

Skip to the end of the article for a list of the essentials required to follow along with this series.

Must-Have Gear to Get Started with Hardware Hacking

Digital Multimeter (DMM)

In my toolbox, the digital multimeter reigns as the most frequently used piece of equipment. It serves as a versatile tool akin to a Swiss Army knife for conducting a wide array of electrical measurements. This device safeguards your equipment by checking voltage levels, verifying pin outs, aiding in reverse engineering circuits, and fulfilling numerous other functions. Digital multimeters are available at various price points, offering a wide range of features. However, the primary advantage of investing in a higher-priced model (apart from accuracy and durability) is the inclusion of autoranging capabilities. Nevertheless, if you are just starting out, opting for a budget-friendly meter is perfectly acceptable and will suffice for the majority of tasks.

digital multimeter tools

Option 1

Manufacturer and ID
Price
Where to Buy
Notes
ANENG A830L (picture right above)
$5.00
For a hardware hacking workshop I organized, I purchased approximately 120 of these digital multimeters. Out of the batch,115 functioned perfectly, and 5 were defective. Despite the Q/A issue with a few units, those that operated correctly proved to be highly effective and accurate, comparable to my regular meter. These multimeters come equipped with all the necessary measurements required for hardware hacking, including a continuity beep test, which is often absent in cheaper alternatives.

Option 2

Manufacturer and ID
Price
Where to Buy
Notes
ASTROAI AM33D (picture left above)
$15.00
This digital multimeter is the model used in the TCM IoT and Hardware Hacking course. Having extensively used this meter myself, I can attest to its reliability and performance. It’s a DMM that should last and grow into any hardware hacking toolkit. Its construction and build quality surpass the $5 AliExpress model.

Option 3

Manufacturer and ID
Price
Where to Buy
Notes
FLUKE 101 or 107 or 115
$40.00 - $225
Fluke meters are widely regarded as some of the best in the industry. While I believe that investing in such a high-priced meter isn't necessary when starting out in hardware hacking, opting for a Fluke meter can be an excellent choice if you seek a long-term investment that can adapt to professional use. Keep in mind the cheapest 101 model cannot do current measurement. This is not normally required for hardware hacking, but it may be a feature you want for other reasons.

Logic Analyzer

Logic analyzers enable the visualization and capture of communications occurring among different hardware components and devices. They play a crucial role in hardware hacking by facilitating the discovery of exposed communication headers and lines to discover what protocols and settings are used. I use my logic analyzer on almost every hardware hacking project I do.

logic analyzer

Option 1

Manufacturer and ID
Price
Where to Buy
Notes
Multiple - FX2LAFW Style devices (pictured above)
$5.00 - $15.00
There are dozens of these logic analyzers on the market all with slightly different names and packaging. However, they are all based on the FX2LAFW chips and will work with the open source Sigrok software. This logic analyzer is featured in the course and is currently used in my home lab.

Option 2

Manufacturer and ID
Price
Where to Buy
Notes
Saleae Logic 8, Pro 8 or Pro 16
$500 - $2000
Saleae stands out as one of the leaders in logic analyzers, renown for their products and software. However, their offerings come with a much higher price point. You don’t need to spend this much if you’re just getting into the hobby. However those with the financial means seeking a long-term, high-quality option may find Saleae products to be an excellent choice.

USB to “X protocol” Adapter

After identifying an open communication line and determining the protocol with your logic analyzer, you’ll need a USB adapter to facilitate interaction with it from your computer. By “X protocol,” I’m referring to commonly encountered protocols such as UART, I2C, SPI, JTAG, or SWD. At the very least, you’ll require an adapter cable capable of communicating via UART as this is by far the most frequently used and abused protocol when hardware hacking.

tigard board

Option 1

Manufacturer and ID
Price
Where to Buy
Notes
Multiple - CP2102 USB to UART
$2.00 - $10.00
For those seeking the least expensive option, consider purchasing a USB to UART adapter. It’s important to note that these are limited to UART communication. However, in many cases, that’s the only protocol you’ll need to interface with. These adaptors can be sourced from hundreds of different manufacturers, but any CP2102 based model capable of operating at both 3.3V and 5V will be fine.

Option 2

Manufacturer and ID
Price
Where to Buy
Notes
Securing Hardware - Tigard Board (Picture above)
$49.00
This model is the true Swiss Army knife of hardware hacking. It’s extremely versatile and can communicate with UART, I2C, SPI, JTAG, SWD and more. If you’re looking to get into hardware hacking in any capacity I’d suggest picking one of these up. It’s made by the awesome folks at www.securinghardware.com who have some excellent courses and resources (some free).

Option 3

Manufacturer and ID
Price
Where to Buy
Notes
Dangerous Prototypes - Bus Pirate
$35.00
Another Swiss Army knife of hardware hacking. The Bus Pirate can also do UART, I2C, SPI, JTAG, SWD and more. I personally prefer the Tigard board because it has some additional features and there is really good free training on how to use it. However, the Bus Pirate is the OG hardware hacking multi-protocol tool and is a bit cheaper than the Tigard.

Hand Tools

When working on commercial off-the-shelf consumer IoT devices, you’ll need tools to open them up and access the internal hardware. Based on my experience, most of these devices can be opened up with a jeweler’s Phillips head screwdriver and a spudger (small electrostatic safe pry bar). Both of these tools are available for less than $5 on Amazon. You can even find kits that include spudger tools and sets of small screwdrivers for small electronics repair.

hardware hacking hand tools

Targets to Test On

Once you’ve acquired some gear, you’ll need something to test and practice your skills on. My personal approach to hardware hacking is to only test or hack on devices I’m prepared to destroy. Accidentally frying or bricking a device is a common occurrence in hardware hacking and can even happen to the most experienced hackers (I have fried many devices in my days). However, there are plenty of affordable options available for testing purposes.

Option 1

Manufacturer and ID
Price
Where to Buy
Notes
Throwaways, recycling and used options
FREEish
Secondhard stores, sidewalks, Facebook Marketplace
I’m a bit of a hoarder when it comes to electronics. I've got bins and drawers of old routers, cameras, and phones. People frequently upgrade electronics and toss out or recycle the old ones. These discarded devices serve as excellent learning tools and can usually be obtained for free or cheap on used sites. After hosting a recent hardware hacking workshop, an attendee reached out to me and said that they went looking for targets at their thrift store and found some kids toys that were running embedded Linux and got custom firmware running on them! Keep an eye open and you’ll come across free or cheap options. If you’re considering buying something new, opt for inexpensive routers or smart cameras. Starting with cheaper options is advisable not only because of the lower price but also due to the likelihood of encountering fewer or no hardware security measures.

Option 2

Manufacturer and ID
Price
Where to Buy
Notes
Raspberry Pi
$15.00 - $50.00
Lots of places! Amazon: https://www.amazon.com/Raspberry-Quad-core-Bluetooth-onboard-Antenna/dp/B0CCRP85TR/" **Note if you’re not comfortable soldering I suggest getting one with headers pre-soldered on like this one: https://www.amazon.com/Raspberry-Pre-Soldered-Quad-Core-Cortex-A53-Bluetooth/dp/B09LTDQY2Z/"
If you want to run a custom firmware designed for learning IoT security the Raspberry Pi is a great option. The IoT GOAT firmware is designed to run on a Raspberry Pi, and the custom firmware created for this series is also compatible with the Raspberry Pi Zero 2W (which is available for $15.00). If you don’t already have one you’ll also need a micro SD card to load the firmware onto, along with a compatible adaptor for reading and writing to the card. Also, if you prefer to avoid soldering, I’d suggest getting a Pi Zero with pre-soldered headers.

Nice-to-Have Gear for Hardware Hacking

This section covers some of the gear that I frequently use, but isn’t absolutely required. These tools make my life easier or come in handy from time to time. I won’t provide multiple options here, just a single link, but you can find all of these items from various places and manufacturers.

Third-Hand

third hand hacking

These tools are amazing for holding PCBs or other electronic components during testing or soldering, effectively freeing up your hands (hence the third-hand name). I use mine all the time. Here’s the link to the one I use: https://www.amazon.com/Helping-Soldering-Workshop-Non-slip-Weighted/dp/B07MDKXNPC/

Electrostatic Discharge (ESD) and Soldering Mat

Personally, I’m not too concerned about ESD prevention tools when I’m working on my own IoT devices. Instead, I adhere to a few key rules like avoiding direct contact with components and holding PCBs by their edges. Therefore, this mat isn’t primarily for ESD protection (although it’s a nice extra). I mainly use it to protect my desk and maintain organization. It features a holder for tools, screws, or other small electronic components. Additionally, it is also heat and burn resistant so you can solder on it. Link to the one I use: https://www.amazon.com/Anti-Static-Electronic-Wristband-Grounding-HPFIX/dp/B07X7VL7VR/

Soldering Iron

If you’re going to be working on commercial IoT devices, you’ll likely need to do some soldering to connect your tools to the pads, wires, pins lines etc., that you’ll want to interface with. I’ve always relied on Weller soldering irons and have had great luck with them. Link to the one I use: https://www.amazon.com/Weller-Digital-Soldering-Station-WLC100/dp/B000AS28UC/ 

Flash Programmer

flash rom programmer

Many commercial IoT devices utilize cheap memory to store their firmware. Extracting this firmware or reprogramming the devices can be accomplished with a Flash programmer. These programmers are extremely helpful for dumping firmware or repairing a bricked device. The one we use in the course features a ch341a chipset and is manufactured by various companies. Here’s one from Amazon: https://www.amazon.com/KeeYees-SOIC8-EEPROM-CH341A-Programmer/dp/B07SHSL9X9

Another popular option for programming and reading a wider range of chip packages are the XGECU T48 or T56. 

Test Clips and Extra Jumper Wires

test clips and jumper wires

The Minimum Requirements to Follow Along with this Series

Raspberry Pi Zero 2w: This is the target we will be learning and testing on. If you don’t already have a micro SD card and something to read/write to it you’ll need to pick those up as well. 

Raspi Zero 2W: https://www.amazon.com/Raspberry-Quad-core-Bluetooth-onboard-Antenna/dp/B0CCRP85TR/ **Note if you’re not comfortable soldering I suggest getting one with headers pre-soldered on like this one: https://www.amazon.com/Raspberry-Pre-Soldered-Quad-Core-Cortex-A53-Bluetooth/dp/B09LTDQY2Z/

SD Card Reader: https://www.amazon.com/Reader-Beikell-Connector-Memory-Adapter/dp/B0BGNZGDTC/

Micro SD Card: https://www.amazon.com/PNY-Elite-microSDHC-Memory-P-SDU32GU185GW-GE/dp/B07R8GVGN9/

USB to UART Serial Adapter: https://www.amazon.com/HiLetgo-CP2102-Converter-Adapter-Downloader/dp/B00LODGRV8/

Logic Analyzer: Two great options from Amazon, either one will work: https://www.amazon.com/HiLetgo-Analyzer-Ferrite-Channel-Arduino/dp/B077LSG5P2/ https://www.amazon.com/Comidox-Analyzer-Device-Channel-Arduino/dp/B07KW445DJ/

If you made it this far, thanks for reading along! In the rest of the series, we will start hacking away at our Raspberry Pi and learn about some common IoT hacking techniques. 

andrew bellini headshot

About the Author

My name is Andrew Bellini and I sometimes go as DigitalAndrew on social media. I’m an electrical engineer by trade with a bachelor’s degree in electrical engineering and am a licensed Professional Engineer (P. Eng) in Ontario, Canada. While my background and the majority of my career has been in electrical engineering, I am also an avid and passionate ethical hacker.

I am the instructor of our Beginner’s Guide to IoT and Hardware Hacking course and I also created the Practical Junior IoT Tester (PJIT) certification.

In addition to my love for all things ethical hacking, cybersecurity, CTFs and tech I also am a dad, play guitar and am passionate about the outdoors and fishing.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcm-sec.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com

See How We Can Secure Your Assets

Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.

 

tel: (877) 771-8911 | email: info@tcm-sec.com